Set up the security permissions on a target file server to make sure that users have access only to the files that they back up.
By default, the first client that connects to a specific server share creates the RealTimeBackup directory. Permissions that are assigned to the RealTimeBackup directory do not prevent users from reading files that they do not own.
The settings that are used in this example assume one primary user of Tivoli® Storage Manager FastBack for Workstations on the client. This primary user is the first user that connects to the server and creates the subdirectory for files that are backed up from the client. If Tivoli Storage Manager FastBack for Workstations operates from other accounts on that client, failures might occur when copying files to the remote server. Error messages such as "Failed to open the destination file" are logged to the activity report.
ACL settings enable client accounts to create directories that are only accessible by the account that created them. As a result, the directory that contains data for a node is not created until that node connects to the server.
Type | Name | Permission | Applies to |
---|---|---|---|
Allow | Administrators | Full Control | This folder, subfolders, and files |
Allow | CREATOR OWNER | Full Control | This folder, subfolders, and files |
Allow | Users | Special | This folder only |
Allow | OWNER RIGHTS* | Full Control | This folder, subfolders, and files |
Permission | Setting |
---|---|
Traverse Folder / Execute | Allow |
List Folder / Read Data | Allow |
Read Attributes | Allow |
Read Extended Attributes | Allow |
Create Files / Write Data | Allow |
Create Folders / Append Data | Allow |
Delete subfolders and files | Allow |
Read Permissions | Allow |
The RealTimeBackup\BackupAdmin directory is used by the Tivoli Storage Manager FastBack for Workstations client to download revisions and configurations. Nodes require read-only access to these directories:
Type | Name | Permission | Applies to |
---|---|---|---|
Allow | Users | Read, Execute | This folder, subfolders, and files |
Allow | Administrators | Full Control | This folder, subfolders, and files |
Permission | Setting |
---|---|
Traverse Folder / Execute | Allow |
List Folder / Read Data | Allow |
Read Attributes | Allow |
Read Extended Attributes | Allow |
Delete subfolders and files | Allow |
Delete | Allow |
Read Permissions | Allow |
This example assumes that the Samba server is set up to share a directory named /fileservertest.
chmod o+wrxt /fileservertest/RealTimeBackup
chmod o+rx /fileservertest/RealTimeBackup/BackupAdmin
chown root /fileservertest/RealTimeBackup/BackupAdmin
In the Samba configuration file (smb.conf), set the create mask and directory mask parameters to each specify 0700. For example:
[fileservertest]
path = /fileservertest
writable = yes
create mask = 0700
directory mask = 0700
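To confirm that a share still matches the Samba settings above after later changes, the following added example (not part of the product documentation) audits the directory modes, the BackupAdmin owner, and the two masks. It assumes GNU stat on a Linux Samba server; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Samba backup share against the settings on this page.
# Assumes GNU stat (Linux). Function names are illustrative, not product commands.

# conf_value CONF SECTION PARAM: print PARAM's value inside [SECTION] of CONF.
conf_value() {
  awk -v sec="[$2]" -v key="$3" '
    /^[ \t]*\[/ { s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s)
                  in_sec = (tolower(s) == tolower(sec)); next }
    in_sec && !/^[ \t]*[#;]/ && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (tolower(k) == key) val = v   # last assignment in the section wins
    }
    END { print val }' "$1"
}

# has_bits PATH OCTAL_BITS: true if every listed mode bit is set on PATH.
has_bits() {
  mode=$(stat -c %a "$1") || return 1
  [ $(( 0$mode & 0$2 )) -eq $(( 0$2 )) ]
}

# audit_share ROOT CONF SECTION [OWNER_UID]: print findings; return 1 if any.
# OWNER_UID defaults to 0 (root), matching the chown command on this page.
audit_share() {
  rtb="$1/RealTimeBackup"; adm="$rtb/BackupAdmin"; uid="${4:-0}"; bad=0
  # chmod o+wrxt: others may create entries, sticky bit blocks deleting others' entries
  has_bits "$rtb" 1007 || { echo "RealTimeBackup: need o+rwx and sticky bit"; bad=1; }
  # chmod o+rx: nodes can read revisions and configurations
  has_bits "$adm" 0005 || { echo "BackupAdmin: need o+rx"; bad=1; }
  [ "$(stat -c %u "$adm")" = "$uid" ] || { echo "BackupAdmin: owner uid is not $uid"; bad=1; }
  for p in "create mask" "directory mask"; do
    case "$(conf_value "$2" "$3" "$p")" in
      0700|700) ;;   # new files and directories are private to their creator
      *) echo "[$3] $p: expected 0700"; bad=1 ;;
    esac
  done
  return "$bad"
}
# Usage (configuration path is an assumption): audit_share /fileservertest /etc/samba/smb.conf fileservertest
```

A nonzero return with a finding on either mask means files created through the share can be readable by accounts other than their owner.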