Understanding basic security / ACL on shared folders.

  • Hi,


    I am a new user to OMV, and am excited about the software. So much that I sold my QNAP TS251 straight away. I like that it is a Linux machine which I can dig into, and not just some nice closed box. So far I have only found very few small bugs (newest 3.x release), which I will try to report at some other time. I can feel the configuration of services and access is rather different from what I am used to, but it's OK. I will learn :)
    But there is something basic in the security which I am missing - maybe someone can give a small comment on it to help me understand...


    I have created a shared folder, Music, which should hold my music library for my Sonos system.
    Created a user, Sonos. Added it to the group Users.
    Created an SMB, AFP and FTP share for the shared folder, Music.


    If I go to the Shared Folder and click Privileges I have following settings - Sonos has Read/Write


    If I go to ACL I have following setting - Sonos has Read / Write


    I tried to give Privileges Read, and ACL Read / Write - which resulted in Read access.


    So, simple questions:


    What is the difference between Privileges with Read/Write and ACL with Read/Write?


    Should the Privileges be set to the highest level and then downgraded to less in the ACL? Or what is best practice here?


    Maybe this is already documented somewhere - in that case; can you point me to the information?


    Many thanks and best regards, K

    • Official post

    Should the Privileges be set to the highest level and then downgraded to less in the ACL? Or what is best practice here?

    I don't use ACLs at all. I use File and Folder permissions, but even that's not enough if file and folder permissions don't match the share (which, in your case, I'm guessing will be Samba). Consider the following:


    "Owner" - The owner is a user which will be, in the majority of cases, "root".
    "Group" - This entry is a group which is, typically, "users". Whatever permission is assigned at this entry will be given to any member of the group "users".
    "Others" - This entry is, literally, any user that is not specifically called out in "Owner" or is not in the group "users".


    In provisioning for network access, note that if you want a Windows user to be able to access an SMB (Samba) share with "write" privileges, you should create a user in OMV with the same name and same password used in Windows. That user will be added to the OMV users group by default.
    ______________________________________________________________________________


    First, when assigning permissions to network shares, note that Samba share permissions do not override the permissions assigned to the underlying shared folder. The same is also true of NFS. If the base folder has "others" with "none" (no access), the only users who will be able to access the share are the "Owner" "root" and users that are part of the group that is found under "group". (Samba / NFS can not override these permissions. Permissions must be set or changed on the base shared folder.)


    Second, note that file / folder permissions must match network share permissions. Further, note that layering folders can have an impact. I had a Samba issue where the base share folder had a different permission profile than the parent folder. (As noted below.)

    Parent Folder (ServerFolders)  ------>  Shared Folder (Music)  ------>  Samba Network Share (Music)
      "Owner" root: read/write/exec        "Owner" root: read/write/exec    Public "Yes", set "Read Only"
      "Group" users: read/exec             "Group" users: read/exec
      "Others": none                       "Others": read/exec



    In the above case, I couldn't access the Samba share, under the base shared folder, from a Windows machine. When I changed the parent folder (ServerFolders) permission for "Others" to read/exec, the Samba share worked fine. (For Public access, "Read Only" was intended.)


    The above is an example of how to make a media share available, read only, to everyone on the local LAN.


    Here's to hoping this gets you off to a good start.
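    As an added example (not part of the thread, and not OMV's or Samba's own code): a small Python check that reproduces the two points made above, that every parent folder must grant traversal before the share folder's own permissions matter, and that a Samba share can only restrict ("Read Only") what the filesystem already allows, never widen it. It rebuilds the ServerFolders/Music layout from the post in a temporary directory and evaluates the mode bits itself, so no second user account is needed; the function names, the `top` parameter and the constructed layout are all assumptions of this example, not OMV behaviour.

```python
import os
import tempfile
from pathlib import Path

# POSIX permission bits within one rwx triplet (owner, group or others)
R, W, X = 4, 2, 1


def class_bits(mode: int, is_owner: bool, in_group: bool) -> int:
    """Pick the rwx triplet that applies to a user: owner, group or others."""
    if is_owner:
        return (mode >> 6) & 7
    if in_group:
        return (mode >> 3) & 7
    return mode & 7


def effective_access(path, uid, gids, top=None):
    """Evaluate what a user (uid plus a set of gids) can do with a directory.

    Every directory between `top` (exclusive, assumed already reachable, e.g.
    the pool mount point) and `path` must grant execute (search) permission,
    or the user never reaches the share, whatever the share folder itself
    allows. `top=None` walks all the way up to /.
    """
    p = Path(path).resolve()
    top = Path(top).resolve() if top else None
    ancestors = [d for d in reversed(p.parents) if top is None or top in d.parents]
    for d in ancestors:
        st = os.stat(d)
        bits = class_bits(st.st_mode, st.st_uid == uid, st.st_gid in gids)
        if not bits & X:
            # This is the "parent folder with Others: none" case from the post
            return {"traverse": False, "read": False, "write": False, "blocked_at": str(d)}
    st = os.stat(p)
    bits = class_bits(st.st_mode, st.st_uid == uid, st.st_gid in gids)
    return {
        "traverse": bool(bits & X),
        "read": bool(bits & R) and bool(bits & X),    # listing needs r, entering needs x
        "write": bool(bits & W) and bool(bits & X),   # creating files needs w and x
        "blocked_at": None if bits & X else str(p),
    }


def share_access(fs, samba_read_only):
    """Combine filesystem access with the share's read-only flag.

    The share can only take rights away; it cannot grant what the folder denies.
    """
    return {
        "read": fs["read"],
        "write": fs["write"] and not samba_read_only,
        "blocked_at": fs["blocked_at"],
    }


def build_layout(top, parent_mode, share_mode):
    """Constructed layout: top/ServerFolders (parent) containing Music (share)."""
    parent = os.path.join(top, "ServerFolders")
    share = os.path.join(parent, "Music")
    os.mkdir(parent)
    os.chmod(parent, parent_mode)
    os.mkdir(share)
    os.chmod(share, share_mode)
    return share


if __name__ == "__main__":
    top = tempfile.mkdtemp()
    share = build_layout(top, 0o750, 0o755)   # parent denies "Others", share allows
    other = os.getuid() + 1                   # some uid that is not the owner
    print("others, parent 750:", effective_access(share, other, set(), top=top))
    os.chmod(os.path.join(top, "ServerFolders"), 0o755)
    print("others, parent 755:", effective_access(share, other, set(), top=top))
    owner = effective_access(share, os.getuid(), {os.getgid()}, top=top)
    print("owner via read-only share:", share_access(owner, samba_read_only=True))
```

    Run as-is it prints the three situations from the post: the share folder is fine but the parent blocks "Others", the same share after the parent is opened to read/exec, and the owner's full access being cut down to read by the share's "Read Only" setting.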

    • Official post

    That's what I call an explanation!

    :D Thanks!


    But, as you know, it's just a very brief overview when covering the permissions topic.


    I might use something like the above in a "Getting Started with OMV" guide, to get a new user up and running with network shares. Bottom line, usable network shares are the most important aspect of a NAS.
