Folder permissions, ACL, again

  • Just getting into folder permissions and I have a few questions so far.
    When adding a shared folder I have to set its basic permissions of owner/group/others. That is clear. Right after creating the folder I can go to ACL extra options. Do these options correspond to what I've set up when adding the folder? So I could for example change the folder group here from users to let's say 'mediaUsers' and give all of them the permission they should have? Am I correct?


    I furthermore noticed that I somehow can't access a folder via SMB share that I have read/write privileges for. As soon as I grant myself execution privileges, I can. Could anyone explain that behavior?


    Thanks! :)




    EDIT:


    So what do you guys actually use the Privileges button for? I read many of you are using only that, but that means that you must grant everyone all privileges on system permission level, don't you? Wouldn't it be way more secure to grant only the privileges needed for every user/group on system level?


    Example1: I have a shared folder called 'user2'. Only user user2 should be able to access that folder.
    So I would set system permissions to Admins: read/write; Users: no access; others: no access; And in ACL settings I would grant only user2 full privileges. No further settings in the "Privileges" box needed since system privileges totally match my needs.(?)


    Example2: I have a shared folder called 'media'. Only users in the group mediaGroup should have access to it. So I create that folder setting system permissions to Admins: read/write; Users: read/write; others: no access; And in the ACL settings I would change the assigned group of that folder to mediaGroup with full privileges. No further settings in the "Privileges" box needed since system privileges totally match my needs.(?)


    What are your thoughts on that?

    • Official post

    None of your examples seem to need any use of ACLs, just the old traditional mechanisms for access rights.


    Just assign the right ownerships, group memberships and access rights, and you are done.


    But then I don't use Windows or CIFS, so I could be wrong?

  • None of your examples seem to need any use of ACLs, just the old traditional mechanisms for access rights.


    Just assign the right ownerships, group memberships and access rights, and you are done.


    But then I don't use Windows or CIFS, so I could be wrong?


    Okay but you agree that using that Privileges Box for omv services is basically not needed this way?
    And how could I assign ownership and group membership? I can find it only at ACL settings.


    Thanks!

    • Official post

    Shared folders have owner "root" and group "users" when created in the GUI of OMV.
    Users are members of the group "users" when created in the GUI of OMV.


    So for SMB and other services it is enough to use privileges, to give the users read/write or only read privileges to shared folders.

    • Official post

    I use the OMV GUI to add or modify users and groups and group memberships. I use the command line or Midnight Commander to set owner and access rights on files and folders, other than the OMV defaults. If I really need to. I very rarely need to.


    I have never used ACLs.


    The plugin resetperm is handy sometimes, to reset the default permissions.

  • Shared folders have owner "root" and group "users" when created in the GUI of OMV.
    Users are members of the group "users" when created in the GUI of OMV.


    So for SMB and other services it is enough to use privileges, to give the users read/write or only read privileges to shared folders.


    Yeah but there is that powerful Linux permission system, so why should one just set almost everything to "users read/write" and then use an additional "privileges" manager? In the manner of security I totally get the point of using Linux permission system, so why getting almost rid of it and its advantages by saying "it is enough to use privileges"?

    • Official post

    why getting almost rid of it and its advantages by saying "it is enough to use privileges"?

    Many users have messed up their system by mixing privileges and ACL



    In the manner of security I totally get the point of using Linux permission system

    Where do you see an issue regarding security?
    OMV is designed to have one admin and several users. Users are intended to access data via services like SMB, not by CLI. Access rights for services are managed by privileges per user.

  • Okay I think I get your point. I found it just a bit confusing because since you have to be aware of correct system permissions, anyway.. I was wondering why one should not do everything with that. Security might not be an issue. It just feels a bit like that. But yeah it is not about feeling..

  • ...
    Where do you see an issue regarding security?


    ...


    Here it is: Using user1, an SSH group member, to connect via SFTP I can access private shared folders of other users. Should actually be forbidden regarding the settings in the omv privileges. Maybe a better way not using that omv privileges at all..
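
Added example, not part of the thread: the thread states that shared folders are created as root:"users", that every user is in "users", and that privileges apply per service, so a local login such as SFTP is governed by the filesystem mode bits alone. The sketch below audits those bits per shared folder and also classifies the read/write-without-execute case from the first post; it assumes GNU stat and that shared folders are direct children of the directory passed in (function names and the path are hypothetical).

```sh
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat (Debian/OMV) and that
# shared folders are direct children of the directory given as $1.

# classify_bits <octal digit>: what one permission triplet allows on a directory.
classify_bits() {
    case "$1" in
        7|5) echo "enter+list" ;;  # r and x: list names and traverse
        3|1) echo "enter-only" ;;  # x without r: traverse, but no listing
        6|4|2) echo "no-entry" ;;  # no x: files inside cannot be reached
        *) echo "none" ;;
    esac
}

# audit_shares <root> [broad_group]: one line per folder; EXPOSED means local
# accounts (shell, SFTP) can enter it regardless of per-service privileges.
audit_shares() {
    root=$1
    broad=${2:-users}   # group that every regular user belongs to
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        mode=$(printf '%04d' "$(stat -c '%a' "$d")")  # e.g. 775 -> 0775
        perm=${mode#?}                                 # drop setuid/setgid/sticky digit
        g=${perm#?}; g=${g%?}                          # group digit
        o=${perm#??}                                   # other digit
        grp=$(stat -c '%G' "$d")
        gc=$(classify_bits "$g")
        oc=$(classify_bits "$o")
        verdict=ok
        case "$oc" in enter*) verdict=EXPOSED ;; esac
        if [ "$grp" = "$broad" ]; then
            case "$gc" in enter*) verdict=EXPOSED ;; esac
        fi
        printf '%s group=%s(%s) other=%s %s\n' "${d##*/}" "$grp" "$gc" "$oc" "$verdict"
    done
}

# Usage (path is a placeholder): audit_shares /path/to/shares users
```

A folder reported as EXPOSED needs a narrower owning group or tighter mode bits if accounts with shell or SFTP login must be kept out of it.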
