How to configure subfolder permissions under SMB

  • Hi all,


    Could anyone give me hints on how to configure sub-folder permissions under the main folder of an SMB share?


    I created the shared folder name as "Documents".

    Under the folder "Documents", there are three sub-folders such as "DataA", "DataB" and "DataC".


    Meanwhile, I created 3 users for accessing (read and write) their sub-folders only.

    Users: A, B and C


    So, the paths of SMB share might be:

    /Documents/DataA/ <-- only user A can access.

    /Documents/DataB/ <-- only user B can access.

    /Documents/DataC/ <-- only user C can access.

    Should I create "Documents" with WinSCP and set up the sub-folders under "Share Folder" and "CIFS/SMB" using the ACL of OMV?

    Sorry, I am a bit confused.


    Thanks !

  • Best to do everything through OMV; the use of ACLs is unnecessary and to be avoided.


    You can either set the permissions the same on each subfolder, e.g. user root rwx, group users rwx, other none, and then set a privilege on each folder for read/write userA, read/write userB etc., or you could set an exclusive permission on each folder such as user userA rwx, group none, other none, and not set any privileges.

  • Hi Krisbee,


    Thanks for sharing.


    So it is better to do all the configuration via the OMV6 UI.


    I have no idea how to set the permissions and coordinate the main share folder and the sub-folders under it.

    If I create "Documents" and set the permissions like:

    1) user root rwx, 2) group users rwx, 3) other none.


    Then create the subfolders "userA", "userB", "userC" and set the permissions like:

    1) user root rw, 2) group users rw, 3) other none for each user.


    Is that correct?

    However, OMV6 will show the shared folders "Documents", "userA", "userB" and "userC" in the Windows network neighbourhood.


    I'd like OMV to show the main folder "Documents" only,

    and the users access their permitted shared folder under "Documents" via the Windows network neighbourhood.


    Or can "Documents" be hidden by OMV6?


    Thanks !

  • OK, to do what you want, the folder to set up an SMB/CIFS share on is the Documents folder only. You still need to create the sub-folders via the webui as shared folders under Documents, but no SMB/CIFS share will be set up on these individual sub-folders.


    Set the perms on the Documents folder as above.


    Set the perms on each of the individual sub-folders as:


    1) user userX rwx, 2) group none, 3) other none


    where userX is the id of the user granted access to that share.

  • Hi Krisbee,


    I tried your recommended steps. However, it doesn't work.

    Both users can create files in and access each other's user folders.

    It seems the sub-folder permissions are inherited from and controlled by the main folder "Documents".

    But the Inherit permissions option has not been enabled.


    [Storage | Share Folder | Create]

    Name: Documents

    Relative path: Documents/

    Permission: admin: R/W, Users: R/W, Others: No access (RWXRWS---)


    Name: userA

    Relative path: Documents/userA/

    Permission: admin: R/W, Users: R/W, Others: No access (RWXRWS---)


    Name: userB

    Relative path: Documents/userB/

    Permission: admin: R/W, Users: R/W, Others: No access (RWXRWS---)


    [Storage | Share Folder | Privileges]

    Folder name: userA

    User: A (R/W), B (No access)

    Folder name: userB

    User: B (R/W), A (No access)


    [Service | SMB/CIFS | Shares | Create]

    Shared folder: Documents/

    Other settings are kept default.


    The result is that user A can create files in both sub-folders userA and userB.

    And vice versa.


    Do you know what's wrong with my settings?


    Thanks.
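    The configuration above puts every sub-folder at root:users with RWXRWS--- (mode 2770), and since OMV adds every webUI-created account to the users group, the group bits let every user into every sub-folder. The following audit script is an added example, not part of the thread or of OMV; it walks the direct sub-folders of a shared folder and flags the two things that break exclusivity here: any access for Others, and group access when the group is the catch-all users group. It also reports the setgid bit (the "s" in RWXRWS---), which is what makes new sub-folders inherit the parent's group. The group name "users" and the demo tree are assumptions; ownership in the demo is whoever runs the script, because chown needs root.

```python
import grp
import os
import pwd
import stat
import sys
import tempfile
from pathlib import Path

# OMV adds every webUI-created account to this group (as stated in the thread),
# so rwx for it on a sub-folder means rwx for everyone. Group name assumed.
DEFAULT_SHARED_GROUP = "users"


def _name_of_uid(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def _name_of_gid(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def group_of(path):
    """Group name of a file or directory, as WinSCP would show it."""
    return _name_of_gid(Path(path).stat().st_gid)


def audit_subfolders(share_root, shared_group=DEFAULT_SHARED_GROUP):
    """Inspect each direct sub-folder of the shared folder.

    Returns {name: (owner, group, perms_string, set_of_finding_codes)} where
    perms_string looks like WinSCP's rwxrwx--- and the codes are:
      OTHERS       - Others is not "No access"
      SHARED_GROUP - the catch-all group (every user) has access
      SETGID       - the 's' in RWXRWS---: anything created inside inherits this group
    """
    report = {}
    for entry in sorted(Path(share_root).iterdir()):
        if not entry.is_dir():
            continue
        mode = entry.stat().st_mode
        owner, group = _name_of_uid(entry.stat().st_uid), _name_of_gid(entry.stat().st_gid)
        codes = set()
        if mode & stat.S_IRWXO:
            codes.add("OTHERS")
        if group == shared_group and mode & stat.S_IRWXG:
            codes.add("SHARED_GROUP")
        if mode & stat.S_ISGID:
            codes.add("SETGID")
        report[entry.name] = (owner, group, stat.filemode(mode)[1:], codes)
    return report


def make_demo_tree():
    """Constructed sample tree (not from the thread's server) so the audit runs offline.
    Modes mirror the thread; the owner/group are the current user's, since chown needs root."""
    root = Path(tempfile.mkdtemp(prefix="Documents-"))
    (root / "userA").mkdir()
    os.chmod(root / "userA", 0o700)  # Krisbee's corrected perms: owner rwx, nothing else
    (root / "userB").mkdir()
    os.chmod(root / "userB", 0o770)  # the OP's group bits: the catch-all group gets in
    (root / "userC").mkdir()
    os.chmod(root / "userC", 0o775)  # worse still: Others can read and enter
    return root


if __name__ == "__main__":
    if len(sys.argv) > 1:
        root, shared = Path(sys.argv[1]), DEFAULT_SHARED_GROUP
    else:
        root = make_demo_tree()
        shared = group_of(root / "userB")  # in the demo, the current user's group plays 'users'
    for name, (owner, group, perms, codes) in audit_subfolders(root, shared).items():
        print(f"{name:12} {owner}:{group:<10} {perms}  {' '.join(sorted(codes)) or 'ok'}")
```

    Run it on the real share as `python3 audit.py /srv/<disk>/Documents`; any sub-folder listed with SHARED_GROUP or OTHERS is reachable by more than its intended user, regardless of the privileges set in the webUI, because only the Documents folder is exported and the sub-folders are protected by Linux permissions alone.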

  • You didn't follow my steps. For example, sub-folder Documents/userB/ should have perms:


    Permission: userB: R/W, Users: R/W, Others: No access (RWX------)

  • The problem with that is (if I'm reading this correctly)...


    If he created the users in the webUI... all users by default are in the users group. So in that scenario, every user would have access to the userB folder.


    Personally, I think assigning permissions via groups is way easier than assigning by user.. but that's just me.

  • KM0201 Quite right; that is not what I said previously and is an obvious typo, as you can see from what's in the brackets.


    It should of course read as follows and #6 is now corrected.


    Permission: userB: R/W, Users: No access, Others: No access (RWX------)


    The OP's share path is the level above the sub-folders, so group perms will not help in this case.

    Edited once, last by Krisbee: fingers and brain not in sync.

  • Hi Krisbee,

    Would it be convenient for you to capture screenshots of where to set the permissions of the folder and sub-folders?

    I feel it is hard to manage them via the GUI of OMV6.


    Permission: userB: R/W, Users: No access, Others: No access (RWX------) (owner, group, others)


    The folder rights which I mentioned were read using WinSCP.


    Do I need to touch the ACL? However, it doesn't let me save; it gives an error.


    Or could you provide the relevant link for me to refer to?


    Thanks.

  • The problem with that is (if I'm reading this correctly)...


    If he created the users in the webUI... all users by default are in the users group. So in that scenario, every user would have access to the userB folder.


    Personally, I think assigning permissions via groups is way easier than assigning by user.. but that's just me.

    Hi KM0201,


    Could you elaborate on the idea of groups in more detail?

    If I have 10 users, do I need to create 10 groups and assign the users to them?


    Thanks.

  • Reading folder rights from WinSCP is OK as long as you are clear about the folder owner. Setting folder rights via WinSCP can be a problem as the "owner" of any new folder created is the same user whose credentials were used to make the connection to OMV, which in your case is probably root.


    I may have misunderstood what KM0201 meant by "assigning permissions via groups". I would call this "granting" permission via groups. In other words, it is whether a given user is, or is not, a member of a specified group which determines whether that user is granted access to a particular folder or file.


    As all local user accounts added via the webui are by default in the users group, is this an alternative permission scheme?


    For Documents:


    Permission: admin: R/W, Users: R/W, Others: No access (RWXRWS---) (owner, group, others)


    For each sub-folder:


    Permission: admin: R/W, Users: R/W, Others: No access (RWXRWS---) (owner, group, others)


    For each sub-folder you must set a "read/write" privilege for the single userX so that only one specified user can access the folder. But also a "none" privilege for all other users. Eg for three users, you'd set the privileges as:


    userA - read/write

    userB - none

    userC - none


    on the sub-folder for exclusive use of userA.


    In this scheme, all the sub-folders will be visible under the Documents folder to any user with an account on OMV, but each user will only have access to what is meant to be their own sub-folder.


    This scheme is more cumbersome than just making each sub-folder owned by the user that requires exclusive use.

    And more importantly, it does not work, because it's not the sub-folders that are shared but the Documents folder, so sub-folder privileges are ignored. It could work if the share paths were the sub-folders and not the Documents folder.


    To answer your other question about groups. In this case, you don't need to create additional groups.


    PS Apologies for the piecemeal appearance and edits (too many interruptions at home) and any confusion caused to the OP or others.

    Edited 4 times, last by Krisbee: fix error.

  • Hi Krisbee,


    Thank you so much for your advice and for sharing your experience.

    I will retry it using the two schemes.


    Besides, I hope to find the exact screens for the permission settings

    (Share Folder, CIFS/SMB share and Users) in the OMV6 GUI.


    Do you know where the screen of OMV6 to set the folder owner is?

    I tried to go through all the settings pages of OMV6.

    The folder owner options seem to be located on the ACL page.

    But is it not recommended to touch it?


    Thanks.

  • lee.tom Please ignore scheme 2 for now. I'm posting screen grabs for scheme 1 now. You're correct that the ACL page is where you can change the folder owner. The recommendation to avoid ACLs refers to settings that can be made in the top half of the screen. You will be using the bottom half of the screen to change standard Linux permissions.


    Folder that will be shared:


    Set privileges on the folder that will be shared by SMB/CIFS:



    Create a sub-folder:




    Change perms on sub-folder:



    Repeat for each sub-folder


    Create SMB/CIFS share ....


    Test in windows, connection with UserA name & password:


  • I've been extremely busy and just now had time to get back to this.

    I'm not really sure why you're saying what I suggested doesn't work. You DO have to use ACLs, but this is not difficult (which I generally would not recommend, but just don't mix them with permissions). I'll detail in the next post.

  • OP... I don't use Windows, but unless Windows is doing something with SMB that Linux does not, what you want to do is entirely possible with ACLs and groups, just like I said... but DO NOT mix permissions and ACLs on these folders; use one or the other.


    So, first, I created a folder called Documents, and then created sub-folders under Documents for 3 users (joe, john, and jane).




    Next, I created my 3 users, then created 3 groups (same as the usernames) and made sure those users were in said groups. I put them in SSH as well, which isn't necessary; I just did it for ease of use while I was testing this. When you're done, it should look something like this (again, you don't need them in the SSH group, I just did it for ease of testing):


    Users section:


    Groups section:




    Next, I went back to the shared folders section, and clicked on Documents, and then ACL.. I then scrolled down and set my ACL on the Documents folder as such:

    Note the top, NOTHING is in yellow under permissions, at the bottom, Root has read/write/execute and users has read/write/execute, and "others" is set to read/execute. Leave the "replace" checkmark checked, and save.


    Next, I started on my user folders...

    I clicked shared folders, clicked on "jane" and then clicked ACL.

    Again, note the top all permissions are OFF (ie, not highlighted). Scroll down to ACL

    owner is root with r/w/e
    group is jane, with r/w/e
    others: is set to none

    Again, leave the "replace" and "recursive" checkmark in place and save.

    Repeat as necessary for each of your users on each of their folders.. The only difference will be to make sure your group is set to the username you want to access that folder.

    After that, I first SSH'd into my server as "joe" to make sure my permissions were correct. I created a "test-joe" file in this folder and verified joe has read/write permissions on his folder. The below shows my permissions are correct, as joe can write to the "joe" folder, but has no permissions on john's or jane's folders.


    Code
    joe@omv6-test:~$ cd /srv/dev-disk-by-uuid-2c3b29d8-a29a-474f-b409-d619339d8e75/Documents/
    joe@omv6-test:/srv/dev-disk-by-uuid-2c3b29d8-a29a-474f-b409-d619339d8e75/Documents$ ls
    jane  joe  john
    joe@omv6-test:/srv/dev-disk-by-uuid-2c3b29d8-a29a-474f-b409-d619339d8e75/Documents$ cd joe
    joe@omv6-test:/srv/dev-disk-by-uuid-2c3b29d8-a29a-474f-b409-d619339d8e75/Documents/joe$ touch test-joe
    joe@omv6-test:/srv/dev-disk-by-uuid-2c3b29d8-a29a-474f-b409-d619339d8e75/Documents/joe$ cd /srv/dev-disk-by-uuid-2c3b29d8-a29a-474f-b409-d619339d8e75/Documents/john
    -bash: cd: /srv/dev-disk-by-uuid-2c3b29d8-a29a-474f-b409-d619339d8e75/Documents/john: Permission denied
    joe@omv6-test:/srv/dev-disk-by-uuid-2c3b29d8-a29a-474f-b409-d619339d8e75/Documents/joe$ cd /srv/dev-disk-by-uuid-2c3b29d8-a29a-474f-b409-d619339d8e75/Documents/jane/
    -bash: cd: /srv/dev-disk-by-uuid-2c3b29d8-a29a-474f-b409-d619339d8e75/Documents/jane/: Permission denied
    joe@omv6-test:/srv/dev-disk-by-uuid-2c3b29d8-a29a-474f-b409-d619339d8e75/Documents/joe$

    And just to be sure, I tested with "john" and "jane" as well and verified that my permissions are set as I want them. As you can see, john can only access john's folder, and jane can only access jane's folder at the CLI level.



    Now that I've verified my permissions are correct, and only the proper users can write to their respective folders... I added the "Documents" folder to SMB and enabled the SMB service (note, I didn't change anything and just left everything default)

    Now, this is the only place where our situations differ... I don't use Windows and haven't in about 12-13yrs... so unless Linux and Windows handle SMB shares completely different, this worked just fine for me...


    First, I navigated to my smb server, I saw my Documents folder, I clicked on it and was prompted for a log in, for this test, I logged in as jane


    Once logged in, I can clearly see all 3 users folders


    Since I logged in as "jane" I clicked on the jane folder, and can clearly see the "test-jane" file I made at the CLI level. I can also create "New Folder" there... so I have r/w over SMB


    Finally, since I'm logged in as Jane, I tried to browse to Joe's folder. The folder is blank, despite the "test-joe" file I made there earlier. If I try to create a folder, I get permission denied.

  • Sorry, hit my image limit for that post...

    Next, I logged out of my SMB server as "jane" and logged back in as "joe". As you can see below, I now see the "test-joe" file, and was able to create "New Folder" in joe's folder




    Next, I clicked on Jane's folder (remember I'm now logged in as Joe)... and you'll see her folder appears empty to me despite what I clearly put in there earlier, and if I try to write to it, I get permission denied...



    And that... is how you assign permissions by group.

  • KM0201 I probably should have said "it doesn't help to keep it simple in this case", as obviously access can be granted via group membership when required.


    The OP asked in a follow up question about having to create an additional group for each user and that to me is a downside of your scheme, particularly when you have many users. It just seems far more natural that file/folders created by say "jane" are owned by "jane" and not "root".


    Linux distros generally use the "user private group" idiom, auto-creating a primary group of the same name for every user account added to the system, and membership of the secondary group "users" is optional. OMV stands that on its head, and it doesn't always work in your favour.


    As an aside, it's a pity that the design of the webUI means people often refer to ACLs when they really mean standard Linux permissions. I agree it's a mouthful to always say, "use the ACL page to set the standard Linux permission on ...", but it can avoid a lot of misunderstanding.

  • I don't use Windows, but unless Windows is doing something with SMB that Linux does not

    No it doesn't, but kudos to you for working all this out. I've been following this thread with interest, but I was also wondering whether it would be possible to do a redirect from the 'home' folder created/set in SMB to the subfolder under Documents. This would be similar to a Windows Server AD user documents folder.


    EDIT: My bad (I don't use this anyway) user home directory is under user management -> settings

  • No it doesn't, but Kudos to you for working all this out, I've been following this thread with interest, but I was also wondering whether it would be possible to a redirect from the 'home' folder created/set in smb to the subfolder under documents. This would be similar to a Windows Server AD user documents folder.


    EDIT: My bad (I don't use this anyway) user home directory is under user management -> settings

    I had briefly considered that Home Folders might be the easier way to handle this. ACLs are not horrible when used properly, and not in conjunction with permissions. I used to use ACLs as all of my permissions were assigned by group. Then I got heavy into docker and it was easier to assign by users... but I still use permissions by group/ACLs on some folders.


    The other nice thing about doing it this way: let's say the subfolders of "Documents" are, I don't know, folders that kids are putting documents in for homework or something else that needs to be overseen by parents/supervisors.


    You could just create a "Dad" account, put Dad in each of those groups... and if Dad logs in to SMB, he has full access to all 3 of those sub folders.
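    Krisbee's owner-based scheme, KM0201's group-based scheme and the root:users variant that let every user in all come down to the same Linux permission check: the owner bits apply if you own the folder, otherwise the group bits if you are a member of its group, otherwise the other bits, and the first matching class is the only one consulted. The script below is an added example, not code from the thread or from OMV; it models that check and evaluates each scheme for three constructed users, plus the "Dad" supervisor account described above. It deliberately ignores POSIX ACLs and SMB-level share settings, which are assumptions about what is in play here (the thread sets standard permissions only and exports just Documents), and treats root as bypassing the check.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1

# Constructed users for the example; OMV puts each of them in "users" by default
# (stated in the thread). Names and modes are illustrative, not the OP's server.
USERS = ["userA", "userB", "userC"]


@dataclass(frozen=True)
class Folder:
    path: str
    owner: str
    group: str
    mode: int  # e.g. 0o2770 is RWXRWS--- (the 's' is the setgid bit)


def effective_bits(folder, user, groups_of):
    """Classic Unix DAC: owner bits, else group bits, else other bits; first match wins."""
    if user == "root":
        return R | W | X  # root bypasses the check (CAP_DAC_OVERRIDE)
    if user == folder.owner:
        return (folder.mode >> 6) & 7
    if folder.group in groups_of.get(user, set()):
        return (folder.mode >> 3) & 7
    return folder.mode & 7


# The exported share is Documents itself, so a user must also be able to enter it.
DOCUMENTS = Folder("Documents", "root", "users", 0o2770)


def can_use(user, folder, groups_of, parent=DOCUMENTS):
    """True when the user can traverse Documents and both enter and write the sub-folder."""
    if not effective_bits(parent, user, groups_of) & X:
        return False
    bits = effective_bits(folder, user, groups_of)
    return bool(bits & X) and bool(bits & W)


def omv_default_groups(extra=None):
    """Everyone is in 'users'; extra={'userA': {'userA'}} adds per-user groups."""
    groups = {u: {"users"} for u in USERS}
    for user, more in (extra or {}).items():
        groups.setdefault(user, set()).update(more)
    return groups


def scheme_root_users():
    """The OP's result: every sub-folder root:users RWXRWS---."""
    return [Folder(f"Documents/{u}", "root", "users", 0o2770) for u in USERS]


def scheme_owner():
    """Krisbee: sub-folder owned by its user, group none, others none (RWX------)."""
    return [Folder(f"Documents/{u}", u, "users", 0o700) for u in USERS]


def scheme_group():
    """KM0201: owner root rwx, group = per-user group rwx, others none."""
    return [Folder(f"Documents/{u}", "root", u, 0o770) for u in USERS]


def access_matrix(folders, groups_of, accounts=USERS):
    """{(account, folder path): can_use} for every combination."""
    return {(a, f.path): can_use(a, f, groups_of) for a in accounts for f in folders}


def is_exclusive(folders, groups_of):
    """True when Documents/userX is usable by userX and by no other account in USERS."""
    for f in folders:
        intended = f.path.rsplit("/", 1)[-1]
        for u in USERS:
            if can_use(u, f, groups_of) != (u == intended):
                return False
    return True


if __name__ == "__main__":
    per_user = {u: {u} for u in USERS}
    print("root:users 2770 exclusive?", is_exclusive(scheme_root_users(), omv_default_groups()))
    print("owner 700 exclusive?      ", is_exclusive(scheme_owner(), omv_default_groups()))
    print("group 770 exclusive?      ", is_exclusive(scheme_group(), omv_default_groups(per_user)))
    # A supervisor account placed in every per-user group reaches all three sub-folders.
    g = omv_default_groups(per_user)
    g["dad"] = {"users", *USERS}
    for (who, path), ok in sorted(access_matrix(scheme_group(), g, ["dad"]).items()):
        print(f"{who} -> {path}: {'rw' if ok else 'denied'}")
```

    The sub-folder privileges set in the webUI do not appear in this model at all, which matches Krisbee's point that they are ignored when only Documents is exported; what decides access is the owner, group and mode of each sub-folder. The group scheme is the one that lets an extra account be granted access later by group membership alone, whereas the owner scheme would require a second mechanism for the supervisor.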

  • KM0201

    As an aside, it's a pity that the design of the webUI means people often refer to ACLs when they really mean standard Linux permissions. I agree it's a mouthful to always say, "use the ACL page to set the standard Linux permission on ...", but it can avoid a lot of misunderstanding.


    I'd agree here... but having helped/supported this software for a long time, a lot of these folks (maybe a majority) are complete Linux neophytes, so I just try to keep it simple and stick to verbiage/instructions that are in line with the webUI.


    I've always said votdev has to write the software for "the lowest common denominator".. so while sometimes things may seem silly to a more experienced user like you or me, a new user... it keeps them from getting into trouble or may help with simplicity.
