Assigning rights for folders does not want to work

  • I've been trying to assign permissions to different users for a few days now without success, and I'm getting desperate with folder sharing and locking subfolders. The hard disk was formatted with ext4 on the PC and folders and files already exist.

    The following scenario

    Folder 1

    -- Folder 2

    --- Folder 3

    ---- Folder 4

    User A and user B should be able to use folder 1 as well as folder 2 including the files inside.

    User B should not have permission for folder 3 and thus also for folder 4.

    Access rights are set under "Data Storage --> Shared Folders" as follows:

    User A > Folder 1 > Read/Write

    User B > Folder 1 > Read/Write

    User B > Folder 3 > no access

    But user B has no access to all folders. I only ever manage to allow or block permissions to user A.

    User B does not react. What am I doing wrong when assigning permissions?

    Rights Folder 1

    Rights Folder 3



  • tlu1m

    Is this what you're trying to set up?

    At the terminal:

    There may be simpler/better ways to achieve your overall aim without using a four-deep nested set of folders. What is your overall aim?

  • There is a hard drive on which there is already a useful folder structure.

    There are movies, music, documents, photos and much more.

    User A should have access to all folders.

    User B should have access to almost all folders, with a few exceptions.

    For example I have a folder Movies, in this folder there is a folder Comedies, a folder Horror, a folder Kids Movies, a folder Action Movies and a folder Fairy Tale Movies.

    I don't want user B to be able to access the horror movies folder, but I do want him to be able to access the rest.

    Of course I want to administrate the whole thing via the graphical user interface of openmediavault. I don't want much more than that.



    • Official Post

    But user B has no access to all folders. I only ever manage to allow or block permissions to user A.

    User B does not react. What am I doing wrong when assigning permissions?

    Okay. It's a bit of a special case. I think this should help you.…misc_docs:nas_permissions

  • There is a hard drive on which there is already a useful folder structure.

    There are movies, music, documents, photos and much more.

    Originally created outside of OMV? Or have you created the folder structure via OMV WebUI? How will the data be accessed, e.g. as windows shares or in another way?

    People will need to know what linux permissions these various folders have, how they appear in the "shared folder" list and how you intend to access/create the data (windows share, ftp, torrent etc.) in order to assist further.

    For example, in the case of the movies folders, if each one was a separate "shared folder" accessed as a separate Windows share then you could simply use "privileges" to control which user account on OMV has access, assuming certain "shared folder" permissions. But people can only guess at a solution at the moment without fuller details of the existing folder structure and permissions.

    Whether you intended it or not, using Access Control Lists (ACL) is not recommended due to the additional complexities they introduce. At some stage you'll probably have to reset the perms on the folders you've experimented on, possibly requiring some action at the OMV terminal.

  • As already written, this hard disk already exists. It was originally formatted in ext4 under Linux and the folder structure was also set there. This should not be changed.

    I intend to share this disk on the local network as described above. To do this, I installed openmediavault on a computer I no longer need and connected the data hard drive via SATA. The sharing shall be done via smb:// (Samba). Access should be mainly Linux computers and Android phones that are on the network.

    However, not every user should be able to access everything.

    Now when I read your answers, it seems that this is not possible.

    Then what can I create users for on the openmediavault interface?



    • Official Post

    Personally, I've always found permissions by user, to be extremely awkward and just use groups.

    Not looking super deep at this, but your folder structure gives anyone in "users" group r/w access... By default, all users are in the users group so I suspect that is why this user can still access the folders.

    Create a group you want to have access to everything... Add the users to that group who can access everything.

    Now, change those restricted folders from root:users to root:new_group with ACL, and make sure "other groups" is set to no access.

    As long as you do not put restricted users in "new_group", they shouldn't have access to the folder.

  • tlu1m Bringing a disk with pre-existing data into OMV is less straightforward than starting from scratch with a blank drive and creating "shared folders" etc.

    Take this small example. Screenshot shows some dirs on an ext4 filesystem created by a local user outside of OMV with the typical umask 0022 and where the user account automatically has a primary group of the same name.

    The disk is then physically attached to OMV and mounted. Examining the dirs at the CLI on OMV shows this:

    So before you even start to consider which of the movie folders is best chosen to be a "shared folder" in OMV, the permissions now look odd. What happened to group "chris"? The change is simply because on my OMV the gid 1000 is something else. What happens if the account "chris" didn't even exist on OMV?

    Now add your original files into the mix as well, and the fact we've no idea what your starting point was, or what you've picked as "shared folders" or what the various file/dir permissions are now (including any ACL), then it should be clearer why a lot more info is needed from you in order to sort things out.

  • macom Reset Perms plugin is not recursive - no idea what current overall state OP's files and dirs are in. Already mentioned possible use of privs, but don't yet know which dirs in OP's folder structure have been picked as "shared folders"

    • Official Post

    Reset Perms plugin is not recursive

    It is

    openmediavault-resetperms/omv-resetperms at master · OpenMediaVault-Plugin-Developers/openmediavault-resetperms

  • KM0201

    I'll leave to you. Does your last post fit with OP requirement? Which of their existing folders should become shared folders?

    As already written, this hard disk already exists. It was originally formatted in ext4 under Linux and the folder structure was also set there. This should not be changed.

    • Official Post

    Yes it does. Unfortunately I just had something come up and I can't finish this

    OP, I'm not off work till Monday and I've got some long shifts.. I thought I could get this done before these yoyo's were calling me, but unfortunately not. I'll throw this together for you Monday night. Till then. I'm going to delete my post so as not to draw confusion.

    • Official Post

    I don't know how I get sucked into permission threads all the time, but I think this is just way over complicated by people. You're posting kinda sporadically, so I'll just show you how I do this, you can take it or leave it. Maybe someone will hit this in a search and it will help them.

    So first, this is a clean OMV install. Only thing I've done is create a folder called "Server" (it has default permissions, nothing changed.) Since you've done all this, I would 100% follow macom's advice and install the reset permissions, and reset your permissions to default and clear all ACL's.. When you reset them, it should look like this. If you don't do this, I would not count on any of this working.

    Next, I created 3 users... (for simplicity, I made them "name1", "name2", etc.)

    Then I added my "Server" folder to SMB... Note, I took all defaults, nothing was changed.

    I then logged in to my SMB share as name1 and created 5 folders (Folder_A, Folder_B, etc.) Note: I'm using Linux as opposed to Windows, but it really should not change anything. By default, these folders are all owned by "name1" so since there may be folders we don't want "name1" to have access to, we will address that with ACL in a moment.

    Now we go to Shared Folders, click the Server folder, and click the ACL icon. Scroll to the bottom and set the permissions as such. MAKE SURE TO CHECK THE REPLACE AND RECURSIVE BOXES:

    owner: root read/write/ex

    users: users read/write/ex

    others: none

    It should look like the below. You don't have to mess with anything at the top. Click Save

    Now, our permissions for all of our folders should be root:users, which again means all folders are owned by root, but you should be able to log in to SMB with any user, and read/write the folders. You can verify this with ls -l in the SSH session.

    In the next post, we'll start restricting access to our folders.

    • Official Post

    So now, we start setting up our access, which is really what the OP is trying to do. Remember earlier we created 5 folders, Folder_A, Folder_B, Folder_C, Folder_D, Folder_E

    We're gonna set up access like so:

    Folder_A and Folder_B: all users have read/write

    Folder_C: only name1 will have read/write

    Folder_D: name1 and name2 will have read/write

    Folder_E: no access for anyone

    So first Folder_A and Folder_B. We don't need to do anything to these folders since users in the "users" group have r/w access to them already, since as I mentioned earlier, by default all users are in the users group.

    For Folder_C. We will create a group called "folderc" and add name1 to it.

    Now we go to Shared Folders, click on our "Server" folder, and then click on ACL. Next, at the top we will click the 'tree' icon and select Folder_C. Now scroll to the bottom, leave owner as root with r/w, group, set to folderc and leave at r/w, leave others at "none". If you already have data in these folders, check the replace and recursive boxes and click Save. It should look like below:

    Now if we go back to SMB and log in as "name2" they should not be able to access Folder_C, as the picture below shows (the top folder is "Folder_A", which this user has permission on; the bottom folder, where I'm getting "Permission Denied", is Folder_C).

    Now for Folder_D, we'll let name1 and name2 have access to that one, no access for name3. Now if you log in as name2 or name1, they will get into Folder_D but name2 will get permission denied. I should not need to show you any more pics as it should be becoming clear what you need to do.

    Let's say for now, I don't want anyone having access to Folder_E. Again, just create a group "foldere" and do not put any users in said group. Then we set our permissions just like above but with foldere as the group and make sure that and recursive are checked and Save. Now, no user will have access to Folder_E, as there is no user in that group.

    Last but not least, say uncle name4 moves in, and he's pretty tech savvy and needs access to everything. We create him a user, then go back to our groups and add him to each of the groups we've made. name4 will now have r/w on all the folders, including the previously restricted Folder_E.

    Here's a final look at our permissions on our folders when this is all done

    I probably made this sound 10x harder than it is, but once you get the hang of it, it is super easy to do what the OP is wanting with groups. I know ACL's are sort of frowned on here, but if you spend 30min understanding how to set group permissions properly with ACL's.. you'll probably never use user permissions again. If you really wanted to lock things down, you could create a group for each folder, then add/remove users to those groups as needed for whatever you're allowing/not allowing them to do
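
The group scheme from the two posts above, modelled as an added example (not code from the thread or from openmediavault): it evaluates plain owner/group/other mode bits the way the kernel does, assuming Samba accesses files as the logged-in user with no forced user or group. The group name `folderd`, the subfolder `sub` and `Folder_X` are constructed for illustration and do not appear in the posts.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1

@dataclass(frozen=True)
class Entry:
    owner: str
    group: str
    mode: int  # permission bits, e.g. 0o770 = owner rwx, group rwx, others none

def class_bits(e, user, groups):
    """POSIX applies exactly one class: owner, else group, else other."""
    if user == e.owner:
        return (e.mode >> 6) & 7
    if e.group in groups:
        return (e.mode >> 3) & 7
    return e.mode & 7

def can_use(tree, path, user, groups):
    """Read/write use needs x on every ancestor and rwx on the folder itself."""
    parts = path.split("/")
    for i in range(1, len(parts)):
        if not (class_bits(tree["/".join(parts[:i])], user, groups) & X):
            return False
    return class_bits(tree[path], user, groups) == (R | W | X)

# Constructed data: the end state described in the posts.
MEMBERS = {
    "name1": {"users", "folderc", "folderd"},  # "folderd" is an assumed name
    "name2": {"users", "folderd"},
    "name3": {"users"},
}
TREE = {
    "Server": Entry("root", "users", 0o770),
    "Server/Folder_A": Entry("root", "users", 0o770),
    "Server/Folder_C": Entry("root", "folderc", 0o770),
    "Server/Folder_C/sub": Entry("root", "users", 0o770),  # child not re-grouped
    "Server/Folder_D": Entry("root", "folderd", 0o770),
    "Server/Folder_E": Entry("root", "foldere", 0o770),    # group has no members
    # Hypothetical pitfall: still owned by its SMB creator, only the group changed.
    "Server/Folder_X": Entry("name1", "foldere", 0o770),
}

def access_matrix(tree=TREE, members=MEMBERS):
    """Map each folder to the sorted list of users who can read/write it."""
    return {p: sorted(u for u, g in members.items() if can_use(tree, p, u, g))
            for p in tree}

if __name__ == "__main__":
    for path, users in access_matrix().items():
        print(f"{path:22} {', '.join(users) or '-'}")
```

`Folder_X` shows why the posts reset the owner to root: the owner class is checked first, so name1 gets in without being a member of `foldere`. `Folder_C/sub` stays closed to name2 and name3 even with group `users`, because they lack execute permission on its parent.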
