NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
Guest User and Group
On my newly installed RND31400 and recently upgraded to OS 6.5 I appear to have a Guest user (uid=99) and Guest group (gid=99).
admin@NAS02-24Devon:~$ id guest uid=99(guest) gid=99(guest) groups=99(guest)
Several add-ins (Transmission, btsync) created shares during the add-in installation for their use with guest being set as the default user and group.
But yet in FrontView Accounts->Users and Accounts->Groups the user and group "guest" are not visible.
Shouldn't I be able to see Guest as a user and a group listed? This so I know what's going on on my NAS. Then shouldn't I be able to disable globally anonymous access from the Accounts->Users tab? I understand Guest may be a reserved user / group (for use with anonymous access - so perhaps I shouldn't be able to delete this user / group.,
But as things are I didn't know the guest user / group existed - so I wasn't aware of the possibility of this security hole. And I didn't know the add-ins had opened Anonymous / Guest access to my NAS until I noticed new shares - there was no alert! Rather a security hole I feel.
Thoughts?
It is true that by default you can see all the shares with SMB (even ones you can't access).. That's because the permissions on the data volume itself allow this. As you know, "home" and "data" are set up differently (so they aren't shown unless you use admin credentials).
You can hide a share so it isn't shown,but then it isn't visible to anyone (unless they set up their PC to show hidden files).
I'm not sure why AFP isn't consistent.
ReadyNASNVUser wrote:
Suggestion: Wouldn't it be good, for transparency, if user and group guest were visible in FrontView?
It would be useful if all built-in accounts were listed (as read-only), so you'd know those accounts existed.
ReadyNASNVUser wrote:
Oughtn't you be able to use the "guest" user to create "anonymous" access - rather than having two differnt terms guest and anoymous in the UI?
Perhaps, though I'm not sure we need two ways to do this.
4 Replies
Replies have been turned off for this discussion
Of more concern while I have now managed to turn of guest access via AFP, I can still login as guest user via SMB (with no password!). Shares are visible despite "anonymous" access being disabled for both SMB and AFP "Network Access" - see screen shot:
You can see even my USB attached backup disk is visible, despite the fact that this only SMB "Network Access" from user "admin" (as set in FrontView).
On the good news side of things trying to mount one of these shares via SMB gives the following error - in this case when I tried to mount the share "media" while connected as "guest" over SMB
Please tell me how to turn off Guest Network ccess via SMB - I don't want guests being able to view available shares that I've not given guest / anonymous network access to! (or tell me this is a bug!)
This from a OS X 10.11.5 machine with all the latest patches installed, and a ReadyNAS 314 running OS 6.5.0
guest and admin are built-in accounts which cannot be deleted (so they are not listed in the web ui).
Can you provide a screenshot of the network access settings for a share that still is accessible with SMB as guest?
Is the share owned by guest?
Thanks StephenB.
None of the shares are mountable by user guest. As per the 2nd screenshot above - when trying to mount they all give this error.
What I'm surprised about is that although "anonymous" is unchecked in Network Access for all the shares in the 1st screenshot I can still see a list shares when connecting via SMB as guest.
Compare this to connecting using AFP - when I can't get any list of shares. Selecting "Guest" in the login dialog for AFP and clicking OK gets a "connection failed" message. With SMB selecting "Guest" in the login dialog gets a "successsful login" and displays the list of shares in the 1st screenshot - even though you can't then mount any of the shares.
As requested here's a screen shot of the network access settings for one of those shares "USB_HDD_5":
Thoughts on this difference between SMB and AFP?
Suggestion: Wouldn't it be good, for transparency, if user and group guess were visible in FrontView? Oughtn't you be able to use the "guest" user to create "anonymous" access - rather than having two differnt terms guest and anoymous in the UI?
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
