cmatsinger
Jan 08, 2019, Aspirant
NooB share permissions help
I'm a novice with Linux file permissions setting up a new 626x and I don't want to screw this up. I've read a number of topics and searched a bunch but I think I'm missing some fundamental things tha...
StephenB
Jan 08, 2019, Guru - Experienced User
cmatsinger wrote:
I'm a novice with Linux file permissions setting up a new 626x and I don't want to screw this up. I've read a number of topics and searched a bunch but I think I'm missing some fundamental things that I cannot clarify. I'm setting up several shares using SMB only with local users (no AD) that I'd like the following permissions for.
Archive - Admin users RW, regular Users read only
Tech - Admin RW, regular Users no access
I'd also like to not allow for ANY guest/anonymous access to any of these (not even seeing the shares are available)
Questions (let's start with Archive share)
Under Network Access, by default, Everyone group has RW. Because I want Users to have Read Only, should I uncheck Everyone and set Users group to Read Only?
The Allow Anonymous Access box is checked. Does unchecking this remove Guest access?
Yes to both. So uncheck anonymous, uncheck everyone, and set the user group to read-only.
cmatsinger wrote:
For File Access, default owner/group is Guest. Should I change this to Admin? Root? ...
You can leave this just as it is. Network access alone will accomplish what you want, and generally speaking it is easier to administer. Note that users can change the file permissions from Windows (right-clicking on a file), but they can't change the network permissions.
The effective access rights in Windows are the intersection of network and file permissions. So if the network permission is read-only, then write access will be denied, no matter what the file permissions are.
cmatsinger
Jan 08, 2019, Aspirant
Thanks so much for the info. I'm still concerned about the file permissions. It just seems so counter-intuitive to leave file ownership with guest. Is there any kind of best practice to set this to admin or root? While I appreciate it might be easier to administer, I'm willing to put in a little extra time for a little extra security. Thoughts?
- StephenB, Jan 08, 2019, Guru - Experienced User
cmatsinger wrote:
Thanks so much for the info. I'm still concerned about the file permissions. It just seems so counter-intuitive to leave file ownership with guest. Is there any kind of best practice to set this to admin or root? While I appreciate it might be easier to administer, I'm willing to put in a little extra time for a little extra security. Thoughts?
You can change the owner/group to admin/admin if you want (and then reset the file permissions in the share). But that won't improve your security. Network access controls are enough as long as all the files and folders in the share have the same access restrictions.
If you try to control access with file permissions, the usual result is that you end up with users being denied access to files that were created by other users.
- cmatsinger, Jan 08, 2019, Aspirant
Ok so I'll change the owner/group but leave permissions default. Thanks.
Now that I've covered share setup, onto my next question: So in /Archive, users are read only. I want a folder within /Archive that only Admin can access (Users have No Access.) Where do I set that? I'd rather not have separate shares for each difference in share access. Thoughts?
Also I should have probably mentioned that all users are on Mac, so permissions settings look a lot different than what you posted.
- StephenB, Jan 08, 2019, Guru - Experienced User
cmatsinger wrote:
Also I should have probably mentioned that all users are on Mac, so permissions settings look a lot different than what you posted.
Not sure what you mean by "look different than what I posted", since I didn't post anything about how they look in Windows. Though I did point out that Windows users (and Mac users) can change file permissions.
cmatsinger wrote:
I want a folder within /Archive that only Admin can access (Users have No Access.)
The simplest way is to set up a separate share for that folder and use network permissions as defined above. I get that you'd rather not do it that way, but it is the simplest and most secure.
The other way is for you to go into Archive on your Mac, and then set the file permissions from the Mac (not the NAS) to block access to the users group. I'm not a Mac user, so I don't know how you'd do that. You can't do this from the NAS Web UI, because that doesn't let you set file permissions for a specific file or folder.
The reason why a separate share is better: Anyone who can write to the parent folder can change the subfolder permissions from their PC back so that the users group can access it. This could be intentional, or it could be inadvertent (user error). There's no way you'd even know that was done unless you go and look. Network permissions can only be changed from the web UI, so it is easier to control.
I guess in your specific case, these folks might have the admin password for the web UI anyway, but generally speaking it's much harder to keep the file permissions set the way you want them.
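The permission drift described in the last reply (a restricted subfolder whose file permissions get changed back without anyone noticing) can be caught by a periodic audit. The following is an added example, not part of the thread and not NETGEAR tooling. It assumes a folder named `AdminOnly`, a share that is read-only for regular users, and regular users who fall under the POSIX "other" bits. It does not inspect ACLs.

```python
import os
import stat
import tempfile

def effective(share_rights, mode_bits):
    """Effective rights = network (share) rights intersected with file rights."""
    file_rights = {r for r, bit in (("r", 4), ("w", 2), ("x", 1)) if mode_bits & bit}
    return set(share_rights) & file_rights

def audit_restricted(root, expected_gid, share_rights="rx"):
    """Report entries under root that regular users could reach.

    Assumptions: regular users match neither owner nor group, so they get
    the 'other' bits; the share itself is read-only ("rx") for them.
    Only POSIX mode bits and group ownership are checked, not ACLs.
    """
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink mode bits carry no meaning on Linux
        rights = effective(share_rights, stat.S_IMODE(st.st_mode) & 0o007)
        group_ok = st.st_gid == expected_gid
        if rights or not group_ok:
            rel = os.path.relpath(path, root)
            findings.append((rel, "".join(sorted(rights)), group_ok))
    return sorted(findings)

def demo():
    """Constructed tree: an admin-only folder whose permissions have drifted."""
    with tempfile.TemporaryDirectory() as top:
        root = os.path.join(top, "AdminOnly")      # hypothetical folder name
        sub = os.path.join(root, "contracts")
        note = os.path.join(root, "notes.txt")
        os.makedirs(sub)
        open(note, "w").close()
        os.chmod(sub, 0o770)    # still as intended
        os.chmod(root, 0o775)   # drift: 'other' can list and enter
        os.chmod(note, 0o664)   # drift: 'other' can read
        return audit_restricted(root, os.lstat(root).st_gid)

if __name__ == "__main__":
    for rel, rights, group_ok in demo():
        print(f"{rel}: users get '{rights}', group ok: {group_ok}")
```

Each entry is judged on its own mode bits, so a file listed here is only reachable in practice if its parent folders are also traversable by the same users.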