Forum Discussion
chopin70, Jun 29, 2016 (Virtuoso)
User and group broken permissions
Hi, I am using the latest OS 6.5.1. I set up a share called "torrents". I have two groups: users and famille. The famille group has one user: enfants. In SMB Network access: users: r/w - famille: no acces...
omicron_persei8, Jun 30, 2016 (Luminary)
I'm doing more testing. I presume something is wrong with samba.
I'll update the thread when done.
- chopin70, Jun 30, 2016 (Virtuoso)
I edited my post above yours: it summarizes the real issues in the actual GUI and how they should be fixed.
The current way to set up permissions seems a complete mess if we look at it closer. It should be much clearer and without contradictions.
- omicron_persei8, Jun 30, 2016 (Luminary)
RN312 running F/W 6.5.1
I would expect that a user with a more specific permission set would overrule the inherited permission from the group, but maybe I'm wrong about this.
Nevertheless, with all testing below, I confirm that in some situations, permissions are not working properly.
The permissions set on group "users" overrule the other permissions (even though a user can be removed from the group "users").
In some situations, users don't inherit permissions from the group at all.
See all testing below... Please let me know if there is any typo (it's a long text, so it can happen) or any suggestion on tuning the test.
Test users and groups:
user_users_no: primary group is users, no secondary group, no permission specified on the share
user_users_ro: primary group is users, no secondary group, read/only permission specified on the share
user_users_rw: primary group is users, no secondary group, read/write permission specified on the share
user_users_groupno_no: primary group is users, secondary group is groupno, no permission specified on the share
user_users_groupno_ro: primary group is users, secondary group is groupno, read/only permission specified on the share
user_users_groupno_rw: primary group is users, secondary group is groupno, read/write permission specified on the share
user_groupno_no: primary group is groupno, no secondary group, no permission specified on the share
user_groupno_ro: primary group is groupno, no secondary group, read/only permission specified on the share
user_groupno_rw: primary group is groupno, no secondary group, read/write permission specified on the share
user_users_groupro_no: primary group is users, secondary group is groupro, no permission specified on the share
user_users_groupro_ro: primary group is users, secondary group is groupro, read/only permission specified on the share
user_users_groupro_rw: primary group is users, secondary group is groupro, read/write permission specified on the share
user_groupro_no: primary group is groupro, no secondary group, no permission specified on the share
user_groupro_ro: primary group is groupro, no secondary group, read/only permission specified on the share
user_groupro_rw: primary group is groupro, no secondary group, read/write permission specified on the share
user_users_grouprw_no: primary group is users, secondary group is grouprw, no permission specified on the share
user_users_grouprw_ro: primary group is users, secondary group is grouprw, read/only permission specified on the share
user_users_grouprw_rw: primary group is users, secondary group is grouprw, read/write permission specified on the share
user_grouprw_no: primary group is grouprw, no secondary group, no permission specified on the share
user_grouprw_ro: primary group is grouprw, no secondary group, read/only permission specified on the share
user_grouprw_rw: primary group is grouprw, no secondary group, read/write permission specified on the share
/etc/passwd:
user_users_no:x:114:100::/home/user_users_no:/bin/false
user_users_ro:x:115:100::/home/user_users_ro:/bin/false
user_users_rw:x:116:100::/home/user_users_rw:/bin/false
user_users_groupno_no:x:117:100::/home/user_users_groupno_no:/bin/false
user_users_groupno_ro:x:118:100::/home/user_users_groupno_ro:/bin/false
user_users_groupno_rw:x:119:100::/home/user_users_groupno_rw:/bin/false
user_groupno_ro:x:120:102::/home/user_groupno_ro:/bin/false
user_groupno_no:x:121:102::/home/user_groupno_no:/bin/false
user_groupno_rw:x:122:102::/home/user_groupno_rw:/bin/false
user_users_groupro_no:x:123:100::/home/user_users_groupro_no:/bin/false
user_users_groupro_ro:x:124:100::/home/user_users_groupro_ro:/bin/false
user_users_groupro_rw:x:125:100::/home/user_users_groupro_rw:/bin/false
user_groupro_no:x:126:103::/home/user_groupro_no:/bin/false
user_groupro_ro:x:127:103::/home/user_groupro_ro:/bin/false
user_groupro_rw:x:128:103::/home/user_groupro_rw:/bin/false
user_users_grouprw_no:x:129:100::/home/user_users_grouprw_no:/bin/false
user_users_grouprw_ro:x:130:100::/home/user_users_grouprw_ro:/bin/false
user_users_grouprw_rw:x:131:100::/home/user_users_grouprw_rw:/bin/false
user_grouprw_no:x:132:105::/home/user_grouprw_no:/bin/false
user_grouprw_ro:x:133:105::/home/user_grouprw_ro:/bin/false
user_grouprw_rw:x:134:105::/home/user_grouprw_rw:/bin/false
/etc/group:
users:x:100:
groupno:x:102:user_users_groupno_no,user_users_groupno_ro,user_users_groupno_rw
groupro:x:103:user_users_groupro_no,user_users_groupro_ro,user_users_groupro_rw
grouprw:x:105:user_users_grouprw_no,user_users_grouprw_ro,user_users_grouprw_rw
Configured share permissions (excluding group "users"):
(no) means that no checkbox is ticked
(user): (permission set on share)
Everyone: (no)
users: (defined in different situations below)
user_users_no: (no)
user_users_ro: read/only
user_users_rw: read/write
user_users_groupno_no: (no)
user_users_groupno_ro: read/only
user_users_groupno_rw: read/write
user_groupno_no: (no)
user_groupno_ro: read/only
user_groupno_rw: read/write
user_users_groupro_no: (no)
user_users_groupro_ro: read/only
user_users_groupro_rw: read/write
user_groupro_no: (no)
user_groupro_ro: read/only
user_groupro_rw: read/write
user_users_grouprw_no: (no)
user_users_grouprw_ro: read/only
user_users_grouprw_rw: read/write
user_grouprw_no: (no)
user_grouprw_ro: read/only
user_grouprw_rw: read/write
Test Script (on separate Linux machine):
#!/bin/bash
# Try every test account (plus one that does not exist) against the share:
# mount as that user, then probe read (ls) and write (touch).
# Needs root and cifs-utils on the client; "password" is the test accounts' password.
for a_user in \
    user_noexist \
    user_users_no user_users_ro user_users_rw \
    user_users_groupno_no user_users_groupno_ro user_users_groupno_rw \
    user_groupno_no user_groupno_ro user_groupno_rw \
    user_users_groupro_no user_users_groupro_ro user_users_groupro_rw \
    user_groupro_no user_groupro_ro user_groupro_rw \
    user_users_grouprw_no user_users_grouprw_ro user_users_grouprw_rw \
    user_grouprw_no user_grouprw_ro user_grouprw_rw \
; do
    echo -n "User: ${a_user} -> "
    echo -n "Mount: "
    # A failed mount means the share refused the connection (not in "valid users").
    if (mount //testnas/share /mnt -o user=${a_user},password=password &> /dev/null); then
        echo -n "yes"
        echo -n ", Read: "
        if (ls /mnt &> /dev/null); then
            echo -n "yes"
        else
            echo -n "no"
        fi
        echo -n ", Write: "
        if (touch /mnt/file.empty 2> /dev/null); then
            echo -n "yes"
        else
            echo -n "no"
        fi
        umount /mnt &> /dev/null
    else
        echo -n "no"
    fi
    echo ""
    sleep 1
done
---------------------------
Situation 1) group "users" has read/write
Samba permission on the test share:
[share]
path = /data/share
comment = ""
admin users = "+admin","Administrator"
read list = "user_groupno_ro","user_groupro_ro","user_grouprw_ro","user_users_groupno_ro","user_users_groupro_ro","user_users_grouprw_ro","user_users_ro","@groupro"
write list = "user_groupno_rw","user_groupro_rw","user_grouprw_rw","user_users_groupno_rw","user_users_groupro_rw","user_users_grouprw_rw","user_users_rw","@grouprw","@users","+admin","Administrator"
valid users = "user_groupno_ro","user_groupno_rw","user_groupro_ro","user_groupro_rw","user_grouprw_ro","user_grouprw_rw","user_users_groupno_ro","user_users_groupno_rw","user_users_groupro_ro","user_users_groupro_rw","user_users_grouprw_ro","user_users_grouprw_rw","user_users_ro","user_users_rw","@groupro","@grouprw","@users","+admin","Administrator"
Script output:
User: user_noexist -> Mount: no
User: user_users_no -> Mount: yes, Read: yes, Write: yes
User: user_users_ro -> Mount: yes, Read: yes, Write: yes
User: user_users_rw -> Mount: yes, Read: yes, Write: yes
User: user_users_groupno_no -> Mount: yes, Read: yes, Write: yes
User: user_users_groupno_ro -> Mount: yes, Read: yes, Write: yes
User: user_users_groupno_rw -> Mount: yes, Read: yes, Write: yes
User: user_groupno_no -> Mount: yes, Read: yes, Write: yes
User: user_groupno_ro -> Mount: yes, Read: yes, Write: yes
User: user_groupno_rw -> Mount: yes, Read: yes, Write: yes
User: user_users_groupro_no -> Mount: yes, Read: yes, Write: yes
User: user_users_groupro_ro -> Mount: yes, Read: yes, Write: yes
User: user_users_groupro_rw -> Mount: yes, Read: yes, Write: yes
User: user_groupro_no -> Mount: yes, Read: yes, Write: yes
User: user_groupro_ro -> Mount: yes, Read: yes, Write: yes
User: user_groupro_rw -> Mount: yes, Read: yes, Write: yes
User: user_users_grouprw_no -> Mount: yes, Read: yes, Write: yes
User: user_users_grouprw_ro -> Mount: yes, Read: yes, Write: yes
User: user_users_grouprw_rw -> Mount: yes, Read: yes, Write: yes
User: user_grouprw_no -> Mount: yes, Read: yes, Write: yes
User: user_grouprw_ro -> Mount: yes, Read: yes, Write: yes
User: user_grouprw_rw -> Mount: yes, Read: yes, Write: yes
Configured vs effective share permissions (based on above results):
(user): (permission set on share) -> (actual result) [expectation if different]
Everyone: (no) -> no access
users: read/write -> n/a
user_users_no: (no) -> read/write
user_users_ro: read/only -> read/write [expected read/only]
user_users_rw: read/write -> read/write
user_users_groupno_no: (no) -> read/write
user_users_groupno_ro: read/only -> read/write [expected read/only]
user_users_groupno_rw: read/write -> read/write
user_groupno_no: (no) -> read/write [expected no access]
user_groupno_ro: read/only -> read/write [expected read/only]
user_groupno_rw: read/write -> read/write
user_users_groupro_no: (no) -> read/write
user_users_groupro_ro: read/only -> read/write [expected read/only]
user_users_groupro_rw: read/write -> read/write
user_groupro_no: (no) -> read/write [expected read/only]
user_groupro_ro: read/only -> read/write [expected read/only]
user_groupro_rw: read/write -> read/write
user_users_grouprw_no: (no) -> read/write
user_users_grouprw_ro: read/only -> read/write [expected read/only]
user_users_grouprw_rw: read/write -> read/write
user_grouprw_no: (no) -> read/write
user_grouprw_ro: read/only -> read/write [expected read/only]
user_grouprw_rw: read/write -> read/write
---------------------------
Situation 2) group "users" has read/only
Samba permission on the test share:
[share]
path = /data/share
comment = ""
admin users = "+admin","Administrator"
read list = "user_groupno_ro","user_groupro_ro","user_grouprw_ro","user_users_groupno_ro","user_users_groupro_ro","user_users_grouprw_ro","user_users_ro","@groupro","@users"
write list = "user_groupno_rw","user_groupro_rw","user_grouprw_rw","user_users_groupno_rw","user_users_groupro_rw","user_users_grouprw_rw","user_users_rw","@grouprw","+admin","Administrator"
valid users = "user_groupno_ro","user_groupno_rw","user_groupro_ro","user_groupro_rw","user_grouprw_ro","user_grouprw_rw","user_users_groupno_ro","user_users_groupno_rw","user_users_groupro_ro","user_users_groupro_rw","user_users_grouprw_ro","user_users_grouprw_rw","user_users_ro","user_users_rw","@groupro","@grouprw","@users","+admin","Administrator"
Script output:
User: user_noexist -> Mount: no
User: user_users_no -> Mount: yes, Read: yes, Write: no
User: user_users_ro -> Mount: yes, Read: yes, Write: no
User: user_users_rw -> Mount: yes, Read: yes, Write: yes
User: user_users_groupno_no -> Mount: yes, Read: yes, Write: no
User: user_users_groupno_ro -> Mount: yes, Read: yes, Write: no
User: user_users_groupno_rw -> Mount: yes, Read: yes, Write: yes
User: user_groupno_no -> Mount: yes, Read: yes, Write: no
User: user_groupno_ro -> Mount: yes, Read: yes, Write: no
User: user_groupno_rw -> Mount: yes, Read: yes, Write: yes
User: user_users_groupro_no -> Mount: yes, Read: yes, Write: no
User: user_users_groupro_ro -> Mount: yes, Read: yes, Write: no
User: user_users_groupro_rw -> Mount: yes, Read: yes, Write: yes
User: user_groupro_no -> Mount: yes, Read: yes, Write: no
User: user_groupro_ro -> Mount: yes, Read: yes, Write: no
User: user_groupro_rw -> Mount: yes, Read: yes, Write: yes
User: user_users_grouprw_no -> Mount: yes, Read: yes, Write: yes
User: user_users_grouprw_ro -> Mount: yes, Read: yes, Write: yes
User: user_users_grouprw_rw -> Mount: yes, Read: yes, Write: yes
User: user_grouprw_no -> Mount: yes, Read: yes, Write: yes
User: user_grouprw_ro -> Mount: yes, Read: yes, Write: yes
User: user_grouprw_rw -> Mount: yes, Read: yes, Write: yes
Configured vs effective share permissions (based on above results):
(user): (permission set on share) -> (actual result) [expectation if different]
Everyone: (no) -> no access
users: read/write -> n/a
user_users_no: (no) -> read/only
user_users_ro: read/only -> read/only
user_users_rw: read/write -> read/write
user_users_groupno_no: (no) -> read/only
user_users_groupno_ro: read/only -> read/only
user_users_groupno_rw: read/write -> read/write
user_groupno_no: (no) -> read/only [expected no access]
user_groupno_ro: read/only -> read/only
user_groupno_rw: read/write -> read/write
user_users_groupro_no: (no) -> read/only
user_users_groupro_ro: read/only -> read/only
user_users_groupro_rw: read/write -> read/write
user_groupro_no: (no) -> read/only
user_groupro_ro: read/only -> read/only
user_groupro_rw: read/write -> read/write
user_users_grouprw_no: (no) -> read/write
user_users_grouprw_ro: read/only -> read/write [expected read/only]
user_users_grouprw_rw: read/write -> read/write
user_grouprw_no: (no) -> read/write
user_grouprw_ro: read/only -> read/write [expected read/only]
user_grouprw_rw: read/write -> read/write
---------------------------
Situation 3) group "users" has (no) specified permissions
Samba permission on the test share:
[share]
path = /data/share
comment = ""
admin users = "+admin","Administrator"
read list = "user_groupno_ro","user_groupro_ro","user_grouprw_ro","user_users_groupno_ro","user_users_groupro_ro","user_users_grouprw_ro","user_users_ro","@groupro"
write list = "user_groupno_rw","user_groupro_rw","user_grouprw_rw","user_users_groupno_rw","user_users_groupro_rw","user_users_grouprw_rw","user_users_rw","@grouprw","+admin","Administrator"
valid users = "user_groupno_ro","user_groupno_rw","user_groupro_ro","user_groupro_rw","user_grouprw_ro","user_grouprw_rw","user_users_groupno_ro","user_users_groupno_rw","user_users_groupro_ro","user_users_groupro_rw","user_users_grouprw_ro","user_users_grouprw_rw","user_users_ro","user_users_rw","@groupro","@grouprw","+admin","Administrator"
Script output:
User: user_noexist -> Mount: no
User: user_users_no -> Mount: no
User: user_users_ro -> Mount: yes, Read: yes, Write: no
User: user_users_rw -> Mount: yes, Read: yes, Write: yes
User: user_users_groupno_no -> Mount: no
User: user_users_groupno_ro -> Mount: yes, Read: yes, Write: no
User: user_users_groupno_rw -> Mount: yes, Read: yes, Write: yes
User: user_groupno_no -> Mount: no
User: user_groupno_ro -> Mount: yes, Read: yes, Write: no
User: user_groupno_rw -> Mount: yes, Read: yes, Write: yes
User: user_users_groupro_no -> Mount: no
User: user_users_groupro_ro -> Mount: yes, Read: yes, Write: no
User: user_users_groupro_rw -> Mount: yes, Read: yes, Write: yes
User: user_groupro_no -> Mount: no
User: user_groupro_ro -> Mount: yes, Read: yes, Write: no
User: user_groupro_rw -> Mount: yes, Read: yes, Write: yes
User: user_users_grouprw_no -> Mount: yes, Read: yes, Write: yes
User: user_users_grouprw_ro -> Mount: yes, Read: yes, Write: yes
User: user_users_grouprw_rw -> Mount: yes, Read: yes, Write: yes
User: user_grouprw_no -> Mount: yes, Read: yes, Write: yes
User: user_grouprw_ro -> Mount: yes, Read: yes, Write: yes
User: user_grouprw_rw -> Mount: yes, Read: yes, Write: yes
Configured vs effective share permissions (based on above results):
(user): (permission set on share) -> (actual result) [expectation if different]
Everyone: (no) -> no access
users: read/write -> n/a
user_users_no: (no) -> no access
user_users_ro: read/only -> read/only
user_users_rw: read/write -> read/write
user_users_groupno_no: (no) -> no access
user_users_groupno_ro: read/only -> read/only
user_users_groupno_rw: read/write -> read/write
user_groupno_no: (no) -> no access
user_groupno_ro: read/only -> read/only
user_groupno_rw: read/write -> read/write
user_users_groupro_no: (no) -> no access [expected read/only]
user_users_groupro_ro: read/only -> read/only
user_users_groupro_rw: read/write -> read/write
user_groupro_no: (no) -> no access [expected read/only]
user_groupro_ro: read/only -> read/only
user_groupro_rw: read/write -> read/write
user_users_grouprw_no: (no) -> read/write
user_users_grouprw_ro: read/only -> read/write [expected read/only]
user_users_grouprw_rw: read/write -> read/write
user_grouprw_no: (no) -> read/write
user_grouprw_ro: read/only -> read/write [expected read/only]
user_grouprw_rw: read/write -> read/write
- chopin70, Jun 30, 2016 (Virtuoso)
Thank you for the deep testing.
Some of the expectations you specify are not true. The user permission is the ultimate decider.
Actually, members of any group can escalate their permissions above what is set by the group "users". This acts as expected if we are in an ACL scheme (see the reference below).
However, the group "users" seems to impose its permissions as a minimum for other members, even outside of its group. The affected members, even if configured to have lower permissions, will inherit the higher permissions from the group "users".
There is huge confusion in the way permissions and groups/users are set in the GUI, plus the owner_user and owner_group.
It seems like a bug in the sources, as testing through SSH shows proper group/user access.
Maybe tech support should read through this thread and consider these suggestions:
Note: in Linux, users take precedence over groups, which take precedence over others.
Reference:
When a process tries to open a file, with traditional Unix permissions:
- If the file's owning user is the process's effective UID, then the user permission bits are used.
- Otherwise, if the file's owning group is the process's effective GID or one of the process's supplementary group IDs, then the group permission bits are used.
- Otherwise, the other permission bits are used.
Only one set of rwx bits is ever used. User takes precedence over group, which takes precedence over other. When there are access control lists, the algorithm described above is generalized:
- If there is an ACL on the file for the process's effective UID, then it is used to determine whether access is granted.
- Otherwise, if there is an ACL on the file for the process's effective GID or one of the process's supplementary group IDs, then the group permission bits are used.
- Otherwise, the other permission bits are used.
I always assumed we were in the situation with ACLs on files, since we define the access permissions on the share, which I assumed are applied to every file in the share.
The samba.conf file suggests we are in an ACL situation.
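The lists the NAS writes into the share definition ("valid users", "read list", "write list") are neither Unix mode bits nor file ACLs: Samba evaluates them at connection time, before any filesystem check, and smb.conf(5) documents a fixed order for them, including that a user in "write list" gets write access even if also in "read list". The Python model below is an added example for this thread, not code from the posts above or from NETGEAR. It applies those documented rules to the three posted situations, with group membership as shown in the posted /etc/passwd and /etc/group excerpts, so the predicted access can be compared row by row with the "Script output" tables. It treats the "@", "+" and "&" prefixes all as UNIX groups (the NIS netgroup lookups Samba also attempts are ignored) and leaves "read only" at its default of yes.

```python
"""Model of the share-level access rules documented in smb.conf(5).

Added example for this thread; it is not code from the posts above or
from NETGEAR. It applies the documented meaning of "valid users",
"read list" and "write list" to the three situations omicron_persei8
tested, with group membership as shown in the posted /etc/passwd and
/etc/group excerpts, so predicted access can be compared row by row with
the observed "Script output".
"""

# The posted test accounts follow a naming scheme that encodes their
# groups: user_<primary>[_<secondary>]_<share permission>. This matches
# the posted /etc/passwd (primary gid) and /etc/group (members) excerpts,
# so membership is derived from the name instead of re-parsing those files.
GROUP_SETS = ["users", "users_groupno", "groupno", "users_groupro",
              "groupro", "users_grouprw", "grouprw"]
PERMS = ["no", "ro", "rw"]                     # (no) / read-only / read-write
USERS = [f"user_{g}_{p}" for g in GROUP_SETS for p in PERMS]

# Permission the GUI gave group "users" in situations 1, 2 and 3.
SITUATIONS = {1: "rw", 2: "ro", 3: None}


def groups_of(user):
    """Primary plus supplementary UNIX groups of a test account."""
    return set(user.split("_")[1:-1])


def share_lists(users_group_perm):
    """Rebuild the posted read list / write list / valid users for one situation."""
    read_list = [u for u in USERS if u.endswith("_ro")] + ["@groupro"]
    write_list = ([u for u in USERS if u.endswith("_rw")]
                  + ["@grouprw", "+admin", "Administrator"])
    if users_group_perm == "ro":
        read_list.append("@users")
    elif users_group_perm == "rw":
        write_list.append("@users")
    # The GUI emits "valid users" as the union of the two lists.
    valid_users = sorted(set(read_list) | set(write_list))
    return {"read list": read_list, "write list": write_list,
            "valid users": valid_users}


def in_list(user, groups, entries):
    """smb.conf list matching: a leading '@', '+' or '&' names a group,
    anything else is a user name. All three prefixes are treated as UNIX
    groups here; the NIS netgroup lookups Samba also tries are ignored."""
    for entry in entries:
        if entry and entry[0] in "@+&":
            if entry[1:] in groups:
                return True
        elif entry == user:
            return True
    return False


def effective_access(user, share, read_only=True):
    """Documented evaluation order (smb.conf(5)):
    1. a non-empty "valid users" list refuses everyone not in it (the test
       script's "Mount: no");
    2. "write list" grants read-write, even if the user is also in
       "read list" and whatever "read only" says;
    3. "read list" grants read-only;
    4. otherwise the share's "read only" setting decides (default: yes)."""
    groups = groups_of(user)
    valid = share.get("valid users", [])
    if valid and not in_list(user, groups, valid):
        return "no access"
    if in_list(user, groups, share.get("write list", [])):
        return "read/write"
    if in_list(user, groups, share.get("read list", [])):
        return "read/only"
    return "read/only" if read_only else "read/write"


def predict(situation):
    """Predicted access for every test account in one situation."""
    share = share_lists(SITUATIONS[situation])
    return {u: effective_access(u, share) for u in USERS}


if __name__ == "__main__":
    for n in SITUATIONS:
        print(f"Situation {n}) group users = {SITUATIONS[n] or '(no)'}")
        for user, access in predict(n).items():
            print(f"  {user:28} -> {access}")
```

Running it reproduces several rows flagged above as unexpected from the documented rules alone: every user_*_grouprw_ro account gets read/write in all three situations because "@grouprw" is in the write list and the write list beats the read list, and in situation 1 "@users" in the write list gives every member of group users write access, which is also what the original "torrents" share does when group users is r/w. The rows where the model and the observed output still disagree (for example user_groupno_no getting read/only in situation 2, or user_users_groupro_no getting no access in situation 3) are the ones this list logic, with membership read from /etc/group, does not reproduce, and so the ones worth raising with support.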