chopin70
Jun 29, 2016, Virtuoso
User and group broken permissions
Hi, I am using latest OS 6.5.1 I setup a share called "torrents" I have two groups: users and famille famille group has one user: enfants In SMB Network access: users: r/w - famille: no acces...
StephenB
Jul 06, 2016, Guru - Experienced User
FWIW, I did forward a link to this thread to a Netgear developer for comment. I'll send a reminder if I don't hear back.
It would be a useful thing if someone tried various settings, and posted the ACL and permissions that result in the file system. That can be done by any community member who has SSH access enabled on their OS6 NAS.
That might also help focus this discussion into what specifically might need to be changed.
chopin70
Jul 06, 2016, Virtuoso
StephenB wrote:
FWIW, I did forward a link to this thread to a Netgear developer for comment. I'll send a reminder if I don't hear back.
It would be a useful thing if someone tried various settings, and posted the ACL and permissions that result in the file system. That can be done by any community member who has SSH access enabled on their OS6 NAS.
That might also help focus this discussion into what specifically might need to be changed.
Thank you StephenB
Can you detail the needed commands that I should run in SSH for debugging?
I already posted the output of specific "id -a" commands in SSH
Since we are at least 3 people in the forum to reproduce the issue, it could be a generalized issue. Again, it clearly appeared somewhere between 6.4 and 6.5.1, maybe the 6.5.x as I recall 6.4.x builds were fine when I first migrated to OS 6 and setup my groups and permissions
- StephenB, Jul 06, 2016, Guru - Experienced User
Honestly I don't have time to work on it right now (and since my own shares are wide open, I am not directly affected).
I was thinking that people could create a small test share, apply the settings they want in file access and network access. Then capture the output of
getfacl /volume/sharename
ls -al /volume | grep sharename
ls -al /volume/sharename
cat /volume/._share/sharename/samba.conf
I think that ought to be everything needed to analyze the results of the settings in the GUI.
- chopin70, Jul 06, 2016, Virtuoso
I will test and report back
- chopin70, Jul 12, 2016, Virtuoso
Setup case 1:
test_share: a new share
test_group: a new group
test_user: a new user member of the test_group (no other groups membership)
GUI Network Settings:
test_group r/w
users r/w
admin r/w
test_user no_access
all others: no_access
GUI File Access
Folder owner (jack) r/w
Folder group (users) r/w
test_group r/w
users r/w
admin r/w
test_user no_access
all others: no_access
samba.conf
root@RNDU2000-1:~# cat /data/._share/test_share/samba.conf
[test_share]
path = /data/test_share
comment = ""
admin users = "+admin","Administrator"
write list = "@test_group","@users","+admin","Administrator"
valid users = "@test_group","@users","+admin","Administrator"
follow symlinks = 1
getfacl
root@RNDU2000-1:~# getfacl /data/test_share
getfacl: Removing leading '/' from absolute path names
# file: data/test_share
# owner: jack
# group: users
# flags: --t
user::rwx
user:admin:rwx
group::rwx
group:admin:rwx
group:users:rwx
group:test_group:rwx
mask::rwx
other::---
default:user::rwx
default:user:admin:rwx
default:group::rwx
default:group:admin:rwx
default:group:users:rwx
default:group:test_group:rwx
default:mask::rwx
default:other::---
ls -al
root@RNDU2000-1:~# ls -al /data/test_share
total 36
drwxrwx--T+ 1 jack users 50 Jul 12 22:41 .
drwxr-xr-x 1 root root 254 Jul 12 20:32 ..
-rwxrwx---+ 1 admin admin 11 Jul 12 22:41 test_access.txt
Access from a remote machine with test_user login
test_user can access the test_share folder, read its contents and open the text file
it has full read only access
expected: test_user should have no access to the share
Setup case 2
So that test_user stops being able to access test_share, we must uncheck all access rights from test_group from Network and File access tabs.
I couldn't reproduce the situation where setting the group users to r/w would force test_user to have r/w access even if it was given ro or no mount access
- chopin70, Jul 12, 2016, Virtuoso
Setup case 3:
GUI Network Settings:
test_group ro
users r/w
admin r/w
jack r/w
test_user r/w
all others: no_access
GUI File Access
Folder owner (jack) r/w
Folder group (users) r/w
test_group ro
users r/w
admin r/w
jack r/w
test_user r/w
all others: no_access
samba.conf
root@RNDU2000-1:~# cat /data/._share/test_share/samba.conf
[test_share]
path = /data/test_share
comment = ""
admin users = "+admin","Administrator"
read list = "@test_group"
write list = "jack","test_user","@users","+admin","Administrator"
valid users = "jack","test_user","@test_group","@users","+admin","Administrator"
follow symlinks = 1
ls -al
root@RNDU2000-1:~# ls -al /data/test_share
total 36
drwxrwx--T+ 1 jack users 50 Jul 12 22:41 .
drwxr-xr-x 1 root root 254 Jul 12 20:32 ..
-rwxrwx---+ 1 admin admin 11 Jul 12 22:41 test_access.txt
Actual behavior:
test_user still has read only access
expected: it should have r/w access
Variant:
to this case 3 setup, if I add rw access to test_group in both Network and File Access, it still has read only access
so, in this case, I found no way to give test_user the r/w access. Sounds like things are stuck for a weird reason
All above commands show a proper output as setup in GUI
Conclusion: the access rights behave randomly and are difficult to reproduce, but are always broken in some way
- kohdee, Jul 14, 2016, NETGEAR Expert
StephenB wrote:
I think that ought to be everything needed to analyze the results of the settings in the GUI.
You can also use smbstatus for SMB connections to confirm the username that you are connecting as.
I don't believe you can explicitly deny a user just because you took away read/write, but left the group they're in as read/write allowed.
You can also confirm what groups a user is in via the backend using cat /etc/group.
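Added example, not part of the thread and not NETGEAR or Samba code: a share-level evaluation of the two samba.conf sections posted above, following the smb.conf rules for `invalid users`, `valid users`, `write list` and `read list`. The group set passed for test_user follows the thread's description of the test setup, and `read only = yes` (Samba's default) is assumed because the posted sections do not set it.

```python
import re

# Relevant lines of the share sections posted in the thread (case 1 and case 3).
CASE1 = '''[test_share]
path = /data/test_share
admin users = "+admin","Administrator"
write list = "@test_group","@users","+admin","Administrator"
valid users = "@test_group","@users","+admin","Administrator"
'''
CASE3 = '''[test_share]
path = /data/test_share
read list = "@test_group"
write list = "jack","test_user","@users","+admin","Administrator"
valid users = "jack","test_user","@test_group","@users","+admin","Administrator"
'''

def parse_lists(conf):
    """Map each option name to the quoted entries on its line."""
    opts = {}
    for line in conf.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip().lower()] = re.findall(r'"([^"]+)"', value)
    return opts

def listed(entries, user, groups):
    """True if the user, or one of the user's groups (@, + or & prefix), is listed."""
    for entry in entries:
        if entry[0] in "@+&":
            if entry.lstrip("@+&") in groups:
                return True
        elif entry == user:
            return True
    return False

def share_access(conf, user, groups):
    """Share-level result only: 'denied', 'ro' or 'rw'."""
    opts = parse_lists(conf)
    if listed(opts.get("invalid users", []), user, groups):
        return "denied"                      # invalid users wins over valid users
    valid = opts.get("valid users", [])
    if valid and not listed(valid, user, groups):
        return "denied"
    if listed(opts.get("write list", []), user, groups):
        return "rw"                          # write list wins over read list
    return "ro"  # read list match, or the assumed default read only = yes

if __name__ == "__main__":
    for name, conf in (("case 1", CASE1), ("case 3", CASE3)):
        print(name, share_access(conf, "test_user", {"test_group"}))
```

This covers only Samba's share-level lists; the filesystem ACL shown by getfacl is applied separately and can be more restrictive than the share-level result.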