Hi,I am using latest OS 6.5.1 I setup a share called "torrents"I have two groups: users and famillefamille group has one user: enfantsIn SMB Network access: users: r/w - famille: no access - enfants: no accessIn file access: same setup However, the user "enfants" still has r/w access on the torrents share Even if I set them to read only, still they have r/w accessThis use to work before on early 6.4.x versions, last time I checked I tried to reset permissions, but no fixAs soon as the group users has ro permission, "enfants" gets r/o access, despite it is not a membrer of that group

I have created:user_users member of usersuser_both_groups member of users, test_groupuser_test_group member of test_grouptest_share: users r/w, everything else at noI can write to test_share from user user_test_group, which is not normal.Local users & groups are ok.Interestingly, if I run pdbedit -L -v, I see all three users with the same primary group SID. But I don't know how to read the output of that command.

Many thanks for your confirmationThis confirms that something is going very nasty at permissions level with the new upadates. The group users is taking over every user permissions. Groups became meaningless too as the group users is imposing all permissions. Currently, the only fix is to deny groups any permission and setup separately the users. This puts the light on a complex and non sense users/groups permissions setup:what is the meaning of being able to setup separately the permissions of owner_user + the corresponding user and owner_group + corresponding group ? Which one will have the priority if we setup owner_user and the corresponding user differently ?what is the point of setting up group permissions if users of the actual group will have by default no read and no write access ? To make things meaningful and obvious, we need the following:remove the unclear and redundant way allowing to set up two different access permissions for the same members/groups as in point 1in addition to the ro and rw options, add an option "inherit group permissions". That way, it is clear that: - nothing is checked gives no mount access - ro or rw if we need exceptions for the user. Else, "inherit group permissions" set by default for new users of a given group - if we modify an existing group permissions, ask if we want to modify permissions for all its existing members or not (across all shares) - if we modify the group for a given a user, ask if the user permissions should be changed to inherit the new group permissions, for all the shares Actual situation is a total confusion. Not surprising that it ends to teh current inacceptable situation. I really appreciate the great work done with the support team for ReadyNAS. They gave us uptodate options on legacy years-old hardware.However, messing up a linux build to the level of breaking its basics, users and groups permissions, is something rather unbelievable... Hope this will be fixed asap and my suggestions to make things more linux structured considered rapidly

I'm doing more testing. I presume something is wrong with samba.I'll update the thread when done.

RN312 running F/W 6.5.1I would expect that a user with a more specifc permission set would overrule the inherited permission from the group, but maybe I'm wrong about this.Nevertheless, with all testing below, I confirm that in some situations, permissions are not working properly.The permissions set on group "users" overrule the other permissions (even though a user can be removed from the group "users").In some situations, users don't inherit permissions from the group at all.See all testing below... Please let me know if any typo (it's a long text, so it can happen) or any suggestion on tuning the test.Test users and groups:user_users_no: primary group is users, no secondary group, no permission specified on the share user_users_ro: primary group is users, no secondary group, read/only permission specified on the share user_users_rw: primary group is users, no secondary group, read/write permission specified on the share user_users_groupno_no: primary group is users, secondary group is groupno, no permission specified on the share user_users_groupno_ro: primary group is users, secondary group is groupno, read/only permission specified on the share user_users_groupno_rw: primary group is users, secondary group is groupno, read/write permission specified on the share user_groupno_no: primary group is groupno, no secondary group, no permission specified on the share user_groupno_ro: primary group is groupno, no secondary group, read/only permission specified on the share user_groupno_rw: primary group is groupno, no secondary group, read/write permission specified on the share user_users_groupro_no: primary group is users, secondary group is groupro, no permission specified on the share user_users_groupro_ro: primary group is users, secondary group is groupro, read/only permission specified on the share user_users_groupro_rw: primary group is users, secondary group is groupro, read/write permission specified on the share user_groupro_no: primary group is groupro, no secondary group, no permission specified on the share user_groupro_ro: primary group is groupro, no secondary group, read/only permission specified on the share user_groupro_rw: primary group is groupro, no secondary group, read/write permission specified on the share user_users_grouprw_no: primary group is users, secondary group is grouprw, no permission specified on the share user_users_grouprw_ro: primary group is users, secondary group is grouprw, read/only permission specified on the share user_users_grouprw_rw: primary group is users, secondary group is grouprw, read/write permission specified on the share user_grouprw_no: primary group is grouprw, no secondary group, no permission specified on the share user_grouprw_ro: primary group is grouprw, no secondary group, read/only permission specified on the share user_grouprw_rw: primary group is grouprw, no secondary group, read/write permission specified on the share/etc/password:user_users_no:x:114:100::/home/user_users_no:/bin/falseuser_users_ro:x:115:100::/home/user_users_ro:/bin/falseuser_users_rw:x:116:100::/home/user_users_rw:/bin/falseuser_users_groupno_no:x:117:100::/home/user_users_groupno_no:/bin/falseuser_users_groupno_ro:x:118:100::/home/user_users_groupno_ro:/bin/falseuser_users_groupno_rw:x:119:100::/home/user_users_groupno_rw:/bin/falseuser_groupno_ro:x:120:102::/home/user_groupno_ro:/bin/falseuser_groupno_no:x:121:102::/home/user_groupno_no:/bin/falseuser_groupno_rw:x:122:102::/home/user_groupno_rw:/bin/falseuser_users_groupro_no:x:123:100::/home/user_users_groupro_no:/bin/falseuser_users_groupro_ro:x:124:100::/home/user_users_groupro_ro:/bin/falseuser_users_groupro_rw:x:125:100::/home/user_users_groupro_rw:/bin/falseuser_groupro_no:x:126:103::/home/user_groupro_no:/bin/falseuser_groupro_ro:x:127:103::/home/user_groupro_ro:/bin/falseuser_groupro_rw:x:128:103::/home/user_groupro_rw:/bin/falseuser_users_grouprw_no:x:129:100::/home/user_users_grouprw_no:/bin/falseuser_users_grouprw_ro:x:130:100::/home/user_users_grouprw_ro:/bin/falseuser_users_grouprw_rw:x:131:100::/home/user_users_grouprw_rw:/bin/falseuser_grouprw_no:x:132:105::/home/user_grouprw_no:/bin/falseuser_grouprw_ro:x:133:105::/home/user_grouprw_ro:/bin/falseuser_grouprw_rw:x:134:105::/home/user_grouprw_rw:/bin/false/etc/group:users:x:100:groupno:x:102:user_users_groupno_no,user_users_groupno_ro,user_users_groupno_rwgroupro:x:103:user_users_groupro_no,user_users_groupro_ro,user_users_groupro_rwgrouprw:x:105:user_users_grouprw_no,user_users_grouprw_ro,user_users_grouprw_rwConfigured share permissions (excluding group "users"):(no) means that no checkbox is ticked(user): (permission set on share)Everyone: (no)users: (defined in different situations below)user_users_no: (no)user_users_ro: read/onlyuser_users_rw: read/writeuser_users_groupno_no: (no)user_users_groupno_ro: read/onlyuser_users_groupno_rw: read/writeuser_groupno_no: (no)user_groupno_ro: read/onlyuser_groupno_rw: read/writeuser_users_groupro_no: (no)user_users_groupro_ro: read/onlyuser_users_groupro_rw: read/writeuser_groupro_no: (no)user_groupro_ro: read/onlyuser_groupro_rw: read/writeuser_users_grouprw_no: (no)user_users_grouprw_ro: read/onlyuser_users_grouprw_rw: read/writeuser_grouprw_no: (no)user_grouprw_ro: read/onlyuser_grouprw_rw: read/writeTest Script (on separate Linux machine):#!/bin/bashfor a_user in \ user_noexist \ user_users_no user_users_ro user_users_rw \ user_users_groupno_no user_users_groupno_ro user_users_groupno_rw \ user_groupno_no user_groupno_ro user_groupno_rw \ user_users_groupro_no user_users_groupro_ro user_users_groupro_rw \ user_groupro_no user_groupro_ro user_groupro_rw \ user_users_grouprw_no user_users_grouprw_ro user_users_grouprw_rw \ user_grouprw_no user_grouprw_ro user_grouprw_rw \; do echo -n "User: ${a_user} -> " echo -n "Mount: " if (mount //testnas/share /mnt -o user=${a_user},password=password &> /dev/null); then echo -n "yes" echo -n ", Read: " if (ls /mnt &> /dev/null); then echo -n "yes" else echo -n "no" fi echo -n ", Write: " if (touch /mnt/file.empty 2> /dev/null); then echo -n "yes" else echo -n "no" fi umount /mnt &> /dev/null else echo -n "no" fi echo "" sleep 1done---------------------------Situation 1) group "users" has read/writeSamba permission on the test share:[share] path = /data/share comment = "" admin users = "+admin","Administrator" read list = "user_groupno_ro","user_groupro_ro","user_grouprw_ro","user_users_groupno_ro","user_users_groupro_ro","user_users_grouprw_ro","user_users_ro","@groupro" write list = "user_groupno_rw","user_groupro_rw","user_grouprw_rw","user_users_groupno_rw","user_users_groupro_rw","user_users_grouprw_rw","user_users_rw","@grouprw","@users","+admin","Administrator" valid users = "user_groupno_ro","user_groupno_rw","user_groupro_ro","user_groupro_rw","user_grouprw_ro","user_grouprw_rw","user_users_groupno_ro","user_users_groupno_rw","user_users_groupro_ro","user_users_groupro_rw","user_users_grouprw_ro","user_users_grouprw_rw","user_users_ro","user_users_rw","@groupro","@grouprw","@users","+admin","Administrator"Script output:User: user_noexist -> Mount: noUser: user_users_no -> Mount: yes, Read: yes, Write: yesUser: user_users_ro -> Mount: yes, Read: yes, Write: yesUser: user_users_rw -> Mount: yes, Read: yes, Write: yesUser: user_users_groupno_no -> Mount: yes, Read: yes, Write: yesUser: user_users_groupno_ro -> Mount: yes, Read: yes, Write: yesUser: user_users_groupno_rw -> Mount: yes, Read: yes, Write: yesUser: user_groupno_no -> Mount: yes, Read: yes, Write: yesUser: user_groupno_ro -> Mount: yes, Read: yes, Write: yesUser: user_groupno_rw -> Mount: yes, Read: yes, Write: yesUser: user_users_groupro_no -> Mount: yes, Read: yes, Write: yesUser: user_users_groupro_ro -> Mount: yes, Read: yes, Write: yesUser: user_users_groupro_rw -> Mount: yes, Read: yes, Write: yesUser: user_groupro_no -> Mount: yes, Read: yes, Write: yesUser: user_groupro_ro -> Mount: yes, Read: yes, Write: yesUser: user_groupro_rw -> Mount: yes, Read: yes, Write: yesUser: user_users_grouprw_no -> Mount: yes, Read: yes, Write: yesUser: user_users_grouprw_ro -> Mount: yes, Read: yes, Write: yesUser: user_users_grouprw_rw -> Mount: yes, Read: yes, Write: yesUser: user_grouprw_no -> Mount: yes, Read: yes, Write: yesUser: user_grouprw_ro -> Mount: yes, Read: yes, Write: yesUser: user_grouprw_rw -> Mount: yes, Read: yes, Write: yesConfigured vs effective share permissions (based on above results):(user): (permission set on share) -> (actual result) [expectation if different]Everyone: (no) -> no accessusers: read/write -> n/auser_users_no: (no) -> read/writeuser_users_ro: read/only -> read/write [expected read/only]user_users_rw: read/write -> read/writeuser_users_groupno_no: (no) -> read/writeuser_users_groupno_ro: read/only -> read/write [expected read/only]user_users_groupno_rw: read/write -> read/writeuser_groupno_no: (no) -> read/write [expected no access]user_groupno_ro: read/only -> read/write [expected read/only]user_groupno_rw: read/write -> read/writeuser_users_groupro_no: (no) -> read/writeuser_users_groupro_ro: read/only -> read/write [expected read/only]user_users_groupro_rw: read/write -> read/writeuser_groupro_no: (no) -> read/write [expected read/only]user_groupro_ro: read/only -> read/write [expected read/only]user_groupro_rw: read/write -> read/writeuser_users_grouprw_no: (no) -> read/writeuser_users_grouprw_ro: read/only -> read/write [expected read/only]user_users_grouprw_rw: read/write -> read/writeuser_grouprw_no: (no) -> read/writeuser_grouprw_ro: read/only -> read/write [expected read/only]user_grouprw_rw: read/write -> read/write---------------------------Situation 2) group "users" has read/onlySamba permission on the test share:[share] path = /data/share comment = "" admin users = "+admin","Administrator" read list = "user_groupno_ro","user_groupro_ro","user_grouprw_ro","user_users_groupno_ro","user_users_groupro_ro","user_users_grouprw_ro","user_users_ro","@groupro","@users" write list = "user_groupno_rw","user_groupro_rw","user_grouprw_rw","user_users_groupno_rw","user_users_groupro_rw","user_users_grouprw_rw","user_users_rw","@grouprw","+admin","Administrator" valid users = "user_groupno_ro","user_groupno_rw","user_groupro_ro","user_groupro_rw","user_grouprw_ro","user_grouprw_rw","user_users_groupno_ro","user_users_groupno_rw","user_users_groupro_ro","user_users_groupro_rw","user_users_grouprw_ro","user_users_grouprw_rw","user_users_ro","user_users_rw","@groupro","@grouprw","@users","+admin","Administrator"Script output:User: user_noexist -> Mount: noUser: user_users_no -> Mount: yes, Read: yes, Write: noUser: user_users_ro -> Mount: yes, Read: yes, Write: noUser: user_users_rw -> Mount: yes, Read: yes, Write: yesUser: user_users_groupno_no -> Mount: yes, Read: yes, Write: noUser: user_users_groupno_ro -> Mount: yes, Read: yes, Write: noUser: user_users_groupno_rw -> Mount: yes, Read: yes, Write: yesUser: user_groupno_no -> Mount: yes, Read: yes, Write: noUser: user_groupno_ro -> Mount: yes, Read: yes, Write: noUser: user_groupno_rw -> Mount: yes, Read: yes, Write: yesUser: user_users_groupro_no -> Mount: yes, Read: yes, Write: noUser: user_users_groupro_ro -> Mount: yes, Read: yes, Write: noUser: user_users_groupro_rw -> Mount: yes, Read: yes, Write: yesUser: user_groupro_no -> Mount: yes, Read: yes, Write: noUser: user_groupro_ro -> Mount: yes, Read: yes, Write: noUser: user_groupro_rw -> Mount: yes, Read: yes, Write: yesUser: user_users_grouprw_no -> Mount: yes, Read: yes, Write: yesUser: user_users_grouprw_ro -> Mount: yes, Read: yes, Write: yesUser: user_users_grouprw_rw -> Mount: yes, Read: yes, Write: yesUser: user_grouprw_no -> Mount: yes, Read: yes, Write: yesUser: user_grouprw_ro -> Mount: yes, Read: yes, Write: yesUser: user_grouprw_rw -> Mount: yes, Read: yes, Write: yesConfigured vs effective share permissions (based on above results):(user): (permission set on share) -> (actual result) [expectation if different]Everyone: (no) -> no accessusers: read/write -> n/auser_users_no: (no) -> read/onlyuser_users_ro: read/only -> read/onlyuser_users_rw: read/write -> read/writeuser_users_groupno_no: (no) -> read/onlyuser_users_groupno_ro: read/only -> read/onlyuser_users_groupno_rw: read/write -> read/writeuser_groupno_no: (no) -> read/only [expected no access]user_groupno_ro: read/only -> read/onlyuser_groupno_rw: read/write -> read/writeuser_users_groupro_no: (no) -> read/onlyuser_users_groupro_ro: read/only -> read/onlyuser_users_groupro_rw: read/write -> read/writeuser_groupro_no: (no) -> read/onlyuser_groupro_ro: read/only -> read/onlyuser_groupro_rw: read/write -> read/writeuser_users_grouprw_no: (no) -> read/writeuser_users_grouprw_ro: read/only -> read/write [expected read/only]user_users_grouprw_rw: read/write -> read/writeuser_grouprw_no: (no) -> read/writeuser_grouprw_ro: read/only -> read/write [expected read/only]user_grouprw_rw: read/write -> read/write---------------------------Situation 3) group "users" has (no) specified permissionsSamba permission on the test share:[share] path = /data/share comment = "" admin users = "+admin","Administrator" read list = "user_groupno_ro","user_groupro_ro","user_grouprw_ro","user_users_groupno_ro","user_users_groupro_ro","user_users_grouprw_ro","user_users_ro","@groupro" write list = "user_groupno_rw","user_groupro_rw","user_grouprw_rw","user_users_groupno_rw","user_users_groupro_rw","user_users_grouprw_rw","user_users_rw","@grouprw","+admin","Administrator" valid users = "user_groupno_ro","user_groupno_rw","user_groupro_ro","user_groupro_rw","user_grouprw_ro","user_grouprw_rw","user_users_groupno_ro","user_users_groupno_rw","user_users_groupro_ro","user_users_groupro_rw","user_users_grouprw_ro","user_users_grouprw_rw","user_users_ro","user_users_rw","@groupro","@grouprw","+admin","Administrator"Script output:User: user_noexist -> Mount: noUser: user_users_no -> Mount: noUser: user_users_ro -> Mount: yes, Read: yes, Write: noUser: user_users_rw -> Mount: yes, Read: yes, Write: yesUser: user_users_groupno_no -> Mount: noUser: user_users_groupno_ro -> Mount: yes, Read: yes, Write: noUser: user_users_groupno_rw -> Mount: yes, Read: yes, Write: yesUser: user_groupno_no -> Mount: noUser: user_groupno_ro -> Mount: yes, Read: yes, Write: noUser: user_groupno_rw -> Mount: yes, Read: yes, Write: yesUser: user_users_groupro_no -> Mount: noUser: user_users_groupro_ro -> Mount: yes, Read: yes, Write: noUser: user_users_groupro_rw -> Mount: yes, Read: yes, Write: yesUser: user_groupro_no -> Mount: noUser: user_groupro_ro -> Mount: yes, Read: yes, Write: noUser: user_groupro_rw -> Mount: yes, Read: yes, Write: yesUser: user_users_grouprw_no -> Mount: yes, Read: yes, Write: yesUser: user_users_grouprw_ro -> Mount: yes, Read: yes, Write: yesUser: user_users_grouprw_rw -> Mount: yes, Read: yes, Write: yesUser: user_grouprw_no -> Mount: yes, Read: yes, Write: yesUser: user_grouprw_ro -> Mount: yes, Read: yes, Write: yesUser: user_grouprw_rw -> Mount: yes, Read: yes, Write: yesConfigured vs effective share permissions (based on above results):(user): (permission set on share) -> (actual result) [expectation if different]Everyone: (no) -> no accessusers: read/write -> n/auser_users_no: (no) -> no accessuser_users_ro: read/only -> read/onlyuser_users_rw: read/write -> read/writeuser_users_groupno_no: (no) -> no accessuser_users_groupno_ro: read/only -> read/onlyuser_users_groupno_rw: read/write -> read/writeuser_groupno_no: (no) -> no accessuser_groupno_ro: read/only -> read/onlyuser_groupno_rw: read/write -> read/writeuser_users_groupro_no: (no) -> no access [expected read/only]user_users_groupro_ro: read/only -> read/onlyuser_users_groupro_rw: read/write -> read/writeuser_groupro_no: (no) -> no access [expected read/only]user_groupro_ro: read/only -> read/onlyuser_groupro_rw: read/write -> read/writeuser_users_grouprw_no: (no) -> read/writeuser_users_grouprw_ro: read/only -> read/write [expected read/only]user_users_grouprw_rw: read/write -> read/writeuser_grouprw_no: (no) -> read/writeuser_grouprw_ro: read/only -> read/write [expected read/only]user_grouprw_rw: read/write -> read/write

FWIW, I did forward a link to this thread to a Netgear developer for comment. I'll send a reminder if I don't hear back. It would be a useful thing if someone tried various settings, and posted the ACL and permissions that result in the file system. That can be done by any commmunity member who has SSH access enabled on their OS6 NAS. That might also help focus this discussion into what specifically might need to be changed.

User and group broken permissions

63 Replies

Replies have been turned off for this discussion

omicron_persei8
Luminary
Jul 01, 2016
Ok. So a user without specific permission should inherit permission from group. And a user with a specific permission should overrule inherited permission from group. This is what I expected when I did the testing.
So I don't understand which of my "effective vs expected permissions" you disagree with...
- chopin70
  Virtuoso
  Jul 01, 2016
  Where I disagree is what I wrote in the first line of my answer above
  And yes, if nothing is checked, as it is by default, it should mean no access at all. So we cannot for now, make it inherit by default from group.
omicron_persei8
Luminary
Jul 01, 2016
The first line of your previous reply says: "read/only user member of a read/write group gets read/write access: should never occur as user privileges should be considered before group. This is something like escalating permissions"
Which is exactly what I have in "expected permission", so I still don't understand which one of my expected permission you disahree with...
- chopin70
  Virtuoso
  Jul 05, 2016
  Can we have an official statement if these broken permissions will be fixed ?
  - StephenB
    Guru - Experienced User
    Jul 05, 2016
    chopin70 wrote:
    
    Can we have an official statement if these broken permissions will be fixed ?
    
    Seems rather unlikely, since no one from Netgear has even posted to this thread.
omicron_persei8
Luminary
Jul 05, 2016
Can you bullet point which ones of my expectations you disagree with?
I'm interested to know this.

You should contact NETGEAR support.
- chopin70
  Virtuoso
  Jul 05, 2016
  then should we assume every one is happy with broken permissions, or maybe no one really using 6.5.x ?
  
  How should I contact support so that they look at the issue ?
omicron_persei8
Luminary
Jul 06, 2016
For me, as long as you haven't clarified exactly which expected vs effective permission listed before you disagree with, I can't move forward. (If you do so, please the exact lines)

To contact NETGEAR Support, use your my.netgear.com account, under My Support or something like that. If you mention that you believe this is a security issue, I doubt they'll talk about support entitlement...
- StephenB
  Guru - Experienced User
  Jul 06, 2016
  FWIW, I did forward a link to this thread to a Netgear developer for comment. I'll send a reminder if I don't hear back.
  
  It would be a useful thing if someone tried various settings, and posted the ACL and permissions that result in the file system. That can be done by any commmunity member who has SSH access enabled on their OS6 NAS.
  
  That might also help focus this discussion into what specifically might need to be changed.
  - chopin70
    Virtuoso
    Jul 06, 2016
    StephenB wrote:
    FWIW, I did forward a link to this thread to a Netgear developer for comment. I'll send a reminder if I don't hear back.
    
    It would be a useful thing if someone tried various settings, and posted the ACL and permissions that result in the file system. That can be done by any commmunity member who has SSH access enabled on their OS6 NAS.
    
    That might also help focus this discussion into what specifically might need to be changed.
    
    Thank you StephenB
    Can you detail the needed commands that I should run in SSH for a debugging ?
    I already posted the output of specific "id -a" commands in SSH
    
    Since we are at leat 3 people in the forum to reproduce the issue, it could be a generalized issue. Again, it clearly appeared somewhere between 6.4 and 6.5.1, maybe the 6.5.x as I recall 6.4.x builds were fine when I first migrated to OS 6 and setup my groups and permissions
TheKurgan
Aspirant
Jul 13, 2016
I have seen similar behavior where group permissions do NOT work the way they are supposed to...I only use AFP if that helps.
TheKurgan
Aspirant
Jul 14, 2016
Why doesn't Netgear provide a 6.5.1 ReadyNas 516 VMWare image. It would be easy enough to configure these and "document" that failure and even give them back the VMWare images to see for themselves. Doing this "testing" on my actual 516 isn't convienent and is somewhat dangerous.
- Skywalker
  NETGEAR Expert
  Jul 14, 2016
  http://apps.readynas.com/pages/?page_id=143
  
  It's currently 6.5.0, but if you need 6.5.1 you can just update the same way as you would a physical box.

Forum Discussion

User and group broken permissions

63 Replies

Related Content

App broken?

apt.readynas.com - Broken repo?

RBRE960 anywhere access broken

Create two logical groups using Flex-RAID

Orbi RBK852 4.6.3.16 broken (Solved)

NETGEAR Academy

ProSupport for Business