We have a need to be able to write to a folder on the NAS but to to be able to access it again from the same computer (or any computer except the admin account). Is there a way to able to write to a folder and then lock the file down so that it cannot be changed? I believe that is called a drop folder. We have an analitical instrument that I need to save the original data to a file that cannot be accessed (changed) so that the the original data is secured from changes.
ReadyNAS does not have a built-in way to allow a user to create a file and then not be able to change it later. You could come close by creating a task that runs on the NAS or a computer on the network with an account that has special permissions that moves the file from where you dropped it and you have write permission to a location where normal users have only read permission. Just changing the file permissions usually isn't enough to prevent a user with write access to the folder from changing those permissions, though I've not tried it. It's enough to prevent unintentional changes, because it takes extra steps, but not deliberate ones.
I've not tried disabling admin's file permissions so that root would be the only one who could change or delete them. But if you know admin's password, you know root's, so I don't really see the point unless you routinely use admin credentials for file operations (which is a bad idea in an environment where you need what you are asking for).
Thanks, that's what I thought. I am just trying to come up with a workaround so we don't have to go out and buy a new $75,000 machine to replace one that is only 5 years old. The machine programming does not have a way not to name a file the same thing, and the manufacturer says that the new software wont work (designed not to IMO) with the old hardware. Sooo... If I set up a backup job and protect the folder that it is backed up to, that would sort of accomplish what I am after, correct? For a new question, is there a setting (I don't recal seeing one) to set up a backup on a file write/change?
I uderstand about the permissions. It has me going in circles trying to get some sort protection with our current set-up.
Sooo... If I set up a backup job and protect the folder that it is backed up to, that would sort of accomplish what I am after, correct?
I think this depends on your goal. For example, if this is linked to a legal requirement, then it might not. Another aspect is whether you are trying to protect the file(s) from modification, from deletion, or both.
But if your goal is simply to archive the file(s), then you can create a second share that is read-only, and use a backup job to back up the file(s) to that share. The NAS admin would still be able to modify or delete the file(s) - either through the admin web ui, or by mounting the entire data volume on a PC using the NAS admin credentials. Or through the use of SSH of course.
Another approach is to add a second device into the mix, and have that device back up the file(s) on a schedule. The NAS admin wouldn't need write access to that second device, so you'd have the ability to recover the originals if the copy on the RN212 was modified.
A lot also depends on whether you are worried about accidents or malice. It's a lot harder to protect against malice.
At my job, a user unintentionally dragged a critical folder into another, and backup jobs on all the test equipment started failing. There is no "are you sure" prompt for that, as there is with deletion, at least when the user has read/write privileges, so it's easy to do. Fortunately, I figured out what happened before we went through the process of restoring from backup or snapshot. A system like you want could have prevented that. I could have made the folder read-only to most users to help prevent it, since the data mostly comes from automated backups on the test equipment, but he had privileges in the parent folder and could have changed those permissions if he was doing that intentionally. I have to trust that everyone to whom I give rights to the share is not going to attack it with malice.
The goal here is to protect the original data from being overwritten/modified, or deleated. The FDA wants access to unaltered data from everything we run from now on. The more I think about it, the more I am convinced that I need to move files and rename them with a time stamp somehow and then lock them away into a folder only I can access (I am the only one with admin credentials). The software will overwrite the files if they are named the same and there is no warning from it that you are about to do so. The files are in a format I cannot open so I cannot change them. Just trying to show the feds that our data is secure without breaking the bank. Also, I am not really an IT guy, but I am the best we have around here (the last programming I have done was on a C64 in BASIC). This also just needs to happen without our lab techs thinking about it and be something I can maintain while I do my other jobs around here.
I have had both here but mostly people that just don't understand how a network works. Sometime I have to drag them kicking and screaming to get on board. They figure it out when they loose a whole hard drive of info I can't get back. Mostly, I have people that think they get to have access to the places they don't belong. Its been a process, but I think I can trust the people we have now that I have given access. Anymore it's no access until it is proven you need it.
I have a similar situation of having to have traceable data at work, though self-imposed by the company, not regulatory. I have implemented it on a PC using batch files with lots of find, if/then/else, and robocopy commands. In my case, the receiving share is on an entirely different server, but that's just because of available space on the local vs. a remote server. I suspect you could do much the same in Linux with a script that uses commands with similar capabilities and rsync. You could run that on the NAS as a cron job.
My source data is on the server by serial number folder, and that it is ready for archival is triggered by placing the folder in a drop folder of sorts. There is a short time frame when somebody could mess with it since the fastest script only runs hourly, but that could be reduced. The hourly task moves it to a holding folder not even visible to most users, and a daily one moves it to the other server and adds a date stamp. So the data for serial number 1234 gets moved to 1234_20210203 if moved today, Feb 3, 2021. You could add a time if you need more than one backup a day.
You may be better off doing it in Linux. One of my current problems (well, ultimately my employer's problem) is finding somebody without grey hair that understands Windows (expanded MS-DOS) batch language well enough to take over that job when I retire, just in case there is a change in the network or file naming that creates a need for a change. Anyone who uses Linux probably knows a lot of command line stuff, but few who use Windows really do. And giving it to another "grey hair" from the old MS-DOS days doesn't kick it down the road very far.
You may want to look into various coimmercial version control systems instead of trying to roll your own since yours is a regulatory requirement.
You may want to look into various commercial version control systems instead of trying to roll your own since yours is a regulatory requirement.
Yes, a version control system should have the features you need, but would also have a lot of other stuff that is useful for software development, but not needed for your use case.
A backup system that supports versioned backups would be another avenue that you might explore. This could potentially run on a PC that has the NAS share mapped to a drive letter - eliminating any need to install anything on linux. You could also reach out to egnyte, as they have a backup solution that can be installed on the NAS. This backs up to cloud storage. https://helpdesk.egnyte.com/hc/en-us/sections/200348244-Storage-Sync-for-NETGEAR
I appreciate everones input here. My main job around here is turning wrenches. Somehow all of the computers and networking was put on me to get going and maintain too. I don't mind (actually enjoy the challenge) but while I understand a little of writing scripts, it is above my paygrade to actually implement them. I know that it would probably be the best solution to customize to our needs, but I am not that guy. I am going to see what is out there for comercial software. Again thanks for the input and direction.
