cmatsinger
Jan 08, 2019 Aspirant
NooB share permissions help
- Jan 08, 2019
cmatsinger wrote:
I'm a novice with Linux file permissions setting up a new 626x and I don't want to screw this up. I've read a number of topics and searched a bunch but I think I'm missing some fundamental things that I cannot clarify. I'm setting up several shares using SMB only with local users (no AD) that I'd like the following permissions for.
Archive - Admin users RW, regular Users read only
Tech - Admin RW, regular Users no access
I'd also like to not allow for ANY guest/anonymous access to any of these (not even seeing the shares are available)
Questions (let's start with Archive share)
Under Network Access, by default, Everyone group has RW. Because I want Users to have Read Only, should I uncheck Everyone and set Users group to Read Only?
The Allow Anonymous Access box is checked. Does unchecking this remove Guest access?
Yes to both. So uncheck anonymous, uncheck everyone, and set the user group to read-only.
cmatsinger wrote:
For File Access, default owner/group is Guest. Should I change this to Admin? Root? ...
You can leave this just as it is. Network access alone will accomplish what you want, and generally speaking it is easier to administer. Note that users can change the file permissions from Windows (right-clicking on a file), but they can't change the network permissions.
The effective access rights in Windows are the intersection of network and file permissions. So if the network permission is read-only, then write access will be denied, no matter what the file permissions are.
StephenB
Jan 08, 2019 Guru - Experienced User
cmatsinger wrote:
Also I should have probably mentioned that all users are on Mac, so permissions settings look a lot different than what you posted.
Not sure what you mean by "look different than what I posted", since I didn't post anything about how they look in Windows. Though I did point out that Windows users (and Mac users) can change file permissions.
cmatsinger wrote:
I want a folder within /Archive that only Admin can access (Users have No Access.)
The simplest way is to set up a separate share for that folder and use network permissions as defined above. I get that you'd rather not do it that way, but it is the simplest and most secure.
The other way is for you to go into Archive on your Mac, and then set the file permissions from the Mac (not the NAS) to block access to the users group. I'm not a Mac user, so I don't know how you'd do that. You can't do this from the NAS Web UI, because that doesn't let you set file permissions for a specific file or folder.
The reason why a separate share is better: Anyone who can write to the parent folder can change the subfolder permissions from their PC back so that the users group can access it. This could be intentional, or it could be inadvertent (user error). There's no way you'd even know that was done unless you go and look. Network permissions can only be changed from the web ui, so it is easier to control.
I guess in your specific case, these folks might have the admin password for the web UI anyway, but generally speaking it's much harder to keep the file permissions set the way you want them.
cmatsinger
Jan 08, 2019 Aspirant
Thanks again for the clarity. I guess a separate share it is then.
Sorry about my comment related to you posting windows permissions - I have read about 100 posts on this and saw that elsewhere.
Thanks again for your help!
- StephenB Jan 08, 2019 Guru - Experienced User
I'm glad I could help.
BTW, the users group will see the share where they have no access, but they shouldn't be able to navigate into it.
One thing to add - this can be tricky to get right, so it's important to test the access rights after you make these changes. So create a couple of use cases - log in as user, try to create, delete, rename a file (and a folder) in a share that is restricted; repeat this after logging in as an admin, ...
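The access test described in the last reply can be scripted. The following is an added example, not part of any post in this thread: it attempts list, create, rename and delete for a file and a folder inside a mounted share and reports every operation whose outcome differs from what is expected. The profile names (`rw`, `ro`, `none`), the probe file names and the `/Volumes/Archive` mount path are assumptions made for this example.

```python
import os, sys, uuid

OPS = ["list", "create_file", "rename_file", "delete_file",
       "create_dir", "rename_dir", "delete_dir"]
# Expected outcome per access level (profile names are this example's own).
PROFILES = {
    "rw":   {op: True for op in OPS},
    "ro":   {op: op == "list" for op in OPS},
    "none": {op: False for op in OPS},
}

def probe_access(share_path):
    """Attempt each operation inside share_path; True means it was allowed."""
    tag = os.path.join(share_path, "acl-probe-" + uuid.uuid4().hex[:8])
    f1, f2, d1, d2 = tag + ".txt", tag + "-moved.txt", tag + ".d", tag + "-moved.d"
    steps = [
        ("list", lambda: os.listdir(share_path)),
        ("create_file", lambda: open(f1, "x").close()),
        ("rename_file", lambda: os.rename(f1, f2)),
        ("delete_file", lambda: os.remove(f2)),
        ("create_dir", lambda: os.mkdir(d1)),
        ("rename_dir", lambda: os.rename(d1, d2)),
        ("delete_dir", lambda: os.rmdir(d2)),
    ]
    results = {}
    for name, action in steps:
        try:
            action()
            results[name] = True
        except OSError:
            # Denied, or a prerequisite step (e.g. create) was denied first.
            results[name] = False
    # Best-effort cleanup of anything a partly permitted run left behind.
    for path, remove in ((f1, os.remove), (f2, os.remove),
                         (d1, os.rmdir), (d2, os.rmdir)):
        try:
            remove(path)
        except OSError:
            pass
    return results

def mismatches(share_path, profile):
    """Return the operations whose outcome differs from the expected profile."""
    actual = probe_access(share_path)
    return sorted(op for op in OPS if actual[op] != PROFILES[profile][op])

if __name__ == "__main__":
    # Assumed usage: python probe.py /Volumes/Archive ro   (run once per login)
    bad = mismatches(sys.argv[1], sys.argv[2])
    print("OK" if not bad else "UNEXPECTED: " + ", ".join(bad))
    sys.exit(1 if bad else 0)
```

Because the probe only renames and deletes items it created itself, a read-only login does not exercise rename or delete of files that already exist; check those by hand against a file an admin placed in the share.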