Re: RN214 File creation using Windows 10 SMB

BarkingSpider
Aspirant

RN214 File creation using Windows 10 SMB

Greetings.  I have an RN214.  After upgrading to OS6.9.5 I'm seeing the group "users" being added to all files being created as the default group, with permissions of rwxrwx---+.  For example, the user "TEC" is in a group called "TECH".  When I drag-n-drop a file (on OS6.9.4 +Hotfix) it created the file with "TEC" as the owner and group "TECH" with permission bits of rw-rw----+.  Now, with OS6.9.5, it's creating with "TEC" as the owner (correct) but the group is "USERS" with permissions of rwxrwx---+.  Doing a getfacl on the file shows group "TECH" and "USERS", plus ADMIN; all with rwx.  I have looked at all the ACLs of the directory structure and there is NO "USERS" group on any of them, nor is this user connected to this group.  Is this an OS6.9.5 bug or do I have something set wrong?  This was not an issue prior to OS6.9.5.

cj.

Model: RN214|4 BAY Desktop ReadyNAS Storage
Message 1 of 24
Retired_Member
Not applicable

Re: RN214 File creation using Windows 10 SMB

Hi @BarkingSpider, in case your nas was fine before and you are not depending on any of the bugfixes introduced by 6.9.5 (see the release notes here https://kb.netgear.com/000060500/ReadyNAS-OS-6-Software-Version-6-9-5), I would do the following:

a) Download the logs now to later give one of the netgear mods/analysts the opportunity to have a closer look at those, in case they want to investigate.

b) Manually downgrade to 6.9.4HF1 and wait until your issue has been declared as solved. Here is the link to that release https://community.netgear.com/t5/ReadyNAS-Announcements-Stories/ReadyNAS-OS-6-9-4-Hotfix-1-now-avail...

Kind regards

Message 2 of 24
BarkingSpider
Aspirant

Re: RN214 File creation using Windows 10 SMB

I created a new user (zoro) that is connected to one group called "ostech".  I then created a new share and made that user and group the only access.  Here is the output from getfacl for the share and the file I created by using Win10 drag-n-drop.

root@WW:/data/ztest# getfacl /data/ztest/
# file: data/ztest/
# owner: ww
# group: ostech
user::rwx
user:admin:rwx
user:zoro:rwx
group::rwx
group:admin:rwx
group:ostech:rwx
mask::rwx
other::---
default:user::rwx
default:user:admin:rwx
default:user:zoro:rwx
default:group::rwx
default:group:admin:rwx
default:group:ostech:rwx
default:mask::rwx
default:other::---

root@WW:/data/ztest# getfacl zoro.txt
# file: zoro.txt
# owner: zoro
# group: users
user::rwx
user:admin:rwx
user:zoro:rwx
group::rwx
group:admin:rwx
group:users:rwx
group:ostech:rwx
mask::rwx
other::---

Even Windows 10 security shows Allow users (WW\users) Full control, and what's interesting is that under "inherited from" it shows \\WW\ztest\

So how did "users" get added to the ACL's ??

Message 3 of 24
StephenB
Guru

Re: RN214 File creation using Windows 10 SMB

@BarkingSpider wrote:

So how did "users" get added to the ACL's ??

"users" is Netgear's built-in group, so it's possible it is baked into the ReadyNAS ACL.

Does this do harm?

Message 4 of 24
BarkingSpider
Aspirant

Re: RN214 File creation using Windows 10 SMB

Does this do harm?  Well, not sure.  As I see it, if all files are being tagged with "users" as a group, then would that allow any user access to all files?  So if I have a file that I own but share with a NON-"users" group, then fine, but if "users" is being put on too, then that is a problem, since the permission bits are set to rwx and would give any user full control of the files.

I also have a ReadyNAS 104 with the same OS (6.9.5) and this problem does not appear to happen on that device.

Message 5 of 24
Retired_Member
Not applicable

Re: RN214 File creation using Windows 10 SMB

@BarkingSpider wrote: "As I see it, if all files are being tagged with "users" as a group, then would that allow any user access to all files?"

No, only those users which are members of "users". You could check who is a member of "users" by using Admin page / Accounts / Groups and checking the properties of "users". Anybody not in there would not have access, though.

Message 6 of 24
StephenB
Guru

Re: RN214 File creation using Windows 10 SMB

@Retired_Member wrote:

No, only those users which are members of "users".

Correct.  "Users" is a built-in group on the ReadyNAS.  If you have no ReadyNAS accounts that are in the "Users" group, then that ACL shouldn't matter.

Message 7 of 24
BarkingSpider
Aspirant

Re: RN214 File creation using Windows 10 SMB

It does matter.  So I have usera assigned to groupa and userb assigned to groupb.  The share has rwx for groupa and groupb on the "Files Access" tab.

When each user creates a file in that share, the "users" group is assigned to each file.  This allows usera to delete userb files.  If your only group is groupa, then the files should be created with user/group "a".  This to me is not good.  There may be cases where you can use a single share, have users create files, but not be able to view/delete other users' files.  Or am I doing my settings wrong and/or mixed up?

Testing on the ReadyNAS 104 does not have this issue; usera with groupa creates a file with usera/groupa.

Message 8 of 24
StephenB
Guru

Re: RN214 File creation using Windows 10 SMB

@BarkingSpider wrote:

When each user creates a file in that share, the "users" group is assigned to each file.  This allows usera to delete userb files.

It shouldn't because usera is not in the users group.

Message 9 of 24
BarkingSpider
Aspirant

Re: RN214 File creation using Windows 10 SMB

I created a file from Win10A called czerr.txt. User czerr is connected to group ostech, NOT USERS.   I then created a file on Win10B called mb795b.txt. This user is connected to group melvins and NOT to 'users'.
So why do they have "users" assigned on the files? I would assume that permissions should be inherited from the top level.  I can confirm that either user can delete the other's file(s).
root@WW/data/ztest# ls -l
total 0
-rwxrwx---+ 1 czerr users 0 Feb 8 14:29 czerr.txt
-rwxrwx---+ 1 mb795b users 0 Feb 8 14:29 mb795b.txt

The ACL for share ztest:
getfacl: Removing leading '/' from absolute path names
# file: data/ztest
# owner: ww
# group: superman
user::rwx
user:admin:rwx
group::rwx
group:admin:rwx
group:melvins:rwx
group:ostech:rwx
mask::rwx
other::---
default:user::rwx
default:user:admin:rwx
default:group::rwx
default:group:admin:rwx
default:group:melvins:rwx
default:group:ostech:rwx
default:mask::rwx
default:other::---
I see no "users" in the above.

The getfacl from mb795b.txt
root@WW:/data/ztest# getfacl /data/ztest/mb795b.txt
getfacl: Removing leading '/' from absolute path names
# file: data/ztest/mb795b.txt
# owner: mb795b
# group: users
user::rwx
user:admin:rwx
user:mb795b:rwx
group::rwx
group:admin:rwx
group:users:rwx
group:melvins:rwx
group:ostech:rwx
mask::rwx
other::---

root@WW:/data/ztest# getfacl /data/ztest/czerr.txt
getfacl: Removing leading '/' from absolute path names
# file: data/ztest/czerr.txt
# owner: czerr
# group: users
user::rwx
user:admin:rwx
user:czerr:rwx
group::rwx
group:admin:rwx
group:users:rwx
group:melvins:rwx
group:ostech:rwx
mask::rwx
other::---

So how did "users" get assigned to these files? The ReadyNAS 104 does not do this. What am I missing?

Message 10 of 24
Sandshark
Sensei

Re: RN214 File creation using Windows 10 SMB

If both users or groups have read/write access to the share, then both users will be able to delete each other's files in that share regardless of what group owns them.  Have you tried putting files in a share where one user has read/write access and the other read-only?

What group do you have listed as the folder owner?

Message 11 of 24
BarkingSpider
Aspirant

Re: RN214 File creation using Windows 10 SMB

So I have a user, mb795b, assigned a group "melvins (GID 510)".  I re-created the share (ztest) and assigned user mb795b r/w in the SMB tab.  Under the File Access tab, the folder owner and folder group are both set to Admin. On the Security tab I checked R/W for Folder Owner, Folder Group, Admin, and mb795b.  I also checked group "users" as R/O (Read Only).  I left the Default access tab alone. The ACL for /data/ztest is:

root@WW:/data/ztest# getfacl /data/ztest/
# file: data/ztest/
# owner: admin
# group: admin
user::rwx
user:admin:rwx
user:mb795b:rwx
group::rwx
group:admin:rwx
group:users:r-x
mask::rwx
other::---
default:user::rwx
default:user:admin:rwx
default:user:mb795b:rwx
default:group::rwx
default:group:admin:rwx
default:group:users:r-x
default:mask::rwx
default:other::---

You can see group "users" set as r-x.

So I created a file in that share:

root@WW:/data/ztest# ls -l
total 0
-rwxrwx---+ 1 mb795b users 0 Feb 8 19:34 mb795b.txt

and the ACL:

root@WW:/data/ztest# getfacl mb795b.txt
# file: mb795b.txt
# owner: mb795b
# group: users    
user::rwx
user:admin:rwx
user:mb795b:rwx
group::rwx
group:admin:rwx
group:users:rwx
mask::rwx
other::---

Why does group "users" have rwx?  And why is "users" even in there since the user mb795b has no connection to group users?

Message 12 of 24
Sandshark
Sensei

Re: RN214 File creation using Windows 10 SMB

I can't say, because my 312 does not act the same way. And you are sure you've removed user mb795b from the "users" group?  I don't know why you'd assign ownership of a share to "admin", but I did something similar to what you did just to see what happens.

I created "user1", with primary membership in "group1" and no other memberships, and "user2" in "group2".  I created shares "share1" and "share2" with owner group and user "admin".  Group1 has read-write privileges in share1 and read-only in share2.   Vice versa for share2.  If user1 creates a file in share1, the ownership is "user1 group1" (his user name and primary group).  Likewise user2 files in share2 have ownership "user2 group2".  Each user can read, but not overwrite or delete, the other's files in their assigned folder.  All just the way it's supposed to work.

But, my other question is why do you care?  Yes, at the basic Linux level (only accessible if you give the users SSH access), it seems that an unintended group may have access.  But it's not just a Linux machine, it's a NAS.  Do the protocols enabled for the users provide the protection that you are looking for?  If not, perhaps you are looking for protection the NAS is not intended to provide.  The NAS provides share-level access control, not individual file-level protection within a share.

Message 13 of 24
Retired_Member
Not applicable

Re: RN214 File creation using Windows 10 SMB

@Sandshark wrote: "The NAS provides share-level access control, not individual file-level protection within a share."

That is what @BarkingSpider is wrestling with, and where of course OS6 will not meet his expectations.

I recall that good old Novell NetWare was capable of supporting file-level protection when I was administering it in the 90s of the last century.

Would anybody know whether any vendor of state-of-the-art NAS supports that concept in their firmware?

Message 14 of 24
Sandshark
Sensei

Re: RN214 File creation using Windows 10 SMB

If all access is via Windows, the file owner can use the Windows security options (right-click, Properties, Security tab) to set file-specific access.  But if any other protocol is being used, there is no guarantee it will be enforced (in fact, I think it typically will not).  But it's not automatic, so you have to remember to do it for every file/folder.

Message 15 of 24
schumaku
Guru

Re: RN214 File creation using Windows 10 SMB

@Retired_Member wrote:

Would anybody know whether any vendor of state-of-the-art NAS supports that concept in their firmware?

Any vendor which is using Windows Server on the storage system will allow all bells and whistles possible on NTFS and ReFS potentially required by ... Windows. Anybody else implements subsets only. Or you are going to operate just block-based storage on the NAS, and run a fully fledged Windows Server to provide the network access.

Message 16 of 24
StephenB
Guru

Re: RN214 File creation using Windows 10 SMB

If the ReadyNAS allowed you to also share a subfolder of a main share, then @BarkingSpider could simply do that (setting different network access for the subfolder).  But it doesn't support that feature.

In my opinion simply moving the subfolder to its own primary share is a reasonable workaround, and is the best available option.  Softlinks or perhaps Windows shortcuts can be used to preserve access to the subfolder from the main share.

Managing it with file access controls is possible, but IMO there is too much risk that the outside person will either end up with access to files he's not supposed to be able to access, and/or that the person won't be able to access new files that are placed in the folder.

Message 17 of 24
BarkingSpider
Aspirant

Re: RN214 File creation using Windows 10 SMB

So I separated out a user, and that user is connected to one group:

root@WormWood:/data/ztest# id zoro

uid=1030(zoro) gid=510(ostech) groups=510(ostech)

The user zoro creates a file from windows (right click to create new text document):

root@WormWood:/data/ztest# ls -l
total 0
-rwxrwx---+ 1 zoro users 0 Feb 11 15:13 zoro.txt

Why is the group "users" there and not the primary group "ostech"?

Windows 10 advanced security on the file

root@WormWood:/data/ztest# getfacl zoro.txt
# file: zoro.txt
# owner: zoro
# group: users
user::rwx
user:admin:rwx
user:zoro:rwx
group::rwx
group:admin:rwx
group:users:rwx
mask::rwx
other::---

root@WormWood:/data/ztest# getfacl /data/ztest/
# file: data/ztest/
# owner: admin
# group: admin
user::rwx
user:admin:rwx
user:zoro:rwx
group::rwx
group:admin:rwx
mask::rwx
other::---
default:user::rwx
default:user:admin:rwx
default:user:zoro:rwx
default:group::rwx
default:group:admin:rwx
default:mask::rwx
default:other::---

Message 18 of 24
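As an added example (not code from any poster here or from NETGEAR), the script below parses getfacl output like the two dumps in the post above, lists the named entries on zoro.txt that the share's default ACL does not grant, and resolves what an account would get from each ACL alone under the POSIX.1e evaluation order. The account "outsider" is a constructed one whose only group is "users"; the point it makes is that such an account would have rwx on the file itself but is still stopped at the share directory (and by the share-level SMB settings discussed in this thread).

```python
"""Audit a new file's POSIX ACL against its parent's default ACL (added example, not from the thread)."""
import re
# getfacl output for the share root and for zoro.txt, copied from the post above.
DIR_ACL = ("# owner: admin\n# group: admin\nuser::rwx\nuser:admin:rwx\nuser:zoro:rwx\n"
           "group::rwx\ngroup:admin:rwx\nmask::rwx\nother::---\n"
           "default:user::rwx\ndefault:user:admin:rwx\ndefault:user:zoro:rwx\n"
           "default:group::rwx\ndefault:group:admin:rwx\ndefault:mask::rwx\ndefault:other::---")
FILE_ACL = ("# owner: zoro\n# group: users\nuser::rwx\nuser:admin:rwx\nuser:zoro:rwx\n"
            "group::rwx\ngroup:admin:rwx\ngroup:users:rwx\nmask::rwx\nother::---")

def parse_getfacl(text: str) -> dict:
    """getfacl text -> {'owner', 'group', 'access': [(tag, qualifier, perms)], 'default': [...]}."""
    acl = {"owner": "", "group": "", "access": [], "default": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):
            continue                              # blank, or the "Removing leading '/'" notice
        if line.startswith("#"):                  # header line such as "# owner: zoro"
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m:
                acl[m.group(1)] = m.group(2)
            continue
        line = line.split("#", 1)[0].strip()      # drop a trailing "#effective:..." note
        key = "access"
        if line.startswith("default:"):
            key, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        acl[key].append((tag, qualifier, perms))
    return acl

def unexpected_entries(parent: dict, child: dict) -> list:
    """Named entries on the child that the parent's default ACL does not grant (absent or wider).
    POSIX.1e seeds a new file's ACL from that default ACL, so these came from the creating process."""
    allowed = {(t, q): set(p) - {"-"} for t, q, p in parent["default"] if q}
    return [(t, q, p) for t, q, p in child["access"]
            if q and not set(p) - {"-"} <= allowed.get((t, q), set())]

def effective_perms(acl: dict, user: str, groups: set) -> str:
    """What `user` (member of `groups`) gets from this access ACL alone, in POSIX.1e order:
    owner, named user, owning group plus named groups (all under the mask), then other."""
    ent = {(t, q): set(p) - {"-"} for t, q, p in acl["access"]}
    mask = ent.get(("mask", ""), set("rwx"))
    if user == acl["owner"]:
        got = ent[("user", "")]
    elif ("user", user) in ent:
        got = ent[("user", user)] & mask
    else:
        matched = acl["group"] in groups           # owning group counts like a named group
        got = set(ent[("group", "")]) if matched else set()
        for g in groups:
            if ("group", g) in ent:
                matched, got = True, got | ent[("group", g)]
        got = got & mask if matched else ent[("other", "")]
    return "".join(c if c in got else "-" for c in "rwx")

if __name__ == "__main__":
    share, new_file = parse_getfacl(DIR_ACL), parse_getfacl(FILE_ACL)
    print("not granted by the share's default ACL:", unexpected_entries(share, new_file))
    # "outsider" is a constructed account whose only group is "users".
    print("outsider: file", effective_perms(new_file, "outsider", {"users"}),
          "share", effective_perms(share, "outsider", {"users"}))
```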
StephenB
Guru

Re: RN214 File creation using Windows 10 SMB

How is the network access set in the share settings?

Message 19 of 24
BarkingSpider
Aspirant

Re: RN214 File creation using Windows 10 SMB

on the SMB tab, user zoro r/w, nothing else other than default admin, on the file access tab, same. Folder Owner & Folder group checked, only the one user r/w and the default admin, and the  Owner/Group is set to admin.

Message 20 of 24
StephenB
Guru

Re: RN214 File creation using Windows 10 SMB

@BarkingSpider wrote:

on the SMB tab, user zoro r/w, nothing else other than default admin, on the file access tab, same. Folder Owner & Folder group checked, only the one user r/w and the default admin, and the Owner/Group is set to admin.

Ok.  Can you try creating an account in the user group, and access the NAS shares using that user's credentials?  You shouldn't be able to access any files in the share.

Message 21 of 24
BarkingSpider
Aspirant

Re: RN214 File creation using Windows 10 SMB

You are correct. No other user can get access to this share since there is only ONE user in the share's ACL.  What I'm getting at is why the group "users" is there on the FILES that are being created and not their primary group.

Message 22 of 24
StephenB
Guru

Re: RN214 File creation using Windows 10 SMB

@BarkingSpider wrote:

What I'm getting at is why is the group "users" there on the FILES that are being created and not their primary group.

I do understand the question, but wanted to confirm that file access setting wasn't compromising your security.

I agree it is odd the file is showing the users group.

Message 23 of 24
schumaku
Guru

Re: RN214 File creation using Windows 10 SMB

@StephenB wrote:

@BarkingSpider wrote:

What I'm getting at is why is the group "users" there on the FILES that are being created and not their primary group.

I do understand the question, but wanted to confirm that file access setting wasn't compromising your security.

I agree it is odd the file is showing the users group.

This is probably the most discussed question on various NAS vendors' communities, be it QNAP, Synology, or ReadyNAS. The users group is a default group where all users are members - explicitly or, on most platforms, implicitly. Very similar to the "Authenticated Users" or "Domain Users" on an AD.

While QNAP and Synology don't offer it in the UI, ReadyNAS has the option to set a default or primary user group for the group. In my opinion, this does cause more confusion but added value. But then, there is - in my opinion - much more wrong with the file protections on ReadyNAS (6.10-Beta1 included) when it comes to folder and file access rights (as effectively in place on the NAS itself).

When creating a new shared folder, remove any default access (including the non-authenticated guest access) and only allow read+write to SMB for a group also named engineering; this is the shared folder root holding the data:

root@RN628X:~# getfacl /data/engineering
getfacl: Removing leading '/' from absolute path names
# file: data/engineering
# owner: guest
# group: guest
user::rwx
user:admin:rwx
user:guest:rwx
group::rwx
group:admin:rwx
group:guest:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:admin:rwx
default:user:guest:rwx
default:group::rwx
default:group:admin:rwx
default:group:guest:rwx
default:mask::rwx
default:other::rwx

Completely wrong - the ACLs of the shared folder root do NOT reflect ... anything set in the access rights.

root@RN628X:~# getfacl /data/engineering/test
getfacl: Removing leading '/' from absolute path names
# file: data/engineering/test
# owner: [my_real_username_here]
# group: users
user::rwx
user:admin:rwx
user:guest:rwx
user:[my_real_username_here]:rwx
group::rwx
group:admin:rwx
group:guest:rwx
group:users:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:admin:rwx
default:user:guest:rwx
default:user:[my_real_username_here]:rwx
default:group::rwx
default:group:admin:rwx
default:group:guest:rwx
default:group:users:rwx
default:mask::rwx
default:other::rwx

root@RN628X:~# getfacl /data/engineering/test2/Neues\ Textdokument.txt
getfacl: Removing leading '/' from absolute path names
# file: data/engineering/test2/Neues Textdokument.txt
# owner: [my_real_username_here]
# group: users
user::rwx
user:admin:rwx
user:guest:rwx
user:[my_real_username_here]:rwx
group::rwx
group:admin:rwx
group:guest:rwx
group:users:rwx
mask::rwx
other::rwx

Of course, we can go and adjust - to some extent - the File Access for the shared folder:

(screenshot: engineering shared folder, owner adjusted, ACL way off)

Still, there are several more than strange file access items remaining, including the ReadyCloud cloud user(s):

(screenshot: engineering shared folder, unremovable defaults, cloud access)

Granted, this does not break the access to the shared folder using the (only!) defined access by SMB - but it's simply wrong from the audit perspective. Reported this many times already during the ReadyNAS OS 6 Beta - still, file and folder ownership as well as ACLs do not properly reflect the effectively intended access rights.

And you complain "just" about the default users group? That's just the tip of the iceberg.

In my opinion, this is wrong bottom up and does prohibit any serious (IT audited) business use of ReadyNAS.

Wanted to add some tags mentioning some key people like @OOM-9, and wonder what they reply here.

Message 24 of 24