
Re: Shares user and and group permissions

chopin70
Virtuoso

Shares user and and group permissions

 

Hi,

 

4 years after this thread...

https://community.netgear.com/t5/Using-your-ReadyNAS-in-Business/User-and-group-broken-permissions/t...

 

I am migrating to FreeNAS and turning the ReadyNAS into a backup NAS

I got the opportunity to test again the shares/permissions:

 

- created a share: enfants2

- a group: smb_enfants_ro

- a user: enfants

- Network access: smb_enfants_ro checked RO access, smb_admin group and admin user have RW access

- File access: same

- All others are unchecked, including user "enfants2" member of smb_enfants_ro group

 

https://ibb.co/HHtnfGC

https://ibb.co/0XNnBDr

 

Windows Advanced permissions are correctly applied for the group after above setup in GUI

However, notice smb_admin and ReadyNAS admins groups permissions were not properly set by the GUI (I configured both as RW for Network Access and File Permissions in GUI)

 

https://ibb.co/TRy2ZhB

 

Connection test fails:

net use o: \\NAS\enfants2 /user:enfants
# connection impossible

I edit Network Connection option to explicitly add the user enfants to RO access:

 

https://ibb.co/LZ8y7xH

 

Test user connection: works

net use o: \\NAS\enfants2 /user:enfants
# connection succeeds and share is mounted on drive o:

So, we still have to explicitly specify the SMB user access rights, because it is not inherited from the group using the GUI !

It is weird that this is not fixed while on other NAS brands the permissions are properly applied. I have many users/groups, and being able to apply the groups permissions without having to set user permissions individually is mandatory

 

The issue is that every user needing access has to be explicitly added to the SMB Network Access in GUI. Adding his group is not enough. Because of that, we are then obliged to configure the rights for each individual user in Windows, making the use of groups to quickly set permissions useless !

 

Again, at least on the FreeNAS and a colleague's Synology NAS, this is not the case and we only have to setup the groups permissions

 

Hope this gets fixed after so many years...

 

Best regards

 

 

Model: RN524X|ReadyNAS 524X – Premium Performance Data Storage - 4-Bay
Message 1 of 14
chopin70
Virtuoso

Re: Shares user and and group permissions

Looks like forum still corrupts images uploaded !

Here they are + edited in first post

https://ibb.co/LZ8y7xH
https://ibb.co/HHtnfGC
https://ibb.co/0XNnBDr
https://ibb.co/TRy2ZhB

 

 

Message 2 of 14
StephenB
Guru

Re: Shares user and and group permissions

Normally I recommend leaving the file permissions set to everyone access, and controlling access with network permissions alone.

 

When I tried that, it is working ok.

 

Network Access: [image: NetworkAccess.png]

File Access: [image: FileAccess.png]

Test: [image: testaccess.png]

I was unable to copy a file into the folder - confirming that enfants only had read access.

Message 3 of 14
chopin70
Virtuoso

Re: Shares user and and group permissions

Interesting

However, that is really a very bad fix you suggested

As per the doc, Network Permissions will apply Samba permissions.

However, File Permissions are related to the Unix system permissions

 

With your fix, if your user needs shell access, he will have r/w permissions everywhere. Worse, from my tests, it has even rmdir permission to directories he's not the owner, which is really weird

 

Here's the example:

member : group

teddy : read

tommy : readw

https://imgshare.io/image/groups.N0hLn9

 

Shares:

share name: office

https://imgshare.io/image/share.N0hG1F

 

Network permissions:

group read: has read access

group readw : has r/w access

https://imgshare.io/image/network.N0hQmO

 

File Permissions:

allow all

https://imgshare.io/image/files.N0hooQ

 

Give the users shell access, then SSH into the NAS

Here are the results of the simple shell commands creating / deleting folders

# login as teddy user (ro only access to office in SAMBA)
root@NAS-01:/# su - teddy

# teddy tries to create some files and dirs: surprise, it is possible !
teddy@NAS-01:~$ cd /medias1/office
teddy@NAS-01:/medias1/office$ touch teddy.file
teddy@NAS-01:/medias1/office$ mkdir teddy
teddy@NAS-01:/medias1/office$ touch teddy/file
teddy@NAS-01:/medias1/office$ exit
logout

# login as tommy (r/w access on office in SAMBA)
# and create some dirs/files
root@NAS-01:/home/admin# su - tommy
tommy@NAS-01:~$ cd /medias1/office
tommy@NAS-01:/medias1/office$ mkdir tommy
tommy@NAS-01:/medias1/office$ touch tommy.file
tommy@NAS-01:/medias1/office$ touch tommy/tommy.file

# we have now files and dirs owned by both teddy (ro) and tommy (rw)
tommy@NAS-01:/medias1/office$ ls -la
total 32
drwxrwxrwx+ 1 guest guest 80 Nov 14 14:22 .
drwxr-xr-x  1 root  root  76 Nov 14 14:15 ..
drwxrwxrwx+ 1 teddy read   8 Nov 14 14:21 teddy
-rw-rw-rw-+ 1 teddy read   0 Nov 14 14:21 teddy.file
drwxrwxrwx+ 1 tommy readw 20 Nov 14 14:22 tommy
-rw-rw-rw-+ 1 tommy readw  0 Nov 14 14:22 tommy.file
tommy@NAS-01:/medias1/office$ exit
logout

# teddy (ro) is back and deletes tommy's files and dirs
root@NAS-01:/home/admin# su - teddy
teddy@NAS-01:~$ cd /medias1/office
teddy@NAS-01:/medias1/office$ rm tommy.file
teddy@NAS-01:/medias1/office$ rm -rf tommy
teddy@NAS-01:/medias1/office$ ls -la
total 32
drwxrwxrwx+ 1 guest guest 50 Nov 14 14:22 .
drwxr-xr-x  1 root  root  76 Nov 14 14:15 ..
drwxrwxrwx+ 1 teddy read   8 Nov 14 14:21 teddy
-rw-rw-rw-+ 1 teddy read   0 Nov 14 14:21 teddy.file

 

It seems that the readyNAS doesn't properly apply ACLS permissions from within the GUI, if it even applies them at all. I did not try to apply the permissions from windows and check if they translate to ACLS in the shell and properly set the Unix permissions on access from shell. However, at the end, if it even works, it means we must setup all users file access from the gui, then from windows and that group only permissions will not apply if the user is not configured

 

Again, this is weird as it really works out of the box in other brands I tested while here, we don't know what kind of access is really done / applied.

Message 4 of 14
Sandshark
Sensei

Re: Shares user and and group permissions


@chopin70 wrote:

Interesting

However, that is really a very bad fix you suggested

 


I agree.  That is a good way for a home network, where SMB is typically the only protocol in use, so the admin doesn't get lost in the sea of both network and file permissions, but it is not suitable for a business environment.

Message 5 of 14
chopin70
Virtuoso

Re: Shares user and and group permissions

I edited first post with links to images as I cannot find a way to upload images without them getting corrupted

Yes, it is really not usable in this way

 

I gave it another trial to properly apply ACLS group permissions using windows

If I check the "read" and "readw" groups I created, in both Network and File permissions tabs, they do not propagate to windows and we cannot apply any permissions from there. Users must be checked individually

 

However, if I apply the ACLS permissions to teddy and tommy users from windows, they properly propagate to the shell session

So, it seems like the bugs are:

- GUI doesn't set any ACLS permissions and will break SMB access if Unix File permissions are not set

- The groups we enable from GUI File Permissions do not propagate to windows ACLS properly, sometimes yes, others no

- The only way to properly apply the ACLS is from windows and for each user

 

Notice that on FreeNAS ZFS system it was only fixed recently also, so maybe it is not something that easy.

But hey, it works also on Synology which uses BTRFS like Netgear. So must not be impossible to implement.

 

Should this be flagged again as a bug ?

Message 6 of 14
StephenB
Guru

Re: Shares user and and group permissions


@Sandshark wrote:

@chopin70 wrote:

Interesting

However, that is really a very bad fix you suggested

 


I agree.  That is a good way for a home network, where SMB is typically the only protocol in use, so the admin doesn't get lost in the sea of both network and file permissions, but it is not suitable for a business environment.


I do agree that using Network Access alone doesn't work if you give a user with restricted access to files the ability to log into the NAS with SSH. But in my opinion that is bad practice anyway - only admins should have SSH access to the NAS.  

 

I don't see what the other protocols have to do with it, since you need to set up network access for all of them properly anyway.  If you try to use file permissions alone, then anyone with write access to the folder can change the permissions - so they can elevate the permissions of others.  One way or another you need to set the network access for all protocols properly if you want to ensure that the restricted access sticks.  And in most cases (home or business) that is enough.

 

 

Message 7 of 14
chopin70
Virtuoso

Re: Shares user and and group permissions

It doesn't work that way.
We should be able to set group ACLS from windows once the group permissions are specified in GUI. Currently even this basic acls part is broken.
Once ACLS permissions are set at group level, they would properly apply to users and they will manage both smb AND unix accesses.

I have a sync_agent user to sync mobile phones to nas and an rsync user to accept pull requests for backups through ssh and not the insecure modules. So it needs a shell access with ssh cert and no pass. I also have a few users needing a shell access.

I properly secured a non root ssh access for the rsync user using sudo and a locked authorized_keys command pointing to a shell script.

In any case, the way acls are implemented is buggy. And the way you suggest leaves a hole if a user needs shell access. The NAS is not sold as "Home only", so no excuses to leave it unfinished by Netgear. Hope it gets fixed.

Any Netgear tech we can ping ?

Message 8 of 14
StephenB
Guru

Re: Shares user and and group permissions

FWIW, when I set file permissions so that the group smb_enfants_ro is read-only in the GUI, I also end up with read-only access for enfants2.  I did not set any permissions for enfants.  I confirmed first that with network access also set with the group having only read access - and then confirmed it again with network access giving everyone rw access.

 

The linux ACL for each file in the folder looks like this:

root@NAS:/data/enfants2# getfacl *
# file: FileAccess.png
# owner: admin
# group: admin
user::rwx
user:admin:rwx
user:guest:rwx
group::rwx
group:admin:rwx
group:guest:rwx
group:smb_enfants_ro:r-x
mask::rwx
other::---

This file was copied into the share from windows previously with admin credentials.

 

The linux ACL for the share itself looks like this:

root@NAS:/data/enfants2# getfacl .
# file: .
# owner: guest
# group: guest
user::rwx
user:admin:rwx
user:guest:rwx
group::rwx
group:admin:rwx
group:guest:rwx
group:smb_enfants_ro:r-x
mask::rwx
other::---
default:user::rwx
default:user:admin:rwx
default:user:guest:rwx
default:group::rwx
default:group:admin:rwx
default:group:guest:rwx
default:group:smb_enfants_ro:r-x
default:mask::rwx
default:other::---

The share is owned by guest/guest, and folder group and folder owner both are set to rw access.  

 

Note I did not attempt to apply file permissions from Windows - I set them for the share using the web ui.


@chopin70 wrote:

Any Netgear tech we can ping ?


You can loop in the mods - @JohnCM_S and @Marc_V 

Message 9 of 14
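
Added example (not part of any post in this thread): a small evaluator that parses `getfacl` output and applies the POSIX ACL access-check order from acl(5) to the share ACL posted above. The membership of `enfants` in `smb_enfants_ro` only is an assumption taken from the thread's setup description; the function names are hypothetical.

```python
# Added example: POSIX ACL access check (acl(5)) over getfacl text.
# Constructed input: the share ACL copied from the post above.
SHARE_ACL = """\
# file: .
# owner: guest
# group: guest
user::rwx
user:admin:rwx
user:guest:rwx
group::rwx
group:admin:rwx
group:guest:rwx
group:smb_enfants_ro:r-x
mask::rwx
other::---
default:group:smb_enfants_ro:r-x
"""

def parse_getfacl(text):
    """Return owner, owning group and access entries; default: entries are skipped."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, name, perms = line.split()[0].split(":")[:3]
            acl["entries"].append((tag, name, set(perms) - {"-"}))
    return acl

def check_access(acl, user, groups, want):
    """True if `user` (member of `groups`) is granted every permission in `want`."""
    want = set(want)
    entries = acl["entries"]
    mask = next((p for t, _, p in entries if t == "mask"), set("rwx"))
    if user == acl["owner"]:                      # 1. owner: user:: entry, mask not applied
        return want <= next((p for t, n, p in entries if t == "user" and not n), set())
    for t, n, p in entries:                       # 2. named user entry, limited by mask
        if t == "user" and n == user:
            return want <= (p & mask)
    matched = [p & mask for t, n, p in entries if t == "group"
               and ((not n and acl["group"] in groups) or n in groups)]
    if matched:                                   # 3. one group entry must grant it all;
        return any(want <= p for p in matched)    #    no fall-through to other::
    return want <= next((p for t, n, p in entries if t == "other"), set())  # 4. other
```

For this ACL a user matched only by `group:smb_enfants_ro` gets `r-x` on the directory. Removing a file needs `w` on the directory, which is consistent with the `Permission denied` result in the ssh test later in the thread.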
chopin70
Virtuoso

Re: Shares user and and group permissions

Weird,

In my case and above test, the File Permissions applied only at group level in the GUI did not propagate to the users in linux shell mode.

Furthermore, changing File Permissions in GUI did not propagate them to the ACLS. It is rather the "Network TAB" in my case that did propagate the ACLS permissions to Windows 10 ACLS.

 

As shown in my above screenshots, the user teddy still got r/w permissions and could delete tommy's owned folder at the root of the freshly created office share which is just amazing and should never happen as far as I know.

 

Anyway, maybe there is an inconsistent bug in GUI that causes this ?

My advice is to ensure all permissions are properly propagated to windows 10 ACLS. Once verified, to only apply them from windows 10 and to verify that they properly apply to the shell access, whether you are using it or not for security reasons.

 

 

 

Message 10 of 14
StephenB
Guru

Re: Shares user and and group permissions

It might be worth posting the linux ACL (which I am not seeing in your images).  The acl in my previous post was examined with network access set to everyone rw, and file permissions restricting access to the group to ro.  AFAICT that did propagate correctly.

 

Testing with ssh:

enfants@NAS:~$ cd /data/enfants2
enfants@NAS:/data/enfants2$ ls -al
total 100
drwxrwx---+ 1 guest guest    82 Nov 15 19:43 .
drwxr-xr-x  1 root  root    530 Nov 12 19:20 ..
-rwxrwx---+ 1 admin admin 36981 Nov 12 19:12 FileAccess.png
-rwxrwx---+ 1 admin admin 27040 Nov 12 19:11 NetworkAccess.png
enfants@NAS:/data/enfants2$ rm NetworkAccess.png
rm: remove write-protected regular file 'NetworkAccess.png'? y
rm: cannot remove 'NetworkAccess.png': Permission denied

 

Message 11 of 14
chopin70
Virtuoso

Re: Shares user and and group permissions

I will test later again with a new share

Meanwhile: can you hint me how to make the forum accept images like you did ? I tried png, jpg, resize image, make it public... it never works. That way my next post will be easier to look at

Message 12 of 14
StephenB
Guru

Re: Shares user and and group permissions


@chopin70 wrote:

Meanwhile: can you hint me how to make the forum accept images like you did ? 


Unfortunately I don't have a good suggestion there - I've seen several other posts recently where the images didn't come out consistently.  All I did was use the photos tool in the toolbar.

 

I have a couple of elevated privileges as a superuser, which might account for why mine rendered correctly.  Images often do need to be flagged for mod approval, but recently I've seen some that failed to render even though they were approved.  So I am thinking there was a recent change to the forum software, and there might be a bug.

Message 13 of 14
Sandshark
Sensei

Re: Shares user and and group permissions


@StephenB wrote:


Unfortunately I don't have a good suggestion there - I've seen several other posts recently where the images didn't come out consistently.  All I did was use the photos tool in the toolbar.

Up until very recently, I lost the Photos tool for many months, but now it's back.  I know some, including much newer users than I, have always had it.  So, maybe there are some who still don't or have not noticed they do now have it.

 

Message 14 of 14