Dataset/Share Permissions - Dummies Guide - still can't get it right

gwaitsi

Patron
Joined
May 18, 2020
Messages
243
Still struggling to understand how to get my shares/dataset permissions correct.

- I have a dataset "working" which should be fully accessible to myself only (not viewable by anyone else) and accessed via SMB on both Linux and Windows clients
- I have a subdirectory "user1_backup" that I want to share as read-only to a single user, i.e. user1
- ACLs show as NFSv4

Storage
- I create a dataset "working" with owner/group = me:me
- I set strip ACLs and set to default NFS4_RESTRICTED
- that shows me two ACLs
1) owner@me FULL
2) group@me Modify
Shares
- I create a share "nas_working" which shows same permissions as storage above and owner/group me:me

Windows: me can map "working" - write dirs/files - correct (but Windows permissions show as Special, not Full)
Linux: me can map "working" - write dirs/files - correct (but owner shows as me:root)
Windows: user1 can map "working" but cannot access - correct

- I create a share "user1_backup" to subdirectory of "working" dataset
- I set strip ACLs and set to default NFS4_RESTRICTED
- that shows me two ACLs
1) owner@me FULL
2) group@me Modify
- I add user user1 with full permissions and apply recursively (warns no execute on "working")
- I add user1 with Traverse to the "working" share
- I add user user1 with full permissions and apply recursively

Windows: me can map "user1_backup" - write dirs/files - correct (but Windows permissions show as Special, not Full)
Linux: me can map "working" - write dirs/files - correct (but owner shows as me:root)
Windows: user1 can map "user1_backup" but cannot access - incorrect.

What am I doing wrong?
Why do the Windows permissions show as Special rather than the correct ones?
Why does the Linux user show the group as root and not as me?
 

indivision

Guru
Joined
Jan 4, 2013
Messages
806
I'm pretty sure user1 is not working because they do not have Execute permissions on "working" as the warning says.
 

gwaitsi

Patron
Joined
May 18, 2020
Messages
243
> I'm pretty sure user1 is not working because they do not have Execute permissions on "working" as the warning says.

So, you are right.
- On the "working" dataset, I add user1
- I need to use Advanced, as Basic - Traverse doesn't seem to work.
- I set "Read Named Attributes", "Execute", "Read Attributes", "Read ACL", "sync" and apply recursively. Can't read "working" or "user1_backup".
- I set "Read Data" on "working" and apply recursively; user1 can read on both the "working" share and "user1_backup"
- I unset "Read Data" on "working" (not recursively); I cannot view "working" but can view "user1_backup"

In summary,
which of these do I need?
"Read Named Attributes", "Execute", "Read Attributes", "Read ACL", "sync"
 

indivision

Guru
Joined
Jan 4, 2013
Messages
806
My apologies, I don't really follow what's going on with this list of notes.

I didn't use ACL in my configuration. But, I discovered long ago that if a parent directory didn't pass on execute privileges, a user or group would not be able to fully access sub-directories under that parent.

It was kind of frustrating because I really didn't want to give any perms on the parent directory. But, I've learned to live with it. :)
 

gwaitsi

Patron
Joined
May 18, 2020
Messages
243
> My apologies, I don't really follow what's going on with this list of notes.
>
> I didn't use ACL in my configuration. But, I discovered long ago that if a parent directory didn't pass on execute privileges, a user or group would not be able to fully access sub-directories under that parent.
>
> It was kind of frustrating because I really didn't want to give any perms on the parent directory. But, I've learned to live with it. :)

I got it working with your tips, thanks. It just needs "Execute" and no other rights.
Bit frustrated that it does not appear to be Windows compatible,
i.e. via Windows, the rights show as Special rather than the actual settings they should be. But it works.
thx
 

indivision

Guru
Joined
Jan 4, 2013
Messages
806
The Windows settings don't match 1:1 for me either. I don't have a technical explanation. But, it hasn't been much of a problem since I always have access to the server where I can manage the perms directly.

It seems like that would only become a more important issue if you were splitting shares among many users who needed to directly manage permissions themselves.
 
Joined
Oct 22, 2019
Messages
3,641
The people who originally designed permissions for NTFS were devil-worshipping sadists. True story.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> So, you are right.
> - On the "working" dataset, I add user1
> - I need to use Advanced, as Basic - Traverse doesn't seem to work.
> - I set "Read Named Attributes", "Execute", "Read Attributes", "Read ACL", "sync" and apply recursively. Can't read "working" or "user1_backup".
> - I set "Read Data" on "working" and apply recursively; user1 can read on both the "working" share and "user1_backup"
> - I unset "Read Data" on "working" (not recursively); I cannot view "working" but can view "user1_backup"
>
> In summary,
> which of these do I need?
> "Read Named Attributes", "Execute", "Read Attributes", "Read ACL", "sync"
TRAVERSE is sufficient to access directly (it's execute | read attributes | read extended attributes | read ACL). If you want to click through a path in File Manager you'll need READ permissions.
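The traverse rule described in this thread, as an added example that is not part of the original posts or of TrueNAS itself: a small simulator of NFSv4-style ACL evaluation with the TRAVERSE bits defined as above, a per-directory execute check on every path component, and a constructed "working"/"user1_backup" tree showing why user1 was denied until "working" granted TRAVERSE, and why TRAVERSE alone still does not let user1 list "working". The tree, user names and ACEs are constructed sample data.

```python
from dataclasses import dataclass, field

# NFSv4 ACE bits (subset), named as in the TrueNAS ACL editor
READ_DATA, EXECUTE, READ_ATTRIBUTES = 1 << 0, 1 << 1, 1 << 2
READ_NAMED_ATTRS, READ_ACL, WRITE_DATA = 1 << 3, 1 << 4, 1 << 5
# TRAVERSE as anodos describes it: execute | read attrs | read named attrs | read ACL
TRAVERSE = EXECUTE | READ_ATTRIBUTES | READ_NAMED_ATTRS | READ_ACL
FULL = TRAVERSE | READ_DATA | WRITE_DATA

@dataclass
class ACE:
    who: str            # "owner@", "everyone@" or a named user
    perms: int
    allow: bool = True

@dataclass
class Node:
    owner: str
    acl: list
    children: dict = field(default_factory=dict)

def granted(node, user, want):
    """First-match-wins NFSv4 check: a matching deny ACE on a still-wanted bit refuses; allow ACEs satisfy bits."""
    remaining = want
    for ace in node.acl:
        if ace.who not in (user, "everyone@") and not (ace.who == "owner@" and node.owner == user):
            continue
        if not ace.allow and ace.perms & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.perms
            if remaining == 0:
                return True
    return False

def can_access(root, user, path, want):
    """Every directory on the way needs EXECUTE (the traverse check the warning is about); only the target needs `want`."""
    node, parts = root, path.split("/")
    for name in parts[:-1]:
        node = node.children[name]
        if not granted(node, user, EXECUTE):
            return False
    return granted(node.children[parts[-1]], user, want)

def build_tree(user1_traverse_on_working):
    """Constructed sample: dataset 'working' owned by me, subdirectory 'user1_backup' read-only for user1."""
    working_acl = [ACE("owner@", FULL)] + ([ACE("user1", TRAVERSE)] if user1_traverse_on_working else [])
    report = Node("me", [ACE("owner@", FULL), ACE("user1", READ_DATA)])
    backup = Node("me", [ACE("owner@", FULL), ACE("user1", TRAVERSE | READ_DATA)], {"report.txt": report})
    return Node("root", [], {"working": Node("me", working_acl, {"user1_backup": backup})})
```

Without the TRAVERSE ACE on "working", `can_access(build_tree(False), "user1", "working/user1_backup/report.txt", READ_DATA)` is False; with it the open succeeds, while READ_DATA on "working" itself stays denied, matching what the thread observed.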
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> I didn't use ACL in my configuration. But, I discovered long ago that if a parent directory didn't pass on execute privileges, a user or group would not be able to fully access sub-directories under that parent.
>
> It was kind of frustrating because I really didn't want to give any perms on the parent directory. But, I've learned to live with it. :)

Right, that's how permissions work on Unix-like operating systems. Same is the case for macOS, for what it is worth. Windows has a non-default security setting (for users) to enforce traverse checks (bypass-traverse-checking).
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
It's also important to note that SMB clients can change permissions (this is basically true of any file sharing protocol). If you want more Windows-like behavior (and more consistency in how permissions are managed) then you should set the ZFS dataset's aclmode to RESTRICTED (this is default if you create the dataset with the SMB preset).
 