How to edit CIFS permissions from the CLI


anodos (Sambassador, iXsystems; joined Mar 6, 2014; 9,554 messages)
Note: the following applies to FreeNAS 9.X.

I'm testing various ways of managing ACLs without using Windows "File Explorer". This is mainly for the benefit of users who don't have a Windows computer available to initially set up CIFS permissions. As I test, I will update this post accordingly.

At this point, I believe the best way to manage ACLs on samba shares (apart from Windows File Explorer) is "smbcacls". smbcacls is a pretty good CLI equivalent of the security tab in explorer, and it appears for the most part to set ACLs that Windows likes. It operates through SMB as opposed to setfacl (which has to be run locally on the UNIX system). The commands can therefore also be used to configure ACLs on a real Windows server.

smbcacls

At present, smbcacls lacks the ability to recursively set permissions through a file tree. If you don't have a Windows PC available to configure permissions when setting up your CIFS shares, you can use smbcacls to add the required access control entries prior to copying data.

Add an Access Control Entry with "Full Control"
Code:
smbcacls //<ip-address>/<share name> / -U <user name> --add ACL:<user>:<type>/<flags>/<permissions>
smbcacls //192.168.24.42/TestShare / -U root --add ACL:TestUser:ALLOWED/3/FULL

The above command will add an ACE for the user "TestUser", grant full control and apply to the existing folder and all subdirectories.

"Flags" pertain to inheritance. "3" is probably what you want here. The value can be represented in either hex or decimal; not all values between 0 and 15 are valid.

Valid values for "permissions" include "READ", "CHANGE", "FULL".

View Existing Access Control Entries
Code:
smbcacls //<ip-address>/<share name> / -U <user name>
smbcacls //192.168.24.42/TestShare / -U root


View Existing Access Control Entries in Numeric (SID) Format
Code:
smbcacls //<ip-address>/<share name> / -U <user name> --numeric

smbcacls //192.168.24.42/TestShare / -U root --numeric


You can view the manpage for smbcacls here: https://www.samba.org/samba/docs/man/manpages/smbcacls.1.html

At present it appears that smbcacls does not have a "recursive" switch. This limits its usefulness. For the past few years Noel Power has been working on adding inheritance propagation to smbcacls. I believe this contains the latest work on it. See discussion here: http://marc.info/?l=samba&m=138675848923962&w=2
and here: http://marc.info/?l=samba-technical&m=138376145406579&w=2

I believe there are scaling issues (performance isn't great) when resetting permissions on tons of files. In these situations, it's probably best to use a Windows client (unless you feel like compiling Noel Power's version of smbcacls with the built in http://cgit.freedesktop.org/~noelp/noelp-samba/log/?h=smbcacls_review#4).
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
winacl
Winacl is a command line program that may be invoked when users make permissions changes in the FreeNAS webgui (like 'set default permissions'). It works quickly (probably significantly faster than executing 'find -exec setfacl'). It also can set permissions recursively. It must be invoked through the command line of the FreeNAS server (typically through an SSH session), as opposed to smbcacls, which operates through SMB. Depending on the size of the dataset, it may take a while to complete, so using tmux is a good idea if doing this to a large dataset. I have only been able to figure out the syntax for resetting permissions.

-O <User>
-G <Group>
-a Perform an action. Options are "append", "update", "remove", "reset"
-r Recursive
-p Path
-v Verbose
-f Restrict to files
-d Restrict to directories
-x Remove DOSATTRIB EA. By default samba will store DOS attributes (system | archive | readonly | hidden) as EAs. This will nuke them.

Example:
Code:
winacl -O <User> -G <Group> -a reset -r -p <path>
winacl -O root -G wheel -a reset -r -p /mnt/Tank/TestShare

This resets permissions; it is the CLI equivalent of clicking "apply default permissions" in the FreeNAS webgui.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
setfacl

Setfacl can be performed recursively by running:
Code:
find /path/to/directory -exec setfacl <options> {} \;

for example:

Code:
find /mnt/DonkeyFarts/Shared -exec setfacl -x everyone@:::allow {} \;

Remove the everyone@ ACE on a share.

Code:
find /mnt/DonkeyFarts/Shared -type d -exec setfacl -m g:peopleilike:full_set:fd:allow {} \;

Grant "peopleilike" full control on a share.
 

Cheejyg (Dabbler; joined Dec 11, 2016; 31 messages)
anodos said:
[the winacl post above, quoted in full]
Is it possible to simulate the "Enable inheritance" button in Windows with winacl or smbcacls?
 

Cheejyg

Dabbler
Joined
Dec 11, 2016
Messages
31
Recursively change permissions on existing files/folders? Nope.
Well you can recursively change permissions on existing files/folders with
Code:
find /mnt/pool/ -exec winacl -a update -O newUser -G newGroup -p {} \;
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Cheejyg said:
Well you can recursively change permissions on existing files/folders with
Code:
find /mnt/pool/ -exec winacl -a update -O newUser -G newGroup -p {} \;

Winacl has a -r switch. No need for find. I don't believe it generates new nontrivial ACLs. It just manipulates the owner@ and group@ aces (at least the last time I looked at it).

I believe this will change in FN10, which I believe will introduce an acl editor (I may be wrong about this).
 

Cheejyg

Dabbler
Joined
Dec 11, 2016
Messages
31
anodos said:
Winacl has a -r switch. No need for find. I don't believe it generates new nontrivial ACLs. It just manipulates the owner@ and group@ aces (at least the last time I looked at it).

I believe this will change in FN10, which I believe will introduce an acl editor (I may be wrong about this).
Oh, I needed to use find because SMB permissions are not inherited properly if files are moved from an external folder.

E.g. transmission downloads a file to ./Downloads (transmission R/W, ownCloud R/W),
ownCloud moves the file from ./Downloads to ./Videos (Everyone R, owncloud R/W, plex R/W),
the file would be owned by transmission and have (transmission R/W, ownCloud R/W),
instead of the permissions (Everyone R, owncloud R/W, plex R/W) it should inherit from ./Videos,
which makes it such that Everyone and plex cannot read the file.

So I needed to
Code:
find ./Videos -user transmission -exec winacl -a append -O plex -p {} \;
as I didn't want it to recursively mess up the other permissions for other files/folders.

But thanks anyway!

EDIT: It's only a temporary solution to allow Everyone and plex to access the file downloaded by transmission as winacl gives Full permission to the user it's adding/appending. I would be using Windows to set proper permissions again when I get access to the server.
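As an added example (not code from any post in this thread or from Samba), here is a Python script that parses the text output of the smbcacls "view" commands in the first post and reports which inheritable entries a file is missing: the situation Cheejyg describes when a file moved from ./Downloads into ./Videos keeps its old ACL instead of inheriting. The share, file and user names and the sample ACL listings are constructed; flags are accepted numerically (the first post's "3") or in Samba's symbolic OI|CI form.

```python
import re

# Inheritance flag bits as smbcacls prints/accepts them; 3 = OI|CI (the first post's directory flags).
FLAG_BITS = {"OI": 0x1, "CI": 0x2, "NP": 0x4, "IO": 0x8, "I": 0x10}
ACE_RE = re.compile(r"^ACL:([^:]+):(ALLOWED|DENIED)/([^/]+)/(.+)$")

def parse_flags(text):
    """'3', '0x3' and 'OI|CI' all mean object- and container-inherit."""
    if text[:1].isdigit():
        return int(text, 16) if text[:2].lower() == "0x" else int(text)
    return sum(FLAG_BITS[f] for f in text.split("|") if f)

def parse_acl(output):
    """[(who, type, flags_int, mask), ...] from smbcacls text output; the
    REVISION/CONTROL/OWNER/GROUP lines are skipped."""
    aces = []
    for line in output.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            who, typ, flags, mask = m.groups()
            aces.append((who, typ, parse_flags(flags), mask))
    return aces

def missing_inherited(parent_output, child_output, child_is_dir=False):
    """Parent ACEs that should have propagated to the child but are absent.
    A file inherits the OI entries, a subdirectory the CI entries; a file
    moved in from another directory keeps its old ACL and shows up here."""
    want = FLAG_BITS["CI"] if child_is_dir else FLAG_BITS["OI"]
    have = {(w, t, m) for w, t, _, m in parse_acl(child_output)}
    return [(w, t, m) for w, t, f, m in parse_acl(parent_output)
            if f & want and (w, t, m) not in have]

def repair_commands(unc, path, admin, missing):
    """smbcacls --add lines, in the first post's syntax, that put the
    missing entries onto a file (flags 0: a file ACE inherits nothing)."""
    return [f"smbcacls {unc} {path} -U {admin} --add ACL:{w}:{t}/0/{m}"
            for w, t, m in missing]

# Constructed sample output modelled on the Downloads -> Videos move in the thread; not from a real server.
VIDEOS_ACL = """REVISION:1
CONTROL:SR|DP
OWNER:owncloud
ACL:Everyone:ALLOWED/OI|CI/READ
ACL:owncloud:ALLOWED/OI|CI/FULL
ACL:plex:ALLOWED/3/FULL
"""
MOVED_FILE_ACL = """ACL:transmission:ALLOWED/0x0/FULL
ACL:owncloud:ALLOWED/0/FULL
"""
```

Compare two listings taken in the same mode: with --numeric the principal is printed as a SID (S-1-1-0 rather than Everyone), and the match here is on the printed text.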
 