Permissions Problems - SFTP vs. CIFS

Status
Not open for further replies.

scottroberts6

Dabbler
Joined
Apr 26, 2013
Messages
11
Hello,

Running FreeNAS 8.3.0 Release, ZFS (Raid Z1) volume, 1 share (CIFS). I configured the share ("SERVER") per documentation for CIFS Anonymous/Guest access (guest:guest, 777 permissions, etc.) and all Windows clients have been having no problems at all.

Enter: SFTP.

One of our employees is working remotely now, so I did the following to set up SFTP access for him:
Create user:
  User ID: 1002
  Username: (removed)
  Primary Group ID: wheel
  Home Directory: /mnt/SERVER
  Shell: scponly
  Name/Email: (removed)
  Disable password login: [UNchecked]
  Lock user: [UNchecked]
  Home Directory Mode: All are [CHECKED], R/W/X for Owner/Group/Other
This user can log in via FileZilla all day long, download, upload, rename, etc (as we wanted him to be able to).

The problem: ANYTHING he uploads is set to "Read Only" for CIFS (Windows) clients, and they cannot change this permission or influence it in any way. The only remedy I've found is to go to the GUI and run "Change Permissions" and reset everything to guest:guest/777 for the whole drive recursively (a 20-minute process).

What can I do to fix this? I want there to be no difference between a file created/copied by a CIFS/Windows client and an SFTP user and no limitations for sharing/editing/deleting/etc.

Thank you for any insight you can provide!
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
[attached screenshot: Untitled.png]

Did you try playing with these settings?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
One solution is to use a VPN instead. Then he can use CIFS like everyone else and your FTP problem goes away. Your VPN will provide the necessary security to protect the data in-transit.
 

scottroberts6

Dabbler
Joined
Apr 26, 2013
Messages
11
I am using SFTP not FTP, so those settings would (should) have no impact on this issue, but thank you for the suggestion.

I think VPN may be a bit much for our needs, and I'm trying to keep the complexities to a minimum.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Well, I got nothing then. :(

I didn't think you'd like the idea of VPN. But I'm not sure how else you'd fix your issue easily. :(

You could create a script that runs on a cronjob schedule to change the permissions on the entire directory every so often. Once an hour or so. But it would be very much a stop-gap fix and while it would work there would always be a lag time from when he copies a file to the server and when everyone else would be able to access it.
 

scottroberts6

Dabbler
Joined
Apr 26, 2013
Messages
11
I'm most interested in finding the root cause of the issue so I can solve it for good, as this is a production system. Thank you for the suggestions though.

Mainly, I feel that there must be an issue of ownership - the user who is logging in and uploading files is not the same as the CIFS "guest" user (obviously) and belongs to an entirely different group (wheel). Is there a way, either through SSL/filesystem/user settings, or through FileZilla configuration, to influence the ownership/permissions of the uploaded/created files? If I could cause all uploaded files to be given guest:guest ownership/777 perms (by default and without user input) that would likely solve the problem.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
My guess is the sftp app is simply giving the files the same permissions that the app has. I'm not sure how(or if) you can change that, or if I'm even right.
 

scottroberts6

Dabbler
Joined
Apr 26, 2013
Messages
11
This issue continues to reappear and it is causing quite a few headaches for our users.

I am not sure how anyone else is solving the problem of remotely accessing files but I would really like to know if there is something else I can try (besides unsecured FTP or setting up VPNs).

Or is there some specific way I can configure SSH so that it requires the user to authenticate with username/password, but provides them the EXACT same credentials as CIFS?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Umm... CIFS authenticates with your applicable user information. SSH does the exact same thing. So they should be authenticating from the same credentials. Why do you think they don't?
 

scottroberts6

Dabbler
Joined
Apr 26, 2013
Messages
11
Because they are specifically setup to NOT do that...
CIFS is setup for anonymous user access. SFTP/SSH hopefully would never be configured as such.

My issue is trying to authenticate (i.e. limit) SSH/SFTP access with user accounts, while leaving CIFS open/anonymous. The SSH/SFTP seems to be overwriting the permissions for the entire volume. One moment it's owned by nobody/nogroup, 777; the SSH user logs in and copies some files over and all of a sudden the whole volume is owned by that user/group with very limited permissions (usually r/w for user, read only for group/other).

I *may* have solved the problem by setting the user's group to "nogroup" (same as the desired anonymous user/CIFS settings), contrary to the wiki's instructions to set the SFTP user's group to "wheel". We will see.
 

SmallGuy

Guru
Joined
Jun 7, 2013
Messages
560
Hello,
Several things on the fly:
- create a directory "SERVER" inside the dataset "SERVER"
- define your CIFS share on this directory (not on the dataset)
- manage your desired permissions on this directory (create a group with nobody + your sftp user and chown nobody:group, for example; be imaginative...)
- chroot the sftp user at the dataset level (home directory for the sftp user)

Have a look at the 9.1.1 documentation, which defines an sftp group the sftp user has to belong to. You will also find the correct owner/group and the permissions to apply on the dataset, and options (Match Group sftp...).

Good luck.
 