Restrict access to one share

Status
Not open for further replies.

Avro

Dabbler
Joined
Mar 14, 2015
Messages
11
Hi;

Running 9.3 as a home NAS. I have multiple 'shares' that correspond to mapped network drives on my PC. In the house, I also have two LANs, one for the important stuff, one for guests and other things I don't fully trust. Both are managed through a separate gateway machine.

I recently purchased an Android TV box and have it connected to the guest LAN. I'd like to give it access to my media files (music, etc.) on the FreeNAS server, but without having the TV box connected through the private LAN. So, I configured the second NIC on the FreeNAS server and plugged it into the guest LAN. I also created a user account for the Android device.

So far so good. I can use a File Explorer app on the TV box to access the music and video files.

The trouble is that when I logged in, it (Android) could also access some of the other shares on the NAS. This is specifically what I don't want. In attempts to lock things down, I went through each share on FreeNAS and restricted the entire guest LAN sub-net (192.168.x.x/24), except the media share, in which I specifically allowed the IP of the Android box.

Still working, and although I (...it) can 'see' the other shares - they show up as folders on the screen in the explorer app - the box can't access them.

Is there a simpler way? Can I not just create a 'user' that has read-only access to just one folder, and no access to (not even viewing) anything else? As it stands now, the Android box CAN delete files.

Thanks in advance!
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
Is there a simpler way? Can I not just create a 'user' that has read-only access to just one folder, and no access to (not even viewing) anything else? As it stands now, the Android box CAN delete files.
Sure, that would work fine. Is the "MediaShare" (if that is what it is called) a true Share or just a Folder?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
The best way to stop the android box from being able to delete files is to create a separate user for it, then fine-tune your permissions through File Explorer on a Windows computer (navigate to '\\hostname', right-click on share, click on properties then security) so that the android box's user has read-only access.

As far as making the actual shares invisible to unauthenticated users, you will have to enable and configure access-based enumeration on your samba shares. If you think hosts allow is complicated, then this may be a bit too much. :) Basically, you need to add the share-level auxiliary parameter 'access based share enum = yes', then use the sharesec command-line tool to define NT ACLs for your shares. You'll need to figure out the Security Identifiers (SIDs) for your users / groups before using sharesec. The easiest way to figure these out is to type "net usersidlist" (for users) and "net groupmap list" (for groups). The output of 'net usersidlist' will include several well-known SIDs (don't bother with these) as well as the actual user's SID (which will be the top one). You will need to remove the default NT ACL "S-1-1-0:ALLOWED/0x0/FULL" which corresponds to "everyone - full control", then add ACLs for your users / groups. Once this is all set up correctly, then your shares will only appear if they appear in the share's NT ACL (note that this is not the same as an NTFS ACL).
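
A check for the procedure described in the reply above, as an added example that is not part of the original post: it reads share-level NT ACL text and reports, per share, whether the default `S-1-1-0` ACE is still present and whether a given SID has its own entry. The SIDs, the `[share]` header layout of the sample, and the function names `sample_dump` and `audit_share_acls` are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit share-level NT ACLs (the ones sharesec edits, not
# filesystem ACLs) to see which shares a given SID would still be shown.
EVERYONE_SID="S-1-1-0"   # default "everyone - full control" ACE from the post
# Constructed SID standing in for the Android box's user.
ANDROID_SID="S-1-5-21-1111111111-2222222222-3333333333-1005"

# Constructed sample. Assumed layout: a [share] header, then
# ACL:<sid>:<type>/<flags>/<mask> lines in the form quoted in the post.
sample_dump() {
cat <<'EOF'
[media]
ACL:S-1-5-21-1111111111-2222222222-3333333333-1001:ALLOWED/0x0/FULL
ACL:S-1-5-21-1111111111-2222222222-3333333333-1005:ALLOWED/0x0/READ
[backups]
ACL:S-1-5-21-1111111111-2222222222-3333333333-1001:ALLOWED/0x0/FULL
[documents]
ACL:S-1-1-0:ALLOWED/0x0/FULL
EOF
}

# audit_share_acls SID: reads a dump on stdin, prints "<share> <status>":
#   OPEN    default Everyone ACE still present, share is listed to anyone
#   VISIBLE Everyone ACE removed, SID has its own ALLOWED ACE
#   HIDDEN  no ALLOWED ACE names this SID (group ACEs are not resolved)
audit_share_acls() {
    awk -v sid="$1" -v everyone="$EVERYONE_SID" '
        function report() {
            if (share == "") return
            if (world) print share, "OPEN"
            else if (named) print share, "VISIBLE"
            else print share, "HIDDEN"
        }
        /^\[.*\]$/ {
            report()
            share = substr($0, 2, length($0) - 2); world = 0; named = 0
            next
        }
        /^ACL:/ {
            split($0, f, ":")            # f[2] = SID, f[3] = type/flags/mask
            split(f[3], ace, "/")
            if (ace[1] != "ALLOWED") next
            if (f[2] == everyone) world = 1
            if (f[2] == sid) named = 1
        }
        END { report() }
    '
}

sample_dump | audit_share_acls "$ANDROID_SID"
```

Any share reported as OPEN still carries the default ACE and will be listed regardless of the per-user entries added to it.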
 

Avro

Dabbler
Joined
Mar 14, 2015
Messages
11
Thanks folks.

Mirfster - yes, 'media' is a true CIFS share.

I've been running this box now for almost three years, and until this point I've been the sole 'user'. I built it so that I could dispense with the variety of small/cheap NASs and USB drives that held my data backups. I haven't had to restrict access to anything more than the server as a whole until the Android box came along.

Rather than trying to remember to plug all the holes after the fact, I was just wondering if there's a better way to start off in the first place.

anodos - I appreciate the links in your signature line. Slow browsing is my next fix!
 