Set Permission to allow users to share a common folder & have private personal folder

Status
Not open for further replies.

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
If you have 2 or more users that want to have private personal folders, but want to share a common folder that a certain 'group' of users have full common access to, this is a guide to start from.

Note: This guide is based on FreeNAS 8.01 beta4. The folders here are for example only; the '/mnt/storage' should be replaced with the name of your volume, which you can find by doing a 'df' from the command line on the FreeNAS system (using ssh to login). Look for the line that shows '/mnt/your-volume-name'.

DUE TO FORUM CONSTRAINTS YOU CAN NOW FIND THIS HOW-TO AT THE LINK BELOW:

General Permissions & Sharing folders between users

I'll still respond to questions here or there, but please read this entire thread before asking questions.







Attachments: permissions-1b.jpg, permissions-2b.jpg, permissions-4.jpg, permissions-5.jpg, permissions8.jpg

lashfay

Cadet
Joined
Sep 1, 2011
Messages
2
protosd, many thanks for your guide.

I have used this on my NAS. Just thought I would let others know, if you have followed this guide and tried to connect to a windows share (CIFS) and you get an error 'Contact your administrator' or similar when trying to connect - just reboot your PC. I thought I was going crazy, reinstalled FreeNAS 3 times trying to get this to work. All I needed was a quick reboot.

Dave.
 

gcooper

Guest
I'm going to add some more info here about permissions since so many people don't understand them. I'll be explaining them from the command line and later try and tie that back into using the GUI. First, here's a screen shot that I'll use as a reference.

permissions1.jpg


Let's start with the first 2 lines:

drwxr-xr-x 20 root wheel 512 Sep 23 19:36 ./
drwxr-xr-x 20 root wheel 512 Sep 23 19:36 ../

The first line with ./ is the directory/folder that you are currently set to & viewing files in.

The second line ../ is the parent directory, or the one that is above the current folder/contains the current folder.

The Owner of both is 'root' and the group is 'wheel'.
The group 'wheel' means that any USER that is a member of that group has the privileges of that group.

So above, any user belonging to 'wheel' only has 'read & execute' permissions.
This means they can list and read files.

Without the execute, a user would not be able to 'ls' (list) the files, or 'cd' to that folder.
With only 'read', a user could look at a file only if they knew the name of the file in that folder.

You can change the group that a FILE or DIRECTORY is a member of by doing:
'chgrp othergroup your-file' or with multiple files with 'chgrp othergroup *.jpg'

If you want to change the group for every file and directory in the current directory AND below it, you would do 'chgrp -R othergroup ./*'

ACEs/ACLs are really awesome, but make things a lot more complicated. It should be covered elsewhere, but if you want more refined permissions it should be done via ACEs/ACLs, as they can provide finer grained access for one or more users or groups.
 

TDPsGM

Explorer
Joined
Oct 27, 2011
Messages
71
Using the GUI is this where the 'Datasets' come into play?
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
Yes, datasets appear as subdirectories to your main volume, but datasets can have their own snapshots, mountpoints, permissions etc. They're great for compartmentalizing your data, and being able to have separate snapshots is nice because they're smaller and you can customize them to expire etc. separately.
 

TDPsGM

Explorer
Joined
Oct 27, 2011
Messages
71
Thanks protosd.
I am doing lots of reading the last couple of days trying to get up to speed on this.
It is kinda like drinking from a fire hose and I am starting to get a few things confused.

Did I understand that it is not a good thing to have 2 "Windows_Shares" on the same volume you create?

When I tested the Datasets with a single share, and 2 users I was able to reproduce what you had described above. But what I was going for was to not have one user, browse the files of the other user.

It seems that I can do this by creating different 'Shares' and having the 'root' or 'path' (I'm still working on the proper terminology) of one of the shares being 'nested' deeper than the other.

ie: Guest account (or Share) path being rooted at: \Volume_1\Guest

and the Administrator of the Volume being rooted at: \Volume_1

Am I correct in my impression that this is not a good thing?

=============

A quick side question: I saw another post you made ( I am pretty sure it was you ) regarding the setup of 'users', but I just can't find it. It had to do with the checking of disable password and home directories. Do you have the link per chance? Thanks.
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
Did I understand that it is not a good thing to have 2 "Windows_Shares" on the same volume you create?

I'm not sure where you saw that, but I'm not aware of anything. I have several Windows shares on my volume without any problems.

When I tested the Datasets with a single share, and 2 users I was able to reproduce what you had described above. But what I was going for was to not have one user, browse the files of the other user.

I'm not sure I understand what you're asking here. You want 2 users, but only 1 of them should be able to see both users' directories?

It seems that I can do this by creating different 'Shares' and having the 'root' or 'path' (I'm still working on the proper terminology) of one of the share's being 'nested' deeper than the other.

Anything you can do by nesting, you should be able to do un-nested.

Am I correct in my impression that this is not a good thing?

It depends on what you are trying to do. There's nothing wrong with it.

A quick side question: I saw another post you made ( I am pretty sure it was you ) regarding the setup of 'users', but I just can't find it. It had to do with the checking of disable password and home directories. Do you have the link per chance?

I have a vague recollection of that post, but I'd have to search for it. I'll try to post back later and see if I can elaborate on some stuff, I haven't had my 'coffee' yet and I've got a busy day ahead.
 

TDPsGM

Explorer
Joined
Oct 27, 2011
Messages
71
****re: Did I understand that it is not a good thing to have 2 "Windows_Shares" on the same volume you create?****

I'm not sure where you saw that, but I'm not aware of anything. I have several Windows shares on my volume without any problems.

Ok, I thought I might have got that wrong. Thanks.


****re: When I tested the Datasets with a single share, and 2 users I was able to reproduce what you had described above. But what I was going for was to not have one user, browse the files of the other user.****
I'm not sure I understand what you're asking here. You want 2 users, but only 1 of them should be able to see both users' directories?

Basically . . . yes (2 or more users, but for simplification let's call it 3 users).
I am trying to give each user a place that they can access to store files.
User1 will be the administrator who can see and access everything.
User2 has his/her set of files
User3 has his/her set of files

I created a Volume called:
FreeNAS_Volume_1

I then created a dataset
/mnt/FreeNAS_Volume_1/user2
and assigned the same mount point to user2
and a share called: user2

I then created a dataset
/mnt/FreeNAS_Volume_1/user3
and assigned the same mount point to user3
and a share called: user3

I then created a share called Administrator with a mount point:
/mnt/FreeNAS_Volume_1
and assigned the same mount point to user1

If I login to the share for user 2, I can get in ok, but then I can back out of it and click on the administrator's share and "see" all of the datasets for both user 2 and user3. I am not sure why logging into one share would let me 'into' view another share's files.

I can click on any of the shares 'before' I log into user2's share and each one asks me for the login info, but like I said, once you log into one, you can browse the others. This is what I am trying to avoid.

Hopefully that makes sense.


Anything you can do by nesting, you should be able to do un-nested.

I figure it has to do with configuring permissions for users and groups, but I am having issues with that too.
For example when I change the permission set for a single user (or a group) ALL of them get changed! . . . I don't get it.



****re: Am I correct in my impression that this is not a good thing?****

It depends on what you are trying to do. There's nothing wrong with it.

ok, thanks

I have a vague recollection of that post, but I'd have to search for it. I'll try to post back later and see if I can elaborate on some stuff, I haven't had my 'coffee' yet and I've got a busy day ahead.
If I remember correctly, there was something about not setting the "Home Directory" right away and leaving it to '/nonexistent' and something about 'disable password logins' and possibly even about the 'Primary Group' being set to nobody.

I don't know if that helps much. I have been doing as much reading as I can on everything and it is getting a touch jumbled up.

Thanks for the help!
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
Hi TDPsGM,

Here is the link to the thread you were asking about:
http://forums.freenas.org/showthread.php?1541-odd-files-in-my-media-folder

I need some more time to look at what you're trying to do and post the details. Hang in there cause
It is kinda like drinking from a fire hose and I am starting to get a few things confused.

This is kind of what I'm feeling like trying to answer questions right now! :smile:

If anyone else wants to jump in and help @TDPsGM please feel free! There are always multiple solutions to stuff in Unix and I'm more of a command line guy than a GUI guy.
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
Ok, I thought I might have got that wrong. Thanks.

Basically . . . yes (2 or more users, but for simplification let's call it 3 users).
I am trying to give each user a place that they can access to store files.
User1 will be the administrator who can see and access everything.
User2 has his/her set of files
User3 has his/her set of files

I created a Volume called:
FreeNAS_Volume_1

I then created a dataset
/mnt/FreeNAS_Volume_1/user2
and assigned the same mount point to user2
and a share called: user2

I then created a dataset
/mnt/FreeNAS_Volume_1/user3
and assigned the same mount point to user3
and a share called: user3

I then created a share called Administrator with a mount point:
/mnt/FreeNAS_Volume_1
and assigned the same mount point to user1

If I login to the share for user 2, I can get in ok, but then I can back out of it and click on the administrator's share and "see" all of the datasets for both user 2 and user3. I am not sure why logging into one share would let me 'into' view another share's files.

I can click on any of the shares 'before' I log into user2's share and each one asks me for the login info, but like I said, once you log into one, you can browse the others. This is what I am trying to avoid.

Hopefully that makes sense.


I figure it has to do with configuring permissions for users and groups, but I am having issues with that too.
For example when I change the permission set for a single user (or a group) ALL of them get changed! . . . I don't get it.


  • Create another dataset for your Administrator

  • Make a group for every user, it can be the same as the username

  • Make sure each user is only a member of their own group and not a member of any other group.
    (Account-> Group -> View All Groups)
    [screenshot: attachment.php]

  • (chmod -R 770 / chgrp -R group) on each dataset (Owner RWX, Group RWX) by using the GUI like below.
    [screenshot: attachment.php]

  • Make Administrator a member of both users' groups as well as its own.

  • Repeat step 4 for the Administrator's dataset
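The owner/group/other check that both gcooper's explanation of 'drwxr-xr-x root wheel' and the recipe above rely on, as an added Python model (not FreeNAS's or the poster's code): it parses an ls -l mode string and shows why datasets at 770 with one group per user keep user2 out of user3's dataset while an administrator who belongs to every user's group still gets in. The administrator account name 'admin' is an assumption.

```python
"""Owner/group/other check, as an added example (not FreeNAS code). Models the
'drwxr-xr-x root wheel' reading above and ProtoSD's recipe: one group per user,
each user only in its own group, datasets at 770, Administrator in every user's
group. 'admin' as the administrator's account name is an assumption."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    owner: str
    group: str
    mode: int          # permission bits only, e.g. 0o770

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # primary plus supplementary groups

def parse_mode(ls_mode: str) -> int:
    """First column of ls -l, e.g. 'drwxr-xr-x' -> 0o755 (ignores s/t letters)."""
    bits = ls_mode[1:10]
    if len(bits) != 9:
        raise ValueError(f"bad ls mode string: {ls_mode!r}")
    mode = 0
    for ch in bits:
        mode = (mode << 1) | (ch != "-")
    return mode

def perm_bits(entry: Entry, user: User) -> int:
    """Exactly one class applies: owner if the user owns it, else group if any of
    the user's groups match, else other. Classes are never combined."""
    if user.name == entry.owner:
        return (entry.mode >> 6) & 0o7
    if entry.group in user.groups:
        return (entry.mode >> 3) & 0o7
    return entry.mode & 0o7

def can(entry: Entry, user: User, action: str) -> bool:
    """Directory actions: 'list' names needs r, 'enter' (cd, or open an entry by a
    known name) needs x, 'write' (create or delete entries) needs w and x."""
    p = perm_bits(entry, user)
    r, w, x = bool(p & 4), bool(p & 2), bool(p & 1)
    return {"list": r, "enter": x, "write": w and x}[action]

def who_can_enter(dataset_mode: int) -> dict:
    """(user, dataset) -> can cd into /mnt/FreeNAS_Volume_1/<dataset> when every
    user dataset is owned user:user and carries dataset_mode (recipe: 0o770)."""
    users = [
        User("user2", frozenset({"user2"})),
        User("user3", frozenset({"user3"})),
        User("admin", frozenset({"admin", "user2", "user3"})),  # recipe step 5
    ]
    datasets = {n: Entry(n, n, dataset_mode) for n in ("user2", "user3", "admin")}
    return {(u.name, d): can(e, u, "enter") for u in users for d, e in datasets.items()}
```

Running who_can_enter(0o755) against who_can_enter(0o770) shows the difference the chmod step makes: with the looser mode any authenticated user can wander into every dataset, with 770 only the owner and the administrator can.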
 

TDPsGM

Explorer
Joined
Oct 27, 2011
Messages
71
Thanks Protosd for all the help!

I was away from home and just got back and will give this a try.

While away I reread the manual and came across 2 things that may be hanging me up here.

#1. Under the "Account Configuration" section it states:
2. Create a user account for every user in the network where the name of each account is the same as a logon name used on a computer

Is there no way to create a generic "Username" and "Password" that can be used to log into a particular Share/Dataset that is not tied to the computer you are using? That is what I am going for.

#2. The "How To Videos" suggest the Type of ACL should be Unix and not windows. I do have Ubuntu on a couple of machines and so it was my understanding that I should use Unix if everything on the network is not windows based.


This may be out of context, but at the beginning of this thread you spoke of using command line to make changes. In the same "Account Configuration" section it states:

NOTE: It is important to use the GUI for all password and account management. FreeNAS™ uses a configuration database to store these settings. While you can use the command line to modify passwords, users, and groups, changes made at the command line are not written to the configuration database. This means that any changes made at the command line will not persist after a reboot and will be overwritten by the values in the configuration database during an upgrade.

Has this changed at all?

Thanks again for your help.
 

TDPsGM

Explorer
Joined
Oct 27, 2011
Messages
71
  • Create another dataset for your Administrator


  • Do I have to create the dataset - can I not have the Administrators access point be /mnt/FreeNAS_Volume_1?

    That way I can (as the administrator) drill down into the other datasets?
 

gcooper

Guest
I'm not sure where you saw that, but I'm not aware of anything. I have several Windows shares on my volume without any problems.

There's nothing in Samba restricting you from doing that, and there's nothing in FreeNAS that does that either. It's not necessarily the best use of resources, but there's nothing preventing one from doing this.

I'm not sure I understand what you're asking here. You want 2 users, but only 1 of them should be able to see both users' directories?

Yes. That's possible as long as the permissions are set appropriately.

Anything you can do by nesting, you should be able to do un-nested.

Yes.

It depends on what you are trying to do. There's nothing wrong with it.

Indeed. I've seen very permissive setups done by users s.t. other users could touch/modify files in their directories in a collaborative manner -- as protosd said, it all depends.
 

gcooper

Guest
Thanks Protosd for all the help!

I was away from home and just got back and will give this a try.

While away I reread the manual and came across 2 things that may be hanging me up here.

#1. Under the "Account Configuration" section it states:

Is there no way to create a generic "Username" and "Password" that can be used to log into a particular Share/Dataset that is not tied to the computer you are using? That is what I am going for.

#2. The "How To Videos" suggest the Type of ACL should be Unix and not windows. I do have Ubuntu on a couple of machines and so it was my understanding that I should use Unix if everything on the network is not windows based.

This may be out of context, but at the beginning of this thread you spoke of using command line to make changes. In the same "Account Configuration" section it states:

Has this changed at all?

Apart from some volume / dataset management bits, no. Please realize that inventing code to grab info from the underlying system instead of intercepting calls makes things more difficult to implement, test -- and most of all maintain longterm. I think people misunderstand this important point when they gripe about us having middleware to manage this stuff, without understanding the motivation for it.

The same thing ultimately applies for FreeNAS 7 I'm sure.
 

TDPsGM

Explorer
Joined
Oct 27, 2011
Messages
71
  • Create another dataset for your Administrator

  • Make a group for every user, it can be the same as the username

  • Make sure each user is only a member of their own group and not a member of any other group.
    (Account-> Group -> View All Groups)
    [screenshot: attachment.php]

  • (chmod -R 770 / chgrp -R group) on each dataset (Owner RWX, Group RWX) by using the GUI like below.
    [screenshot: attachment.php]

  • Make Administrator a member of both users' groups as well as its own.

  • Repeat step 4 for the Administrator's dataset

Ok, I started clean (fresh install of FreeNAS 8) as I wanted to make sure my thrashing around while playing wasn't going to affect anything.

Thanks again Protosd! It worked perfectly, and as I had hoped.

I am still not sure why the manual says:
Under the "Account Configuration" section it states:
2. Create a user account for every user in the network where the name of each account is the same as a logon name used on a computer

I am not entirely happy with just using it blindly as it opens me up to potentially stubbing my toe in the future (I try to understand 'why' it is I am doing something). For now I am comfortable with it.
I can log in from any computer on the network with just the username and password for the share(s) that have been given permission to that user.
 

TDPsGM

Explorer
Joined
Oct 27, 2011
Messages
71
There's nothing in Samba restricting you from doing that, and there's nothing in FreeNAS that does that either. It's not necessarily the best use of resources, but there's nothing preventing one from doing this.

Thanks for weighing in on this gcooper!

Could you clarify this for me?

I'll take a stab at it because I was wondering about setting it up this way, and maybe this is what you meant (I don't have the time to test my theory just yet but here it goes):

1. Have 1 Share on the Volume.

2. Set up the datasets within that volume

3. Assign permissions to those datasets

4. Set the 'Home Directory' to those data sets in each users "Home Directory" field.

Did I get that right? I am assuming then every user can log into that share with their own unique username and pw and be off to the races (so to speak).

I'll play with it later tonight, but am I on the right track with what you were inferring?
 

Visseroth

Guru
Joined
Nov 4, 2011
Messages
546
I have to ask because I am just not finding it.
Where is the "Change Permissions" option in the GUI so that I can set user permissions in a share or group?
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
Yeah, they can be a little tricky to find if you're not used to working with the GUI. They're under Storage -> Volumes -> View All Volumes
For each mountpoint there's an icon on the right that looks like a little stack of disks with a 'wand' or something over the top of it.
 

Visseroth

Guru
Joined
Nov 4, 2011
Messages
546
Ahh, I see, that is for changing permissions for the volume. I'm wanting to change the permissions for a folder so I can set a user to read only and set others according to what they should be.
I don't see an option in the gui for that.
For instance I have a media user. This user has access to my HomeShares folder but I want that user set to read only.
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
Hmmm, in that case the GUI can't do that, at least not yet. I'm not sure what the plans are for adding that. You'll have to reference the black screenshot above and make those changes from the command line. Permissions can be really difficult for beginners to understand and to explain in a forum like this. Take a look at YouTube, there are a ton of videos explaining permission for Unix/Linux.
 