Set Permission to allow users to share a common folder & have private personal folder

Status
Not open for further replies.

Visseroth

Guru
Joined
Nov 4, 2011
Messages
546
Thanks, I'm doing that now and thanks for turning me in the right direction. The video link you gave me (http://www.youtube.com/watch?v=4U7PxdAwvM8) really helps me understand how to set permissions better.
Thanks a ton!
 

digitaltrash

Dabbler
Joined
Oct 21, 2011
Messages
19
wonderful explanation, protosd. Thank you :) Precisely what I needed to know.

Just a few questions:
1. Is there a limit on how many users can be set up this way? I may have just about a 100 users.
2. Could the "Storage" share be hidden when alpha/beta user logs in? I enabled the home folders, and just want them to see their own folder show up when they login (plus the common share folder).
3. Is there a way to save this configuration to a file when all the settings are done? I'd like to keep a backup in case my usb melts :)
4. How much coffee do you guys drink?
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
wonderful explanation, protosd. Thank you :) Precisely what I needed to know.

Just a few questions:


Appreciate the feedback Digitaltrash :smile:

1. Is there a limit on how many users can be set up this way? I may have just about a 100 users.

There should be no problem adding 100 users like this, but there could be other problems. You'll need more RAM the more simultaneous users you have. You'll probably need to do some tuning, sysctl.conf & loader.conf. I'm not sure if FreeNAS has other limitations, but I think it should be ok. Normally you would let a server handle the user part and then the server would handle accessing the NAS.

How many users will be online at the same time?
Will they possibly be attempting to access the same files simultaneously?

2. Could the "Storage" share be hidden when alpha/beta user logs in? I enabled the home folders, and just want them to see their own folder show up when they login (plus the common share folder).

I'm not sure what you mean here. The storage can be eliminated if you only want users to access their own files, but it can't just disappear when someone logs in.

3. Is there a way to save this configuration to a file when all the settings are done? I'd like to keep a backup in case my usb melts :)

Yup, read the docs, and you'll see Under System->Settings "Save Config". That won't save changes you make to loader.conf or sysctl.conf (Yet anyway, maybe 8.1).

4. How much coffee do you guys drink?

Not a lot, but more is always good ;-)
 

Visseroth

Guru
Joined
Nov 4, 2011
Messages
546
You can hide shares however and then just make them a mount point or a shortcut on the users desktop. No one would otherwise be able to access the folder unless they knew exactly what the name and the path was.
I did that on mine by disabling "Browsable to Network Clients" under the CIFS share that I have created. I also double checked the permissions so that if anyone did find it that they wouldn't have access to it unless they were supposed to. 771=User has full access, group has full access, others have only executable access. Typically you'll use either 770 or 700.
BTW big thanks goes out to protosd for educating me on how to understand permissions, it's been a HUGE life saver!
 

Mirus

Dabbler
Joined
Oct 17, 2011
Messages
39
Hello!
Thank you! Everything is working well.
Just a question: on each computer, I can see the owner folder (for example "beta") and another folder named "homes". I can't find this folder on FreeNAS; I think it's not a folder but an alias.
Is there a solution to erase this alias?
Thank you,
Mirus
 

digitaltrash

Dabbler
Joined
Oct 21, 2011
Messages
19
Thank you for your reply, protosd :D

... You'll need more RAM the more simultaneous users you have.
I am planning on getting 32-64GB dedicated Xeon server built for this. I've read somewhere that with ZFS, one should consider getting a gig of memory per tb of storage, as a rule of thumb. I could have as much as 30-50 simultaneous users logged in, but not reading/writing to the same files/folders. I'm thinking 12TB storage tank should be enough. Now I need to read up on link aggregation and a good intel controller, any suggestions where would be a good start?

You'll probably need to do some tuning, sysctl.conf & loader.conf
Thanks for the heads up! Will search the forum for these settings.

The storage can be eliminated if you only want users to access their own files, but it can't just disappear when someone logs in.
That's precisely what I was asking. It would be nice for a user to log in to the contents of his/her home directory upon just entering \\freenas in IE, nothing else.

Another question came up: Is there any way to log-in as a different user on a W7 machine, after someone has already logged-in? It seems that if I log-in as user A, I remain logged-in as user A until I log-off from windows (I'm using freenas user/pass combination that differs from windows user/pass combo) and there is no way to log-out. Sure, one can use the \\IP_here instead of netbios name, but I feel that there must be a simpler and kosher way of doing this. Any ideas?

Thanks for all your responses, again :)
 

Visseroth

Guru
Joined
Nov 4, 2011
Messages
546
Mirus: I'm not sure what exactly you're referring to, but if there is an alias named "Homes" then it is probably a user. If you log into SSH and look at your mounted hard drives, i.e. /mnt/storage, you should see any folders that have been created. Your best bet in creating and managing folders is from the command prompt via SSH. For example I have folders named Home, User, Offsite. I set the permissions of these folders from command using chmod and selecting the groups for these folders using chgrp (groups have to be created first to set your groups). Once your folders have been created you can create your shares using your gui and then share them to the network. By using groups you can choose who has and doesn't have access to folders by adding or removing them from groups via the gui.

Digitaltrash: 32-64GB of RAM should be more than enough. You can also double check to see what your memory usage is via the gui under reporting and if you don't have enough RAM add more at a later date. You can do this by keeping an eye on your swap usage. If you have too much swap you may need more RAM. I'm running 8GB with 12TB of storage and for 3 to 6 users it's more than enough.
A good server intel controller will do the trick for link aggregation. I'm using dual onboard NIC on my Supermicro X7DBN server. They use a e1000 chipset and link aggregation works great.
I have to agree that it would be GREAT if folders could be hidden when users log in. I would LOVE this feature too and I think we should make it a suggestion on the forum to bring it to the developer's attention. Meanwhile what you could do if you wanted to is make the folders not browsable for those you want hidden (You can do this via the gui by clicking on your share) and then when you map the drives via script on a domain controller or when you map the drive directly from that person's desktop type the path in directly. Just because it's not browsable doesn't mean it's not accessible. For instance I have a folder that is not browsable but it is available, but I have to type the path in and the user that wants to access it has to have permission, otherwise the user would get "access denied".
In regards to logging in via a different user via W7, to my knowledge there is not besides logging off and back in. Besides, doing such things poses security vulnerabilities from the desktop itself because if you are the admin and someone else sat down at that desktop they now have administrative rights to those files and that is not good practice.
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
Sorry guys, I'm spread a little thin and can't answer as easily. Thanks for jumping in Visseroth, appreciate the help.

Mirus: I'm not sure what exactly you're referring to, but if there is an alias named "Homes" then it is probably a user.

There is a setting in CIFS to enable a 'Homes' directory, that might be what you are seeing. If you don't want it, just turn it off in the CIFS settings.

I have to agree that it would be GREAT if folders could be hidden when users log in.

I'm not sure what you guys are referring to here. It sounds like users are able to see a folder and then after logging in it disappears, that doesn't make sense so I'm sure there's another explanation. What is in the hidden folders? What's the purpose of having them?

In regards to logging in via a different user via W7, to my knowledge there is not besides logging off and back in.

There is *some* way to clear the cache on windows and switch users, but it's a hack. It's been posted here in the forums, but I'm not sure where.
 

Visseroth

Guru
Joined
Nov 4, 2011
Messages
546
I'll try and explain this as best I can.
What we were talking about was a set of hidden folders that would only show up for the user if the user has permission to access them. All other folders that the user does not have permission to access would be hidden, thereby eliminating clutter and possibly even hiding information from users that they don't need to know or see, i.e. folder names.
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
I'll try and explain this as best I can.
What we were talking about was a set of hidden folders that would only show up for the user if the user has permission to access them. All other folders that the user does not have permission to access would be hidden, thereby eliminating clutter and possibly even hiding information from users that they don't need to know or see, i.e. folder names.

I don't think what you're asking for can be done easily, it's generally why users have separate folders. You can make a folder 'execute' only and that will prevent users from seeing the files or doing an 'ls', but it doesn't really accomplish what you're expecting and opens a whole other can of worms. If your users were using strictly Unix/Linux you could put a dot in front of the folder or file and that would make it hidden, but still not completely if you know how to look for it. There is a thing called ACLs (Access Control Lists) which @gcooper alluded to a few posts above which would probably do what you're expecting, but they're difficult to implement with the GUI and still even more difficult to understand than regular Unix/Linux permissions. Windows has something similar with its security permissions too. They've borrowed a lot of stuff from 'other' OS's.... Anyway, I'm going blind staring at this white background here in the forums and really hope one of the Admins will give us some optional themes with colors more soothing to the eyes.... ;-)
 

digitaltrash

Dabbler
Joined
Oct 21, 2011
Messages
19
Hey guys, apologies for not staying in touch past weeks. I've been very busy.

Visseroth,
Thank you very much for your input. I'll be definitely checking out the gui statistics on RAM (and other) usage. The stats is one of the many great features in FreeNAS.

A good server intel controller will do the trick for link aggregation. I'm using dual onboard NIC on my Supermicro X7DBN server. They use a e1000 chipset and link aggregation works great.
If you don't mind me asking, how did you set yours up? Which Lagg did you use? When you pump data, does it actually route traffic properly (that is, according how you configured your lagg)? Also, did you need some specific features on your router/switch box for it to work without breaking your network setup? I've never done this, so my mind wonders :o

I have to agree that it would be GREAT if folders could be hidden when users log in. I would LOVE this feature too and I think we should make it a suggestion on the forum to bring it to the developer's attention.
My solution is to map it as a network drive (In WIN environment) for each user individually, directing it to their home folder by default, i.e. \\freenas\storage\username and then creating a shortcut in their folder for the "common" share. This is good enough for me, and the user does not see folders of other users right away, without some sneaking around. I found that using:
Code:
net use x: \\freenas\storage\username /persistent:yes  /user:username password
works really well in cmd (much better than the mapping wizard, which considerably slows things down for some reason).

protosd

There is *some* way to clear the cache on windows and switch users, but it's a hack. It's been posted here in the forums, but I'm not sure where.
My share name is \\backup. Doing either a \\freenas or \\ip_address directly, brings up a login screen again. I can login as anyone, even if someone is already logged on under their name. This is kinda necessary when I need to do some "god" functions. Any links to the hack way of doing this? Good hacks never hurt!

Finally, I've noticed that if a user goes to \\freenas\storage, where all of the user folders are located, they (anyone, really) can change the name of any folder (i.e. any other users' home folder). That's a bit dangerous! Can you guys confirm this on your boxes?
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
Digitaltrash,

I have a link about purging login credentials, not the one I was trying to remember, but here it is:

How-to-forget-network-share-credentials

Also, not to be a jerk, but it would be great if you could post this in another thread so we can keep this discussion on topic about permissions. I'm actually pretty sure there's a couple threads about this topic already. It makes it difficult for people to find stuff when threads get sidetracked (hijacked) with simple questions like this.

If you don't mind me asking, how did you set yours up? Which Lagg did you use? When you pump data, does it actually route traffic properly (that is, according how you configured your lagg)? Also, did you need some specific features on your router/switch box for it to work without breaking your network setup? I've never done this, so my mind wonders
 

Visseroth

Guru
Joined
Nov 4, 2011
Messages
546
digitaltrash, protosd is right, this is getting quite off the main subject. Start another thread and let me know and I'll help you where I can there.
 

digitaltrash

Dabbler
Joined
Oct 21, 2011
Messages
19
digitaltrash, protosd is right, this is getting quite off the main subject. Start another thread and let me know and I'll help you where I can there.

Sure thing, not a problem. I did get carried away.

But the folder name change is on the topic. Seems to me like that should not be happening. Ideas?
 

Visseroth

Guru
Joined
Nov 4, 2011
Messages
546
Well if everyone has group access to all the folders in that directory then they would be able to change the name. It's about setting the permissions on the directories correctly. Change the permissions on user folders to 700 and make them sticky.
See this http://www.youtube.com/watch?v=4U7PxdAwvM8 (I'd tell ya how to make them sticky but I'm still learning myself)
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
Sorry I don't have time to respond properly. I'd advise against setting the sticky bit, it can be very dangerous security wise, and in 30+ years working with Unix, I can tell you the needs for it are rare. You should be able to do what you need with user/group permissions and ownership/group set properly on the directory. It's just a matter of taking the time to create the right groups for everyone, add them into those groups or multiple groups if necessary, chmod 770 the directory, and then chown/chgrp the directory with the right owner/group. I understand it can be overwhelming if you're new to it. I do all the permission setting from the command line, but if you do, the GUI/database is not going to scan all your files/folders to pickup those changes. I'd learn how to do it from the command line, that way you'll know things are working the way you expect them to and not get bitten by some idiosyncrasy of the GUI.
 

Visseroth

Guru
Joined
Nov 4, 2011
Messages
546
Why is it that the sticky bit is a security issue? My thought was if he set the user's folder to 700 w/sticky bit or even 300 and all folders and files following that folder to 700 then the user would have access to the folder and all its contents but wouldn't be able to change the name of their primary folder and no other users besides root and the owner would have access to their personal folder.
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
Why is it that the sticky bit is a security issue? My thought was if he set the user's folder to 700 w/sticky bit or even 300 and all folders and files following that folder to 700 then the user would have access to the folder and all its contents but wouldn't be able to change the name of their primary folder and no other users besides root and the owner would have access to their personal folder.

Visseroth, that's an interesting idea. One thing with Unix is there are always lots of different ways to do the same thing. I think the sticky bit when set on a folder like you were suggesting would probably be ok. I've worked a lot with Unix and in all that time have never had a need to use the sticky bit on a folder and have never seen user accounts set up that way. Some strange things might happen from windows, but like I said, I've never needed or seen it done. There are other situations, like for /tmp or /var/tmp where the sticky bit on a folder is a security advantage. For most of us, this will probably never be an issue, but temporary files stored in /tmp can be replaced with nefarious substitutions that can compromise a system. The sticky bit when used without caution on regular files like scripts for example can allow a person to substitute another script and gain access/privileges. If you notice on the nightly security emails from FreeNAS, it does a scan for files with the sticky bit so you can keep an eye out for problems.

You also need to be careful, if you set the wrong permissions and make your login directory unreadable you won't be able to login.
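
Added example, not code from the thread: the folder-rename question above comes down to the mode of the parent directory, because renaming or deleting an entry needs write permission on the directory that contains it, and a sticky bit on that parent limits those operations to the entry's owner, the directory's owner, or root. This read-only audit in POSIX sh shows the check; the function names and the constructed demo tree are assumptions.

```sh
#!/bin/sh
# Added example: read-only audit of a directory holding per-user folders.
# Renaming or deleting an entry is decided by the PARENT directory's
# write bit (and sticky bit), not by the mode of the entry itself.

# mode_of PATH -> 10-character mode string from ls, e.g. "drwxrwx--T"
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# parent_rename_risk DIR -> RISK if group/other can write to DIR and no
# sticky bit limits rename/delete to each entry's owner, otherwise OK
parent_rename_risk() {
    m=$(mode_of "$1")
    gw=$(printf '%s' "$m" | cut -c6)     # group write position
    ow=$(printf '%s' "$m" | cut -c9)     # other write position
    sx=$(printf '%s' "$m" | cut -c10)    # t or T here = sticky bit set
    case "$sx" in
        t|T) echo OK; return 0 ;;
    esac
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo RISK
    else
        echo OK
    fi
}

# open_to_others DIR -> names of child directories that give "other" any
# access, i.e. anything looser than the 770 / 700 used in this thread
open_to_others() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        o=$(mode_of "$d" | cut -c8-10 | tr T -)
        [ "$o" = "---" ] || basename "$d"
    done
}

# Constructed demo tree (assumption; stands in for /mnt/storage)
demo() {
    root=$(mktemp -d)
    mkdir "$root/alpha" "$root/beta" "$root/common"
    chmod 700 "$root/alpha"; chmod 755 "$root/beta"; chmod 770 "$root/common"
    chmod 775 "$root"
    echo "parent 775:  $(parent_rename_risk "$root")"
    chmod 1775 "$root"
    echo "parent 1775: $(parent_rename_risk "$root")"
    echo "open to others: $(open_to_others "$root")"
    rm -rf "$root"
}
demo
```

On the NAS, the same functions can be pointed at the real parent over SSH, for example `parent_rename_risk /mnt/storage`; they only read modes and change nothing.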
 

yoan

Cadet
Joined
Nov 20, 2011
Messages
3
No browse button in CIFS

Hi

I'm trying to follow this tutorial
http://forums.freenas.org/showthrea...ommon-folder-amp-have-private-personal-folder
but i don't have the browse button in CIFS share
no_browse_button.JPG
is it normal? I have one ufs volume
thanks for your help
 