| Both sides previous revision Previous revision Next revision | Previous revisionLast revisionBoth sides next revision |
| nas_permmissions_in_omv [2021/02/24 00:12] – crashtest | nas_permmissions_in_omv [2021/04/27 21:37] – [NAS Permissions In OMV] crashtest |
|---|
| {{ :underconstruction.jpg?400 |}} | |
| |
| |
| <html><center><strong>Getting Started with:</strong></center></html> | <html><center><strong>Getting Started with:</strong></center></html> |
| |
| |
| |
| ====== NAS Permissions In OMV - A Primer ====== | ====== NAS Permissions In OMV ====== |
| \\ | \\ |
| \\ | \\ |
| If preferred, this document is available in PDF form at this location → [[https://github.com/OpenMediaVault-Plugin-Developers/docs/blob/master/Getting_Started-Permissions.pdf|Getting Started - Permissions]] | This document can be converted to a PDF file, in the user's language of choice (see the following), on Windows, Mac's and popular Linux desktop platforms. Simply select the printer icon on the upper right corner of this web page. When prompted at the client, select “print to PDF”, name and save the file.\\ |
| | \\ |
| | [[https://translate.google.com/|Google Translate]] kann Wiki-Dokumente in Ihre Sprache übersetzen. Fügen Sie die Wiki-URL in das linke Fenster ein und öffnen Sie den übersetzten Link rechts.\\ |
| | [[https://translate.google.com/|Google Translate]] puede traducir documentos wiki a su idioma. Pegue la URL de la wiki en la ventana izquierda y abra el enlace traducido a la derecha.\\ |
| | [[https://translate.google.com/|Google Translate]] peut traduire des documents wiki dans votre langue. Collez l'url du wiki dans la fenêtre de gauche et ouvrez le lien traduit sur la droite.\\ |
| | [[https://translate.google.com/|Google]]翻訳はwikiドキュメントをあなたの言語に翻訳することができます。 左側のウィンドウにwikiのURLを貼り付け、右側の翻訳されたリンクを開きます。\\ |
| \\ | \\ |
| ---- | ---- |
| ===== Shared Folder Permissions ===== | ===== Shared Folder Permissions ===== |
| \\ | \\ |
| By default, the majority of files and folders on the OMV file server are owned and accessed solely by the root user account. Since that is not useful in a networked environment, user access to a NAS server storage location is changed by the creation of a “**Shared Folder**”. Creating a shared folder is covered in the New User's Guide under [[https://openmediavault.readthedocs.io/en/5.x/new_user_guide/newuserguide.html#setting-up-a-sf|Setting up a Shared Folder]]. This process physically creates the folder and assigns usable permissions to the folder, that allow regular user access.\\ | By default, the majority of files and folders on the OMV file server are owned and accessed solely by the **root** user account. Since that is not useful in a networked environment, user access to a NAS server storage location is changed by the creation of a “**Shared Folder**”. Creating a shared folder is covered in the New User's Guide under [[https://openmediavault.readthedocs.io/en/5.x/new_user_guide/newuserguide.html#setting-up-a-sf|Setting up a Shared Folder]]. This process physically creates the folder and assigns usable permissions to the folder, that allow regular user access.\\ |
| \\ | \\ |
| The default permissions assigned to a new Shared Folder, in OMV's GUI, are:\\ | The default permissions assigned to a new Shared Folder, in OMV's GUI, are:\\ |
| Under **Services**, **SMB/CIF**, in the **Shares** tab, click on the **+Add** button. | Under **Services**, **SMB/CIF**, in the **Shares** tab, click on the **+Add** button. |
| |
| * Shared Folder: | * **Shared Folder:** |
| In this case, we're layering a Samba network share on top of the “Test” Shared Folder, previously created. | In this case, we're layering a Samba network share on top of the “Test” Shared Folder, previously created. |
| * Public: | * **Public:** |
| In this case, the entry selected is No.\\ | In this case, the entry selected is No.\\ |
| \\ | \\ |
| * If the SMB **Public** field is set to “**Guests Allowed**”, that would combine with the “**Test**” Shared Folder permission **Others – Read**, to allow network guests **Read** access. (These permissions; **Others – Read** in the Shared Folder and **Guests Allowed** in Samba are appropriate for a media share. Network guests would have read access to media, music, movies, etc.) | * If the SMB **Public** field is set to “**Guests Allowed**”, that would combine with the “**Test**” Shared Folder permission **Others – Read**, to allow network guests **Read** access. (These permissions; **Others – Read** in the Shared Folder and **Guests Allowed** in Samba are appropriate for a media share. Network guests would have read access to media, music, movies, etc.) |
| * Beyond **Public access** choices, Samba assumes that appropriate user permissions have been assigned to the bottom layer, at the Shared Folder level. | * Beyond **Public access** choices, Samba assumes that appropriate user permissions have been assigned to the bottom layer, at the Shared Folder level. |
| * As shown below, if **Read only** is **ON** (green), **users** with **write** access to the Shared Folder, will not be able to add (write), modify or delete files. (There are exceptions. More on that later.)\\ | * If **Read only** is **ON** (green), **users** with **write** access to the Shared Folder, will not be able to add (write), modify or delete files. (There are exceptions. More on that later.)\\ |
| \\ | \\ |
| ---- | ---- |
| Understanding permissions effects, specifically the combination of various settings, is important. Again, Samba can further restrict but it can't override and “increase” access. Some examples are: | Understanding permissions effects, specifically the combination of various settings, is important. Again, Samba can further restrict but it can't override and “increase” access. Some examples are: |
| |
| * If a “host is allowed” but the username doesn't have access, the result is denied. | * If a “host is allowed” but the username doesn't have access, the result is **denied**. |
| * If a host is denied but the username has access, the result is still denied. | * If a host is denied but the username has access, the result is still **denied**. |
| * Consumer router behavior is not always consistent. If a host is specified by IP address, but the client uses DHCP, the IP address may change. | * Consumer router behavior is not always consistent. If a host is specified by IP address, but the client uses DHCP, the IP address may change. |
| * Many consumer routers do not consistently map host names to IP address which may make “allow” or “deny” by host name inconsistent.\\ | * Many consumer routers do not consistently map host names to IP address which may make “allow” or “deny” by host name inconsistent.\\ |
| \\ | \\ |
| For these reasons and more, host entries should not be used without closely considering their effects.\\ | For these reasons and more, host entries should NOT be used without closely considering their effects.\\ |
| \\ | \\ |
| {{ :9-perms-samba-share2.jpg?600 |}} | {{ :9-perms-samba-share2.jpg?400 |}} |
| \\ | \\ |
| **Extra options:** This field presents home and small business administrators with some interesting options for share administration. For example, in the upper half of this Samba dialog box, there is the option for **Read only**. In a Samba share, the **Read only switch** will further restrict the group **users** to **read only** access, even if the Shared Folder below allows **write** access.\\ | **Extra options:** This field presents home and small business administrators with some interesting options for share administration. For example, in the upper half of this Samba dialog box, there is the option for **Read only**. In a Samba share, the **Read only switch** will further restrict the group **users** to **read only** access, even if the Shared Folder below allows **write** access.\\ |
| \\ | \\ |
| However a “**write list**” will allow an administrator to selectively bypass the Samba **Read only** switch. In this case if the statement **''write list=Fred''** is added to the **Extra Options** field, the user **Fred** will have **write** access while the rest of the group **users** will still be restricted to **Read only**, enforced by Samba's **Read only switch**.\\ | However a “**write list**” will allow an administrator to selectively bypass the Samba **Read only** switch. In this case if the statement **''write list=Fred''** is added to the **Extra Options** field, the user **Fred** will have **write** access while the rest of the Group **users** will still be restricted to **Read only**, enforced by Samba's **Read only switch**.\\ |
| \\ | \\ |
| The same could be done for the entire users group with **''write list=@users''** | The same could be done for the Group **users** with **''write list=@users''** |
| Adding this statement would allow the entire users group, over the network, **write** access while restricting **Others** with the **Read only switch**.\\ | Adding this statement would allow the entire Group **users**, **write** access while restricting **Others** with the **Read only switch**.\\ |
| \\ | \\ |
| ---- | ---- |
| Note the check marks under **No access** for **Johnny** and **Betty**. To be sure that all files and folders in the share are reset with the appropriate permissions, the **Recursive** switch should be **ON** (green), before Clicking on **Apply**.\\ | Note the check marks under **No access** for **Johnny** and **Betty**. To be sure that all files and folders in the share are reset with the appropriate permissions, the **Recursive** switch should be **ON** (green), before Clicking on **Apply**.\\ |
| \\ | \\ |
| **Johnny** and **Betty** will have no access to the **Test** share, while the remaining users in the Group users will have **Write**. Using ACL's in this way allows a home administrator to selectively set individual users to **Read-only** or **deny access**. However, note that ACL's can not grant **increased access** that does not exist in Standard permissions.\\ | **Johnny** and **Betty** will have no access to the **Test** share, while the remaining users in the Group **users** will have **Write**. Using ACL's in this way allows a home administrator to selectively set individual users to **Read-only** or **deny access**. However, note that ACL's can not grant **increased access** that does not exist in Standard permissions.\\ |
| \\ | \\ |
| ---- | ---- |
| ==== Practical Permissions Examples ==== | ==== Practical Permissions Examples ==== |
| \\ | \\ |
| (In the following examples, root as the owner is assumed.)\\ | (In the following examples root, as the owner, is assumed.)\\ |
| \\ | \\ |
| In the examples, the list of users are as follows:\\ | In the examples, the list of users are as follows:\\ |
| {{ :13-perms-example1.jpg?600 |}} | {{ :13-perms-example1.jpg?600 |}} |
| \\ | \\ |
| * In the Shared Folder, the group **users** have **write**. This is necessary so that **Fred**, who is the family server administrator, can **write** to the share. | * In the Shared Folder, the group **users** have **write**. This is necessary so that **Fred**, who is the family server administrator, can **write** to the share from his client. |
| * Samba Public access is set to **Guests allowed** which works with the Shared Folder permission **Others: Read** These permissions and Samba settings will allow visitors **read** access to media shares such as music or movies. | * Samba Public access is set to **Guests allowed** which works with the Shared Folder permission **Others: Read** These permissions and Samba settings will allow visitors **read** access to media shares such as music or movies. |
| * **Read Only is ON**. This will further restrict the Group users down from **Write** to **Read only** access. With young children accessing a share, **Read only** is a good idea to prevent the possibility of an accidental deletion of media files. | * **Read Only is ON**. This will further restrict the Group users down from **Write** to **Read only** access. With young children accessing a share, **Read only** is a good idea to prevent the possibility of an accidental deletion of media files. |
| * The Samba **''write list''** bypasses the Samba **Read Only** setting for one user, allowing **Fred** to **write** to the share for admin purposes.\\ | * The Samba **''write list''** bypasses the Samba **Read Only** setting for one user, allowing **Fred** to **write** to the share for admin purposes.\\ |
| \\ | \\ |
| === A Group Share === | === A Group Share === |
| === A Restricted Share === | === A Restricted Share === |
| \\ | \\ |
| This share is for private information, for select members of the Group users. ACL's can be used to remove access for users that should not see the contents of the applicable share. In this example, Parents have access while household children are set to **No Access**.\\ | This share is for private information, for select members of the Group **users**. ACL's can be used to remove access for users that should not see the contents of the applicable share. In this example, Parents have access while household children are set to **No Access**.\\ |
| \\ | \\ |
| A significant point to be made about this example is that one or more users can be set to **Read only** or **No Access** without disturbing the access of the remaining members of the Group **users**. This might be convenient and expedient for employers who might want to restrict a specific employee to **No access** or **Read-only** access, quickly, when “notice” has been given or received.\\ | A significant point to be made about this example is that one or more users can be set to **Read only** or **No Access** without disturbing the access of the remaining members of the Group **users**. This might be convenient and expedient for employers who might want to restrict a specific employee to **No access** or **Read-only** access, quickly, when “notice” has been given or received.\\ |
| {{ :14-perms-example3.2.jpg?600 |}} | {{ :14-perms-example3.2.jpg?600 |}} |
| \\ | \\ |
| After selecting group usernames for No access (or **Read-only**) it's important to turn **Recursive ON** (green), before clicking the **Apply** button. This insures that new permissions are written to all files and folders within the share.\\ | After selecting group usernames for **No access** (or **Read-only**) it's important to turn **Recursive ON** (green), before clicking the **Apply** button. This insures that new permissions are written to all files and folders within the share.\\ |
| \\ | \\ |
| **Note:**\\ | **Note:**\\ |
| {{ :15-perms-example4.2.jpg?600 |}} | {{ :15-perms-example4.2.jpg?600 |}} |
| \\ | \\ |
| | ---- |
| ===== The Bottom Line ===== | ===== The Bottom Line ===== |
| \\ | \\ |