Creating dataset/share via API having problems securing it.

bmf614z

Dabbler
Joined
Aug 23, 2019
Messages
10
Hi,

I am creating datasets and shares via the FreeNAS API.

I notice that when I create a share for a user (their own home directory), other users can view the contents of that share (their home directory).

Does anyone know the process of creating a share that only the user that owns the directory can view the contents and the share itself?

For example this is working now:

```
mount -t cifs -o username=andy,password=daveycrockett,vers=3.0 //x.x.x.x/steve /stuff
```

but the user andy should only have access to the share /andy and steve should only have access to the share steve.

This seems to be the default and seems a bit too permissive.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
We're adding a proper Permissions / ACL API in 11.3. You can look at API details by downloading the latest nightly and navigating to <ip of server>/api/docs. Relevant WS API calls are `filesystem.setperm` and `filesystem.setacl`.
 

bmf614z

Right but how can I either change the default permissions that get applied when the directory is created so that all new ones get created properly OR how can I set it properly in 11.2 programmatically?
 

anodos

> Right but how can I either change the default permissions that get applied when the directory is created so that all new ones get created properly OR how can I set it properly in 11.2 programmatically?

In 11.2, there are limited options. If you are exclusively providing SMB access to the home directory (no SSH), then you can check the box "home share", in the share config. This will basically chroot the SMB session to `<path to share>/username`. Then you don't have to worry so much about permission. Otherwise, you will need to edit the permissions with `setfacl`.
 

bmf614z

Is 'setfacl' something we have to do every time a user/share is created, or is that something that is run once to set the defaults? Can that be done via SSH? I had one other question: is there any way to enable SSH but only for SFTP/SCP and not shell? I don't believe there is because of how SFTP works, but I didn't know if someone had come up with a creative way to accomplish this.
 

anodos

New files / directories inherit any inheritable ACL entries from the parent directory. In this case, you only need to set permissions on the parent and everything is good. New datasets do not. In this case, you will have to set permissions every time you create one ***

*** with the exception of [homes] shares with ixnas:zfs_auto_homedir=true. In this case, I have samba automatically inherit the parent dataset's ACL when the user home dataset is created.
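
Because new datasets do not inherit the parent's permissions, a check run after each dataset is created can confirm that no home directory is left open to other users. The following is an added example, not code from the thread or from FreeNAS: it assumes a `<parent>/<username>` layout, and the function names `audit_homes` and `lock_down` are hypothetical. It inspects POSIX owner and mode bits only and does not read ACL entries set with `setfacl`.

```python
import os
import pwd
import stat
import sys

def _uid_from_passwd(name):
    # Default resolver: raises KeyError when the account does not exist.
    return pwd.getpwnam(name).pw_uid

def audit_homes(parent, uid_for=_uid_from_passwd):
    """Return (path, problem) tuples for every <parent>/<username> directory."""
    findings = []
    with os.scandir(parent) as it:
        entries = sorted(it, key=lambda e: e.name)
    for entry in entries:
        if not entry.is_dir(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        try:
            expected = uid_for(entry.name)
        except KeyError:
            findings.append((entry.path, "no such user"))
            continue
        if st.st_uid != expected:
            findings.append((entry.path, f"owned by uid {st.st_uid}, expected {expected}"))
        # Any group/other bit lets someone other than the owner into the directory.
        extra = stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO)
        if extra:
            findings.append((entry.path, f"group/other bits set: {oct(extra)}"))
    return findings

def lock_down(parent, uid_for=_uid_from_passwd):
    """chmod 0700 each directory flagged for group/other access; return the paths changed."""
    changed = []
    for path, problem in audit_homes(parent, uid_for):
        if problem.startswith("group/other"):
            os.chmod(path, 0o700)
            changed.append(path)
    return changed  # ownership findings are left for the administrator to review

if __name__ == "__main__":
    # Usage: python audit_homes.py /path/to/parent [--fix]
    if "--fix" in sys.argv[2:]:
        for fixed in lock_down(sys.argv[1]):
            print(f"chmod 0700 {fixed}")
    for path, problem in audit_homes(sys.argv[1]):
        print(f"{path}: {problem}")
```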
 