FileSystem Permissions

Status
Not open for further replies.

chromos33

Cadet
Joined
Jul 25, 2016
Messages
4
Hi, I wanted to ask if it's possible in ZFS to differentiate write permissions.
Like for one account allowing the creation of new files but not allowing renaming/deleting/modifying existing files. For another to allow all those, but only log in when you actually want to change files, otherwise using the first account.

For a possible way of preventing ransomware encrypting files.
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
You can do what you said, but I don't think that it's what you actually want. First off, creating a new file is nothing more than creating a hard link in a particular folder to the data representing that file. If you gave me permission to do that, but not modify the file, I'd be able to create the hard link, but not populate it with anything.

The simpler way to do this is have a "read" account and a "read/write" account. If you share with CIFS, this is easily done with ACLs. If you want to use the Unix permissions, you could do this with a read/write owner and a read only group (or you could give everyone read access).

It would ultimately be up to you to manage the accounts. For example, with CIFS I don't think it's possible to "elevate" on demand from one account to another. You'd need to close the connection, and then reopen it. You could probably do this with NFS and sudo, though.
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
You can mitigate this risk with FreeNAS using snapshots.

Just curious: what happens if I'm using, say 70% of my pool, and my entire pool gets replaced (e.g. by ransomware)? The pool wouldn't have enough space to hold both the current data and the snapshot data. Would you get a "no free space" kind of message? Or would it start flushing snapshots?
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
The way ransomware usually works is it makes a copy of the file and encrypts the copy, then deletes the original. So it is possible to fill up your pool if you have snapshots. If this happens there will be an error when it tries to copy the next file and it will fail.
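
The space accounting described in the last two posts, as an added example that is not part of the thread: a toy copy-on-write pool in which a snapshot pins the original blocks, so the copy-then-delete pattern runs into ENOSPC and no snapshot is dropped. The `Pool` class, file names and one-block file sizes are constructed for illustration; real ZFS also has metadata overhead, compression and reserved space that this ignores.

```python
import errno
import itertools

class Pool:
    """Toy copy-on-write pool; space is counted in equal-sized blocks."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.live = {}       # name -> (extent_id, size) seen by the live filesystem
        self.snapshot = {}   # name -> (extent_id, size) pinned by the snapshot
        self._ids = itertools.count()

    def used(self):
        # An extent is charged once, whether the live tree, the snapshot or both hold it.
        extents = dict(self.live.values())
        extents.update(dict(self.snapshot.values()))
        return sum(extents.values())

    def write(self, name, size):
        if self.used() + size > self.capacity:
            raise OSError(errno.ENOSPC, "No space left on device")
        self.live[name] = (next(self._ids), size)

    def delete(self, name):
        # Space is returned only if the snapshot does not reference the extent.
        del self.live[name]

    def take_snapshot(self):
        self.snapshot = dict(self.live)

def copy_encrypt_delete(pool):
    """Replay the pattern from the thread; return files replaced before ENOSPC."""
    replaced = 0
    for name in sorted(pool.live):
        try:
            pool.write(name + ".locked", pool.live[name][1])  # hypothetical suffix
        except OSError as exc:
            if exc.errno != errno.ENOSPC:
                raise
            break  # the next copy fails; nothing is evicted to make room
        pool.delete(name)
        replaced += 1
    return replaced

def build_pool(with_snapshot):
    """Constructed scenario: 100-block pool, 70 one-block files (70% full)."""
    pool = Pool(capacity=100)
    for i in range(70):
        pool.write(f"file{i:02d}", 1)
    if with_snapshot:
        pool.take_snapshot()
    return pool
```

In the 70%-full case with a snapshot, 30 files are replaced before the write fails and all 70 originals are still referenced by the snapshot; without a snapshot each delete frees its block and all 70 are replaced.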
 