Possible to setup read only account for remote access?

[DGenerateKane]

I just installed FreeNAS on an old PC to familiarize myself with it before I build my NAS next week. I'd like to be able to make an account for remote access that is read only, but everything I've tried isn't working, the account still has full access. Is it not possible? Or am I just failing at it? Any help would be appreciated.

 

[pirateghost]

read only for what sharing protocol? please tell me you are not forwarding your web gui through your router and to the big bad internet...

 

[DGenerateKane]

I'm trying to setup a windows share that can be accessed with SSH. At least I think that's what I'm doing. Honestly this is much more complicated than I thought it would be. I've been using Windows for far too long, and anything else is alien to me. If there is a different way I should be doing it for security purposes, I'd welcome some instructions.

 

[pirateghost]

A windows share accessed via ssh? So you are going to use an ssh tunnel to route all cifs traffic to your freenas box remotely?

Where are you setting up the ssh access? How are you configuring your tunnel?

 

[DGenerateKane]

Have I mentioned I don't really know what I'm doing?

 

[pirateghost]

In all honesty, you just need a clear picture of what you want your end goal to be.

Getting there will require learning but you need to specify what you want.

What is your plan for this share? Is it just you accessing it when you aren't home? What kind of files are they? If its media, is it something Plex could handle for you? If its pictures, documents, etc, is it something owncloud might be a fit for?

Are you looking for complete access to your entire server remotely? If so, you need to look into VPN

 

[DGenerateKane]

I do want remote access for myself when I'm not home, but full access. I've already managed that. I also want to be able to setup accounts that are read only for others to be able to access it, but I don't want them changing anything. I haven't figured out how to make an account read only though. I've never looked into VPN, but my router is capable of it, I'm running DD-WRT.

 

[Robert Smith]

Why remote access has a bearing on anything?

Do you want some users to have full write permissions with local access, and read-only when these same users access the same shares remotely?

 

[DGenerateKane]

These users wouldn't need local access, just remote access. only the account I'd use myself would need full access locally and remotely.

 

[Robert Smith]

[It has been mentioned on these forums that] FreeNAS is not designed to be connected directly to the Big-Bad-Internet; as such, as pirateghost, mentioned, you are probably looking into some kind of VPN to provide you with remote access.

FreeNAS by itself makes no distinction between local and remote users. If you want to configure a user to have read-only access, you just do that; there are no separate instructions for remote users.

 

[anodos]

I'm trying to setup a windows share that can be accessed with SSH. At least I think that's what I'm doing. Honestly this is much more complicated than I thought it would be. I've been using Windows for far too long, and anything else is alien to me. If there is a different way I should be doing it for security purposes, I'd welcome some instructions.

Sharing a dataset with two different protocols is a recipe for disaster (in this case SSH/SFTP and CIFS). Choose one protocol and research how to properly configure it / set access controls. From the sound of it you should set up a VPN. Note that you should have decently fast internet access (upstream and downstream) for VPN to yield desirable results.

 

[Whattteva]

That may be the general rule, but he's only interested in read-only access. I don't think using multiple protocols is that much of a hazard for this use case. Things typically only tend to get hairy when you have multiple processes contending writes.

 

[anodos]

That may be the general rule, but he's only interested in read-only access.

You mean I need to actually read what the OP wrote? :)
Still, proper permissions can be difficult to set up and maintain for one protocol per dataset. Anticipating interactions between two protocols and how access controls between them interact can be a bit unpredictable.

 

[Knowltey]

Well you should follow a two step process here for this rather than tackling both problems at once.

Step 1: Get the user account working **locally** on a read-only basis.

Step 2: Allow that user remote access somehow.

Your best way for one if you're using CIFS is to just make a user and then set up permissions so that they only have read and are denied write access on everything.

It may or may not work for you but what I do for when I need remote access is just RDP into either my desktop or laptop at home.

 

[willnx]

I do want remote access for myself when I'm not home, but full access. I've already managed that. I also want to be able to setup accounts that are read only for others to be able to access it, but I don't want them changing anything. I haven't figured out how to make an account read only though. I've never looked into VPN, but my router is capable of it, I'm running DD-WRT.

I think part of the in giving a clear answer to your question is revolving around "it." By "it" are you talking about file access, or access to the FreeNAS Admin Web Interface?

If it's file access (via CIFS) you could: Mount the share from your windows box as root, right click the folder the user will be poking and select Properties, then click on the Security tab. From there, edit the permission for the "Everyone" user, and ensure that the users accessing the files aren't, A) explicitly noted with a different permission and B) are not part of a group that has more permissive ACLs.

If it's read only access to the Web GUI - beats me... I'd wager that it's not possible in FreeNAS; read only access to a admin interface is kinda backwards. I've only heard of systems limiting overall access to admin powers, like Solaris with it's roles and such.
You could, I guess, spin up some FreeNAS VMs for others to poke around the Web GUI - that's about the only acceptable use of a FreeNAS VM; training/learning.