Setting User to have selected group access and to only specific folders

Status
Not open for further replies.

Nayeem

Dabbler
Joined
Apr 1, 2014
Messages
20
Question: I have a user named "Sue" that is attached to a group labeled "Sue" and to an auxiliary group "Business". The user Sue has a folder with this user path: /mnt/media121/data/users/Sue, and Business is just a group and not attached to any data folder. However, on the network there is a folder at this path: /mnt/media121/data/Business, to which I would like user Sue to have access but NO ONE ELSE.

How can the user Sue see both directories?
Does she need to add two CIFS drives, one for each?
Can she see both "folders" in “her" CIFS drive?
Does the business aux group need to be a CIFS group?

I guess the overall question is how can I grant users I specify to access ONLY specific folder paths? Example:
USER: Sue
1. /mnt/media121/data/users/Sue
2. /mnt/media121/data/business
3. /mnt/media121/data/media

User: Tom
1. /mnt/media121/data/users/Tom
2. /mnt/media121/data/business/company-data
3. /mnt/media121/data/media
 

alexg

Contributor
Joined
Nov 29, 2013
Messages
197
Did you look at ACLs?
 

Nayeem

Dabbler
Joined
Apr 1, 2014
Messages
20
Alexg, thanks for the info. OK, so I've researched ACLs and here’s what I can gather at the moment:
To accomplish my earlier task of allowing certain users access to their own PRIVATE drives, a shared drive and maybe another auxiliary group.

1. Create a dataset (folders) for each user under the current dataset (Sue, Jay, Osman, Shared, Business)
2. Add Users (Sue, Jay, Osman)
3. Add Groups (Business, Shared, Sue, Jay, Osman)
4. Set permissions to 770 for each dataset folder via ssh
5. Change permissions. Owner: nobody and Group: group-name for each dataset (ex. Business)
6. Create a Windows CIFS share pointing to her dataset?

Here are the settings I selected under her user:
-Set up user Sue under the primary group of ‘no group’ and pointed the home directory to her new dataset folder path called Sue. I then checked the RWX for ‘Owner' and ‘Group' and did NOT check anything for ‘Other’.

Finally, I added her to the Shared, Business & Sue auxiliary groups.

My Goal:
1. Sue should be able to freely RWX on the ‘Shared' dataset like anyone else I add to that folder group.
2. Sue should be the ONLY one to be able to RWX her own personal dataset (folder) labeled ‘Sue'.
3. She should be able to RWX all files under the ‘Business’ dataset.

Questions:
1. Will my setting above accomplish my goal? If not, then what changes should I make?
2. Will another user on the network be able to log into any of ‘Sue’s folders without her username and password?
3. Can I create a ‘super user’ that can roam ALL the files without regard to groups or owners? Would I need to log in as ‘root’ to accomplish this?
4. When Sue mounts her CIFS drive, will ALL the datasets (folders) that she’s allowed to see be visible? She should see Shared, Sue and Business Folders.

I'm totally new at FreeNAS but I learn very quickly. I have a good understanding of permissions; however, I’m really confused about the role that datasets and the folders within them take on, and how to allow certain people access to only certain folders regardless of whether that folder is within another dataset. Hope this makes sense...
 

alexg

Contributor
Joined
Nov 29, 2013
Messages
197
Dealing with permissions and getting them done correctly is a complex and time-consuming task. There is a good reason why cyberjock would not touch any permission threads. The best recommendation I can give you is to set up a few test samples of datasets/shares/directories and see what it does. Try to create sub-folders and files and see how it inherits permissions. That is the best way to learn this thing.
 

qwerion

Dabbler
Joined
Jan 30, 2014
Messages
19
4. Set permissions to 770 for each dataset folder via ssh
Do NOT do this with chmod - apparently with samba4 now, it requires the extended ACLs to be set correctly in order for anything to work as expected from Windows. chmod will wipe out the extended attributes. Use setfacl.

I don't believe any of the documentation is clear on this - it took a few weeks on and off until I found this long thread in the bug reporting site.
https://bugs.freenas.org/issues/4151
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
You can absolutely do chmod and have it work on Samba4. That's how I do my test box and it's worked flawlessly for me. ;)
 

qwerion

Dabbler
Joined
Jan 30, 2014
Messages
19
This is what happens with me. And then I won't have write access due to the extended ACLs for group being wiped.

Shrug.

Code:
[/mnt/primary/storage/share]$ ls -l
total 1
-rwxrwxrwx+ 1 nobody  mainusers  4 Apr 26 20:52 test.txt
 
[/mnt/primary/storage/share]$ getfacl test.txt
# file: test.txt
# owner: nobody
# group: mainusers
            owner@:rwxpDdaARWcCo-:------:allow
            group@:rwxpDdaARWc---:------:allow
         everyone@:rwxpDdaARWc---:------:allow
 
[/mnt/primary/storage/share]$ sudo chmod 777 test.txt
Password:
 
[/mnt/primary/storage/share]$ ls -l
total 7
-rwxrwxrwx  1 nobody  mainusers  4 Apr 26 20:52 test.txt
 
[/mnt/primary/storage/share]$ getfacl test.txt
# file: test.txt
# owner: nobody
# group: mainusers
            owner@:rwxp--aARWcCos:------:allow
            group@:rwxp--a-R-c--s:------:allow
         everyone@:rwxp--a-R-c--s:------:allow
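
The two listings in the post above can be compared mechanically. The following is an added example, not part of the original thread: a shell function that diffs two saved `getfacl` listings and reports which NFSv4 permission letters each principal lost or gained. The names `acl_diff` and `demo` are hypothetical, and it assumes one ACL entry per principal, as in the listings shown.

```shell
#!/bin/sh
# Added example: diff two saved FreeBSD `getfacl` listings (NFSv4 ACL format)
# and report, per principal, the permission letters lost or gained.
# Letters per setfacl(1): D=delete_child d=delete A=write_attributes
# W=write_xattr s=synchronize. Assumes one entry per principal.
acl_diff() {  # usage: acl_diff BEFORE_FILE AFTER_FILE
    awk '
    function minus(a, b,    i, c, out) {   # letters in a that are absent from b
        out = ""
        for (i = 1; i <= length(a); i++) {
            c = substr(a, i, 1)
            if (index(b, c) == 0) out = out c
        }
        return (out == "") ? "-" : out
    }
    /^[ \t]*#/ || NF == 0 { next }         # skip "# file:" headers and blank lines
    {
        line = $0; gsub(/[ \t]/, "", line)
        split(line, f, ":")                # principal:perms:inheritance:type
        if (f[1] == "user" || f[1] == "group") { who = f[1] ":" f[2]; perms = f[3] }
        else { who = f[1]; perms = f[2] }  # owner@, group@, everyone@
        gsub(/-/, "", perms)               # "-" marks an unset bit
        if (!(who in seen)) { seen[who] = 1; order[++n] = who }
        if (FILENAME == ARGV[1]) before[who] = perms
        else after[who] = perms
    }
    END {
        for (i = 1; i <= n; i++) {
            w = order[i]
            printf "%s lost=%s gained=%s\n", w, minus(before[w], after[w]), minus(after[w], before[w])
        }
    }' "$1" "$2"
}

# The two listings from the post above, saved to temporary files and compared.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# file: test.txt' 'owner@:rwxpDdaARWcCo-:------:allow' \
        'group@:rwxpDdaARWc---:------:allow' \
        'everyone@:rwxpDdaARWc---:------:allow' > "$tmp/before"
    printf '%s\n' '# file: test.txt' 'owner@:rwxp--aARWcCos:------:allow' \
        'group@:rwxp--a-R-c--s:------:allow' \
        'everyone@:rwxp--a-R-c--s:------:allow' > "$tmp/after"
    acl_diff "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}
```

Saving `getfacl` output before and after a permission change and running `acl_diff` on the two files shows exactly which rights a `chmod` removed from `group@`.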
 