SMB, owner/group inheritance, exception for subdirectory

Daneel_ (Cadet, joined Nov 22, 2023, 1 message)
Hi folks,

I'll preface this by saying that I've spent a few days looking at this on and off, and done a fair amount of searching. I've found partial answers to my questions, but none that fit together to solve my issue.

I'm attempting to set up an SMB share (only SMB) where you can connect as two different users (Adult, Child). When you connect with Adult you have access to everything on the share. When you connect with Child you have access to everything on the share EXCEPT one specific directory (you can't even see it). It shouldn't matter who adds/removes/creates/modifies/etc.; everything should always be fully accessible to both users, with the exception of that one directory. Obviously I want this to be as robust as possible, to prevent the kids from ever getting access to the protected directory.

The use case is that the NAS is used for home use, with one large share that is accessible to all people in the house (adults and kids); however, we adults want to be able to store child-inappropriate content (e.g. inappropriate movies, NSFW memes, etc.) in a specific directory on the share as well. If we connect with the Adult user then we want to be able to see that directory as well as all other content, while if we connect with the Child user we don't want to be able to see/edit/do anything with that specific directory (for obvious reasons) while still having access to everything else.

What I've tried:

1) I've created a shared group (smb-user), put Adult and Child in that group, then set up an ACL so that all files/directories inherit Adult:smb-user ownership, and the group has the same permissions as the owner. This works to make all files usable by either user without issue (great!), but then I can't remove the Child user via the Windows security settings for that directory (it says something along the lines of "can't remove inherited permissions").

2) I've set things up as a regular SMB share with no ACLs, then chown -R'd the whole share as Adult:smb-user. I can access the whole share as both users, and I can remove the ability of the Child user to see the Adult directory, but then new files/directories that are created aren't owned by Adult:smb-user, and I think sometimes I can't edit/delete/etc. those files.

I've attached the ACL settings I was using. Happy to provide any other info required. Please excuse my ignorance throughout this in case I'm missing something obvious.

Attachments: ACLs.png (31.8 KB)
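As an added example (not code from the poster or from a reply), here is a reduced Python model of NFSv4-style ACL inheritance on an SMB share. It reproduces the situation from attempt 1 (an inherited group entry that is still in force on the subdirectory) and shows how an explicit, inheritable deny entry on that subdirectory interacts with the inherited entries. The user and group names (Adult, Child, smb-user) come from the post; the directory and file names, and the simplified permission/flag set, are assumptions of the model.

```python
# Added example, not from the forum post: a reduced model of NFSv4-style ACL
# inheritance on an SMB share. Assumptions: perms are only r/w/x, flags are only
# dir/file-inherit and inherited, explicit entries precede inherited ones (Windows order).
from typing import NamedTuple
ALLOW, DENY = "allow", "deny"
DI, FI, INH = "dir_inherit", "file_inherit", "inherited"
RWX, RW, X = frozenset("rwx"), frozenset("rw"), frozenset("x")
class Ace(NamedTuple):
    kind: str                       # ALLOW or DENY
    who: str                        # user name, or "g:" + group name
    perms: frozenset                # subset of RWX
    flags: frozenset = frozenset()  # inheritance flags
class Node:
    def __init__(self, name, is_dir, explicit=(), parent=None):
        self.name, self.is_dir, self.parent = name, is_dir, parent
        self.explicit = list(explicit)  # entries set on this node itself
    def acl(self):
        """Explicit entries first, then entries inherited down the parent chain."""
        want = DI if self.is_dir else FI
        inherited = [Ace(a.kind, a.who, a.perms, a.flags | {INH})
                     for a in (self.parent.acl() if self.parent else [])
                     if want in a.flags]
        return self.explicit + inherited
    def add(self, name, is_dir, explicit=()):
        return Node(name, is_dir, explicit, self)

def access(node, user, groups, want):
    """First matching entry per permission bit decides; every bit must be allowed."""
    principals = {user} | {"g:" + g for g in groups}
    granted, denied = set(), set()
    for ace in node.acl():
        if ace.who in principals:
            hit = (ace.perms & want) - granted - denied
            (granted if ace.kind == ALLOW else denied).update(hit)
    return want <= granted

def demo():
    both = frozenset({DI, FI})
    share = Node("share", True, [Ace(ALLOW, "Adult", RWX, both),
                                 Ace(ALLOW, "g:smb-user", RWX, both)])
    film = share.add("movies", True).add("film.mkv", False)
    # Attempt 1 from the post: the inherited smb-user entry stays on the subdirectory,
    # so Child (a member of smb-user) keeps access unless an inheritable DENY precedes it.
    leaky = share.add("private-attempt1", True)
    private = share.add("private", True, [Ace(DENY, "Child", RWX, both)])
    secret = private.add("nsfw.png", False)
    return {"child_film": access(film, "Child", {"smb-user"}, RW),
            "child_leaky": access(leaky, "Child", {"smb-user"}, X),
            "child_private": access(private, "Child", {"smb-user"}, X),
            "child_secret": access(secret, "Child", {"smb-user"}, RW),
            "adult_secret": access(secret, "Adult", {"smb-user"}, RW)}
```

Real ZFS/TrueNAS ACLs carry more permission bits and flags than this model, but the ordering rule it shows (a deny entry evaluated before the inherited allow entries) is what decides whether the group entry inherited from the share root still grants Child access to the protected directory.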