To allow browsing sub folders to which one has permission

peter boos (Dabbler, joined Sep 21, 2020, 35 messages)
Hello, I want to set up permissions so that I have a base:
/mnt/some/folder/base (owned by root and wheel)

Under it I would like to add folders in such a way that only a member of that folder's group can see that subfolder.
So:

Code:
/mnt/some/folder/base/Project_One
/mnt/some/folder/base/Project_Two
/mnt/some/folder/base/Project_Three
/mnt/some/folder/base/Project_Four

There is a group "PRJ_One" assigned to the first folder as below:
setfacl -m g:"Domain\PRJ_One":full_set:fd:allow /mnt/some/folder/base/Project_One
Each folder gets its own group assigned: PRJ_Two, PRJ_Three, etc.

How do I set folder permissions so that you can see a folder only if you are a member of a certain project group?
If a person is a member of multiple groups, say PRJ_One and PRJ_Four, he would see only those two folders.

I think it should be possible, but I don't know how to set permissions on /mnt/some/folder/base
to allow browsing only the sub folders to which one has permission.

Note that I want to do this with console commands (it will become part of a script for adding projects).
 

sretalla (Powered by Neutrality, Moderator, joined Jan 1, 2016, 9,703 messages)
You need to remove (or deny) the list permissions from "everyone" for those folders.

Then only assign the list permission to the groups you wish to see them.
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages)
> You need to remove (or deny) the list permissions from "everyone" for those folders.
>
> Then only assign the list permission to the groups you wish to see them.
NFSv4 / NTFS "everyone" is different from Unix "OTHER". It literally means "everyone" (including the file owner and group). This means, there should almost never be DENY entries for "everyone".
 

sretalla
It may be easiest to do that from Windows in PowerShell...

Get-Acl and Set-Acl are the modules you need to look up. I guess you can find plenty of hints on the net for that.
 

anodos
I would probably create two new additional groups: one for admins, and one with all of your project groups. Then modify ACL for /mnt/some/folder/base so that it contains the following entries:
Code:
g:<base group>:full_set::allow #non-inheriting
owner@:full_set:fd:allow
group@:full_set:fd:allow
g:<admin group>:full_set:fd:allow #inheriting

and have the directory be owned by root:wheel or root:<admingroup>.

Then, once you create your subdirectories, either use a member of the admin group in a Windows client to add an additional ACL entry for the group that needs access, or use setfacl to add it.
 

peter boos
I tried it, so at the base (/mnt/some/folder/base/):

setfacl -m g:"base group":full_set::allow /mnt/some/folder/base #non-inheriting

The result is that all folders become visible. Only the ones a person has access to should become visible.
 

peter boos
At the base, getfacl output:
Code:
# file: .
# owner: root
# group: wheel
group:Domain\All_users:rwxpDdaARWcCos:-------:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow


And getfacl at a project folder:
Code:
# file: .
# owner: root
# group: Domain\prj_fc_project_one
group:Domain\prj_fc_project_one:rwxpDdaARWcCos:fd-----:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow
 

anodos
You didn't fully apply the ACL I specified above on your base directory (owner@ and group@). Either set the ZFS dataset's aclmode to "restricted" or set a minimum of everyone@::fd:allow on the base directory, then recreate the project directory.
 

peter boos
Can you do a getfacl as well? I'm not getting your picture clear.
For the base there is no Windows domain admin or so; only root and wheel users can alter permissions.
 

anodos
Initial ACL:
Code:
root@homenas[/mnt/dozer/ISO]# getfacl ACLEXAMPLE     
# file: ACLEXAMPLE
# owner: root
# group: wheel
   group:SMBADMINS:rwxpDdaARWcCos:fd----I:allow
            owner@:rwxpDdaARWcCos:fd----I:allow
            group@:rwxpDdaARWcCos:fd----I:allow
         everyone@:--------------:fd----I:allow


Add a non-inheriting ACL entry granting my user permission to the ACLEXAMPLE directory:
Code:
root@homenas[/mnt/dozer/ISO]# setfacl -a 0 u:isouser:full_set::allow ACLEXAMPLE


Create a directory and verify that the ACL was inherited correctly. Note: no "isouser" entry.
Code:
root@homenas[/mnt/dozer/ISO]# mkdir ACLEXAMPLE/TESTDIR
root@homenas[/mnt/dozer/ISO]# getfacl ACLEXAMPLE/TESTDIR 
# file: ACLEXAMPLE/TESTDIR
# owner: root
# group: wheel
   group:SMBADMINS:rwxpDdaARWcCos:fd----I:allow
            owner@:rwxpDdaARWcCos:fd----I:allow
            group@:rwxpDdaARWcCos:fd----I:allow
         everyone@:--------------:fd----I:allow


Connect as isouser and check the contents of the directory. Note the subdirectory's absence.
Code:
root@homenas[/mnt/dozer/ISO]# smbclient //127.0.0.1/iso_share -U isouser
Enter WORKGROUP\isouser's password: 
Try "help" to get a list of possible commands.
smb: \> cd ACLEXAMPLE\
smb: \ACLEXAMPLE\> ls
  .                                   D        0  Thu Apr 22 05:01:07 2021
  ..                                  D        0  Thu Apr 22 05:00:11 2021

        4153462152 blocks of size 1024. 4135227470 blocks available
smb: \ACLEXAMPLE\> exit


Connect as admin user. File is visible.
Code:
root@homenas[/mnt/dozer/ISO]# smbclient //127.0.0.1/iso_share -U smbuser
Enter WORKGROUP\smbuser's password: 
Try "help" to get a list of possible commands.
smb: \> cd ACLEXAMPLE\
smb: \ACLEXAMPLE\> ls
  .                                   D        0  Thu Apr 22 05:01:07 2021
  ..                                  D        0  Thu Apr 22 05:00:11 2021
  TESTDIR                             D        0  Thu Apr 22 05:01:07 2021

        4153461752 blocks of size 1024. 4135227071 blocks available
 

anodos
> did you map to the folder and were unable to see it, because I still see it?
Yes. I used an SMB client to list directory contents. You may wish to run the command id <username> on TrueNAS to verify that your test user is in all the groups you expect and not in any you don't expect.
 

peter boos
I begin to wonder if there is some setting in the SMB service settings to disallow folder enumeration if one has no rights.
 

peter boos
@anodos, have you actually made a Windows drive mapping to the root folder?
We're using Windows 10 here, and it sees all subfolders; currently I have it so that their content is hidden (no access).
Though I'm looking for some solution to not even show the folder itself if one doesn't have rights on the folder.
 

anodos
> @anodos, have you actually made a Windows drive mapping to the root folder?
> We're using Windows 10 here, and it sees all subfolders; currently I have it so that their content is hidden (no access).
> Though I'm looking for some solution to not even show the folder itself if one doesn't have rights on the folder.
In Windows, you can map drives to arbitrary paths within an SMB share. Big picture, an SMB share is connected to over the network via a path of the format "\\<server>\<share>".

<server> - is your server's name (limited to 256 unicode characters) or IP address
<share> - is a unique name of not more than 80 characters that does not violate any of the rules in the document MS-FSCC section 2.6.

<share> is defined in your SMB share configuration by the parameter "name". In the smb4.conf file / "testparm -s" output, it is represented as a heading enclosed in square brackets "[ ]".

Your SMB share configuration has a "path" parameter. This is the local filesystem path that is exported as the SMB share <share>.

In my example, share [ISO_SHARE] is exporting the local path "/mnt/dozer/ISO" over the SMB protocol. My ACL example is a subdirectory within the ISO share "ACLEXAMPLE". The example output is for directory listing in /mnt/dozer/ISO.
 

peter boos
Did you use TrueNAS or FreeNAS?
We use FreeNAS-11.3-U1 (we will upgrade to Core later this year).
I think eventually it's the SMB service presenting it to the client, and it should check whether the remote user is in a group and is allowed to LIST the folder content based upon memberships, though our FreeNAS doesn't do it.

I have to set a minimal group read access (r-x- c), otherwise Windows won't see anything in the xx/xxx/root.
Subfolders, aka xx/xx/root/subfolder, do not mention the minimal read group, only their 2 specific groups:
they have permissions for the specific read-only group and full-control group (Samba AD).
Only Linux wheel and root can alter permissions on subfolders.
 

peter boos
SOLVED
Well, it's working. I had the permissions fine; something else had to be done.
In the web config of FreeNAS, in the advanced share settings for this share, under auxiliary parameters,
an extra parameter had to be added:
hide unreadable = yes
 
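To tie the ACL discussion and the "hide unreadable" fix together, here is an added Python example; it is not part of the thread and is not FreeNAS, TrueNAS or Samba code. It parses the getfacl output quoted above, applies the NFSv4 access check (entries are evaluated in order and the first one that mentions a permission bit decides it, so a leading everyone@ deny hits project members too, which is the point anodos made), and models "hide unreadable = yes" as "list a name only if the user holds the r (READ_DATA, i.e. list directory) bit on it". The user alice, her group memberships and the Project_Two ACL are constructed assumptions, and root's bypass of the ACL check is not modelled.

```python
"""Predict which sub folders an SMB user can list under an NFSv4-ACL tree."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Ace:
    tag: str               # owner@, group@, everyone@, user, group
    qualifier: str         # principal for user:/group: entries, "" for @ tags
    perms: FrozenSet[str]  # permission letters, e.g. {"r", "w", "x", "p"}
    flags: str             # inheritance flags as printed, e.g. "fd----I"
    kind: str              # "allow" or "deny"


@dataclass(frozen=True)
class Acl:
    owner: str
    group: str
    aces: Tuple[Ace, ...]


def parse_getfacl(text: str) -> Acl:
    """Parse FreeBSD getfacl (NFSv4) output in the format quoted in the thread."""
    owner = group = ""
    aces: List[Ace] = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif not line.startswith("#"):  # skip the "# file: ." header
            parts = line.split(":")  # 4 fields for @ tags, 5 for user:/group: entries
            if len(parts) == 4:
                parts.insert(1, "")
            if len(parts) != 5:
                raise ValueError(f"unrecognised ACL entry: {line!r}")
            tag, qualifier, perms, flags, kind = parts
            aces.append(Ace(tag, qualifier, frozenset(perms) - {"-"}, flags, kind))
    return Acl(owner, group, tuple(aces))


def ace_applies(ace: Ace, acl: Acl, user: str, groups: Iterable[str]) -> bool:
    """everyone@ matches everybody, owner and owning group included (not Unix 'other')."""
    groups = set(groups)
    return {
        "everyone@": True,
        "owner@": user == acl.owner,
        "group@": acl.group in groups,
        "user": ace.qualifier == user,
        "group": ace.qualifier in groups,
    }.get(ace.tag, False)


def access_allowed(acl: Acl, user: str, groups: Iterable[str], wanted: Iterable[str]) -> bool:
    """NFSv4 order-dependent check: the first matching ACE that names a bit decides it."""
    # Bits no ACE decides are denied. Root's bypass of the ACL check is not modelled.
    decided: Dict[str, bool] = {}
    for ace in acl.aces:
        if ace_applies(ace, acl, user, groups):
            for bit in ace.perms:
                decided.setdefault(bit, ace.kind == "allow")
    return all(decided.get(bit, False) for bit in wanted)


def visible_subdirs(subdirs, user, groups, hide_unreadable):
    """Names an SMB directory listing returns. 'r' (READ_DATA, i.e. list directory)
    is what Samba's 'hide unreadable = yes' tests; without it every name is listed."""
    return [name for name, acl in subdirs.items()
            if not hide_unreadable or access_allowed(acl, user, groups, {"r"})]


# Sample input: the base and Project_One ACLs are copied from the thread's getfacl
# output; Project_Two is constructed by giving Project_One's layout its own group.
BASE_ACL = parse_getfacl(r"""
# owner: root
# group: wheel
group:Domain\All_users:rwxpDdaARWcCos:-------:allow
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
""")
PROJECT_ONE_TEXT = r"""
# owner: root
# group: Domain\prj_fc_project_one
group:Domain\prj_fc_project_one:rwxpDdaARWcCos:fd-----:allow
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
"""
PROJECTS = {
    "Project_One": parse_getfacl(PROJECT_ONE_TEXT),
    "Project_Two": parse_getfacl(PROJECT_ONE_TEXT.replace("project_one", "project_two")),
}
ALICE_GROUPS = {r"Domain\All_users", r"Domain\prj_fc_project_one"}  # hypothetical user
# A leading everyone@ deny of the list bit: it matches alice as well as outsiders.
EVERYONE_DENY_LIST = Ace("everyone@", "", frozenset("r"), "-------", "deny")

if __name__ == "__main__":
    for hide in (False, True):
        print(f"hide unreadable = {hide}:", visible_subdirs(PROJECTS, "alice", ALICE_GROUPS, hide))
```

Running the module prints the listing alice would get with the option off (both project folders, the symptom reported in the thread) and on (only Project_One). EVERYONE_DENY_LIST is there to check the warning above: prepended to Project_One's ACL it removes alice's list right despite her group entry, while the same entry appended after the allow entries changes nothing, which is why denying everyone@ is the wrong tool and leaving the r bit out of everyone@ (as the thread's ACLs already do) is the right one.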