File Permissions and ACL

Can we make the AFP/SMB/CIFS protocol file permission settings follow Access Control within the RockStor Web GUI?

For instance, a file copied (from my local hard drive) to a shared folder on RockStor will retain file permissions set by some rule (probably the protocol file permission settings for AFP or SMB). I think this may be a setting to be controlled by the server (RockStor), rather than on the clients (Mac or PC).

Then, when I once again set file permissions within Access Control in the RockStor Web GUI, the file permissions are "restored" to my Access Control settings for all files on the shared folder. So, I need to reset the ACL every time I copy files from another location to RockStor.

So, it would be quite nice to make the AFP/SMB/CIFS protocol file permission settings also follow changes to the Access Control settings. E.g., when I change the Access Control file permission settings from the RockStor Web GUI, then the AFP/SMB/CIFS file permission settings also change.

In a traditional NAS, the Access Control setting will often not restore file permissions, but this is very well done in RockStor. However, there are still a lot of problems with file permissions when moving and copying files from different locations to NAS shares. See this link for an example with Synology:

https://forum.synology.com/enu/viewtopic.php?t=61913

I guess, without having looked at the protocol settings yet, that the protocol file permission settings are controlled by RockStor and not by Rock-ons. Am I wrong?

You can use the following mount option:

noacl
Do not enable ACLs.

I think this will solve your problem, but I have never tried it.

Source:
https://btrfs.wiki.kernel.org/index.php/Mount_options

You don’t think the problem is with file sharing protocols rather than the mount?

Maybe it is a problem with the mount settings on the clients.

What exactly is your problem? The only file permissions that should be there are the ones from the source [not source FS].

Read the forum below; I am sure you can reproduce the same problem. The RockStor install also did not provide info regarding the security profile during installation (not really a problem here).

There are file sharing protocol settings on the server side and on the client side (especially with SMB/CIFS).

Once you move a file with, for instance, 711 permissions to the NAS storage, the file permissions are changed to 555 (or something else, try to check this yourself) - this could be either a server-side or client-side problem. As for Rock-ons, they seem to run under their own user, which is not the case with some brands of NAS (those apps that run under root normally will give all files 777 permissions, unless configured properly).

This is a funny and confusing issue:

I have a file owned by a user on my client (Mac/PC/Linux) with file permissions set to be accessible by none but the owner.

Once the user copies the file to the NAS Share, ownership is changed to the owner of the Share. Accordingly, this change often leads to 777 for files (or whatever settings are on the NAS). This is ok for me as long as the file stays on the NAS, but once the system is compromised, everyone can read or delete the file.

The problem seems to not end here. When you later mount the Share using AFP/CIFS/SMB, the file is mounted on your client computer, and I hope they are 755 and not 777; then one would argue whether executables are unable to run…

Then copy the file back from the NAS to your client computer: are the file permissions restored pristine???

Many home/SOHO NAS have been proven to be insecure, but mostly unrelated to this issue. Some of them even run all services under root, which gives a file residing on the NAS both 777 and root:root.

Lastly, Rock-ons run under a user name mapped to a Share. I use the same shares for AFP/SMB/CIFS with 755 permissions. I think I am safe here. But try to move files with different permissions back and forth, do you see changes?

What I guess is that the problem is with the protocol settings on server & client. However, there are occasions where files copied from a USB thumb drive to a computer also get file permissions which are not the default on the local computer (then I wonder what happened to the USB thumb drive or to my computer, a Mac in this case).

I just want to ask if this is indeed not a problem. But there are many questions unanswered. Can we not also make RockStor the most secure NAS?

Thanks for your tip. ACLs and different filesystems are more complicated.

If ACLs are unset in BTRFS, what happens with umask?

I’m not sure, but I think I may have finally figured out what you are asking. You want to preserve the file permissions and control, including ACL extended attributes, from PC (Windows/NTFS), Mac (HFS+) and Linux when transferring files to Rockstor?

You are going to have one hell of a time doing that. Windows is the only system that supports NTFS style ACL control. You would need a front end (basically turn rockstor into a SAN) Windows server in order to use Windows style ACLs for control. OSX uses the same POSIX and NFSv4 style permissions BTRFS (IIRC) uses, but I don’t believe they are 100% compatible.

If your only goal here is to allow certain people access to certain files, then multiple shares using SMB is your friend in mixed environments. You may also need to dive into the mess that is smb.conf and set things like "force user =" and "inherit acls", which does help to preserve Windows permissions right (though you still can’t use them to prevent access.)
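The two replies above (the umask question after the noacl suggestion, and the smb.conf knobs named here) come down to the same mechanism: the mode a client asks for is rewritten by a server-side mask before the file lands on the share. The script below is an added illustration, not code from this thread or from the Rockstor project. The Samba rule it encodes is the documented one from the smb.conf manual (new file mode = (requested mode AND "create mask") OR "force create mode", with defaults 0744 and 0000), and the POSIX rule is the ordinary umask one. The share stanza it prints is hypothetical: the path and user name are placeholders, and the mask values are chosen only to show the knobs side by side.

```shell
#!/bin/sh
# Added example (not from the thread): how a server-side mask rewrites the
# mode a client requests when creating a file.
#
#   Samba (documented rule):  new_mode = (requested & create_mask) | force_create_mode
#   Plain POSIX create:       new_mode = requested & ~umask
#
# Modes are given as octal shell integers (leading zero), e.g. 0711.

# Mode Samba stores for a file the client creates with mode $1,
# given "create mask" $2 and "force create mode" $3.
# The same arithmetic applies to directories with "directory mask"
# and "force directory mode".
samba_new_file_mode() {
    printf '%04o\n' $(( ($1 & $2) | $3 ))
}

# Mode a local or POSIX create (cp without -p, rsync without -p, NFS)
# produces for requested mode $1 under umask $2.
posix_new_file_mode() {
    printf '%04o\n' $(( $1 & ~$2 ))
}

# Hypothetical share stanza (placeholder path and user) showing the
# settings mentioned in the reply next to the masks computed above.
show_example_share() {
    cat <<'EOF'
[shared]
    path = /path/to/share            ; placeholder
    force user = shareowner          ; placeholder account owning new files
    inherit acls = yes               ; new files take the parent's ACL
    inherit permissions = yes        ; new files take the parent's mode bits
    create mask = 0750
    force create mode = 0000
    directory mask = 0750
    force directory mode = 0000
EOF
}

# Walk through the 711 case from the thread.
echo "711 file, Samba defaults (create mask 0744, force create mode 0000):"
samba_new_file_mode 0711 0744 0000       # prints 0700
echo "711 file, create mask 0755 and force create mode 0644:"
samba_new_file_mode 0711 0755 0644       # prints 0755
echo "711 file copied locally under umask 077:"
posix_new_file_mode 0711 0077            # prints 0700
echo
show_example_share
```

The point a practitioner should take from running this: a 711 file arriving through Samba with default settings is stored as 700 before any ACL or Access Control rule is consulted, and "force user" then replaces the owner as well; whichever side of the wire is being blamed, the masks on the server decide the stored mode, and the client's own umask only matters for the copy back.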

Thanks!

That was exactly what I was asking for - I really don’t like the inconsistency between “file sharing protocols” x “operating systems” ( x “file system” ). Why is there no consensus between the OS developers to make life easier?

Not yet ready to invest in SAN, maybe next year.

Not a problem, it just took me a minute to put together exactly what you were asking.

Ya, nobody wants to really work together. Mac and Linux are similar just because of their history, but they still have “applisms” that mean things aren’t 100%, and Windows developed from a totally different direction than either.

The easiest thing in a mixed environment is just to use Samba to control access and make sure the files for each user are separate.