Be careful public folder & photos

I am working on how to secure the Public folder to just the Admin user and I think I’ve come up with a non-UI tweak.

If you try and do the same then you do so on your own head and risk!

The first thing I did was create a Public folder outside of the share directory and copied the ACL of the real Public directory to the template Public directory. The Myron directory only allows read/write access to that directory so I copied the ACL from that directory over the ACL on Public. (I have a back-up of Public’s ACL so can always put it back.)

NAS-MC:/# mkdir /DataVolume/My_Settings
NAS-MC:/# mkdir '/DataVolume/My_Settings/Directory ACL template'
NAS-MC:/# cd '/DataVolume/My_Settings/Directory ACL template'
NAS-MC:/DataVolume/My_Settings/Directory ACL template# mkdir Public
NAS-MC:/DataVolume/My_Settings/Directory ACL template# mkdir Myron
NAS-MC:/DataVolume/My_Settings/Directory ACL template# getfacl Public
# file: Public
# owner: root
# group: root
user::rwx
group::rwx
other::rw-

NAS-MC:/DataVolume/My_Settings/Directory ACL template# getfacl Myron
# file: Myron
# owner: root
# group: root
user::rwx
group::rwx
other::rw-

NAS-MC:/DataVolume/My_Settings/Directory ACL template# getfacl /shares/Public/ | setfacl -R --set-file=- Public/
getfacl: Removing leading '/' from absolute path names
NAS-MC:/DataVolume/My_Settings/Directory ACL template# getfacl /shares/Myron/ | setfacl -R --set-file=- Myron/
getfacl: Removing leading '/' from absolute path names
NAS-MC:/DataVolume/My_Settings/Directory ACL template# getfacl Public
# file: Public
# owner: root
# group: root
user::rwx
user:www-data:rwx
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:user:www-data:rwx
default:group::rwx
default:mask::rwx
default:other::rwx

NAS-MC:/DataVolume/My_Settings/Directory ACL template# getfacl Myron
# file: Myron
# owner: root
# group: root
user::rwx
user:www-data:rwx
user:myron:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:www-data:rwx
default:user:myron:rwx
default:group::---
default:mask::rwx
default:other::---

NAS-MC:/DataVolume/My_Settings/Directory ACL template# ls -l
total 12
drwxrwx---+ 2 root root 4096 Jun 29 01:20 Myron
drwxrwxrwx+ 2 root root 4096 Jun 29 01:20 Public

Then once I did that, I changed the ACL of the actual Public directory to be the same as the one set on the Myron directory.

getfacl /DataVolume/My_Settings/Directory\ ACL\ template/Myron/ | setfacl -R --set-file=- /shares/Public/

To restore the original ACL:

getfacl /DataVolume/My_Settings/Directory\ ACL\ template/Public/ | setfacl -R --set-file=- /shares/Public/

One more thing to do is to set the Linux ownership of files and directories under the Public directory. For me the command was:

chown -R myron:share /DataVolume/shares/Public/*

To revert:

chown -R root:root /DataVolume/shares/Public/*

I honestly do not understand WD’s fixation of forcing people to have a wide-open Public directory and share.

It would take much to have an option to do what I’ve done here.

I have not yet tested this. I’ve noticed that WD’s scripts do a bit more than just set these ACLs so it may not be this simple. If anyone who is more of a Linux guru than me wishes to wade in, please do.

This does not take into account the fact that WD also sets extended attributes on directories.

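Added example, not part of the original post: a way to check the result of an ACL swap like the one above by listing every entry in `getfacl` output that still grants access to the owning group or to "other", with the mask applied to the group entry. The function name `acl_open_entries` is hypothetical; the sample listing is the post's own `getfacl` output for the template Public directory, with the owner and group header lines omitted.

```shell
# Added example: report ACL entries that leave a directory open to the
# owning group or to "other". Reads getfacl text on stdin.
# On the NAS this would be fed with: getfacl /shares/Public | acl_open_entries

acl_open_entries() {
    awk -F: '
    function masked(a, b,   k, out) {       # AND two rwx strings
        for (k = 1; k <= 3; k++)
            out = out ((substr(b, k, 1) == "-") ? "-" : substr(a, k, 1))
        return out
    }
    /^#/ || NF < 3 { next }                 # skip "# file:" headers, blanks
    {
        off = ($1 == "default") ? 1 : 0     # default: entries have one more field
        scope = off ? "default" : "access"
        tag = $(1 + off); who = $(2 + off); perm = substr($(3 + off), 1, 3)
        if (tag == "mask") mask[scope] = perm
        else if (tag == "other" || (tag == "group" && who == "")) {
            n++; s[n] = scope; t[n] = tag; p[n] = perm
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            eff = p[i]                      # mask limits group, never other
            if (t[i] == "group" && (s[i] in mask)) eff = masked(p[i], mask[s[i]])
            if (eff != "---") print s[i] ":" t[i] ":" eff
        }
    }'
}

# Listing from the post: the wide-open Public ACL.
PUBLIC_ACL='# file: Public
user::rwx
user:www-data:rwx
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:user:www-data:rwx
default:group::rwx
default:mask::rwx
default:other::rwx'

# Prints four findings: group and other, in both the access and default ACL.
printf '%s\n' "$PUBLIC_ACL" | acl_open_entries
```

Fed the Myron listing from the post, the function prints nothing, which is the state to expect from `/shares/Public` after the swap. The `default:` findings matter as much as the access ones, because they decide what newly created files and directories inherit.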