Be careful public folder & photos

Guys be very careful to save anything in public folder as everyone can see this on the net. 

I am saying this if you use WD Photos app on the iphone IT SAVES AUTOMATICALLY in the bloody public folder all your personal photos. WHATS A SMART IDEA!!!:angry:

Also the whole point of buying the personal cloud so its yours and no one else, and you CANNOT remove the stupid useless public folder they put in there. I would love to meet the guy that designed this. SO so silly. Need urgent firmware upgrade to get rid of this stupid folder.

No one on the net can access the public shares. It’s accessible only within your local network. Unless somehow you publicly open up the samba ports 139/445 on your router or your router is in DMZ mode. If that’s the case, you can choose to re-secure your router settings or if you’re comfortable with shell access, make changes to the [Public] section entries in /etc/samba/overall_share. ie. public = no, guest ok = no, valid users = @share.
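Added example (not part of the posts or of WD's firmware): a check for the share settings the reply above names, listing the sections of a Samba share file where `guest ok` or its synonym `public` is still enabled. The sample file and its `Scratch` share are constructed, and only per-share settings are examined.

```shell
#!/bin/sh
# Added example. SAMPLE is a constructed share file; on the NAS the post
# points at /etc/samba/overall_share.

# guest_shares: smb.conf-style text on stdin -> names of shares that admit
# unauthenticated (guest) connections.
guest_shares() {
    awk '
    function report() { if (sect != "" && guest) print sect }
    /^[ \t]*[;#]/ { next }                       # comment lines
    /^[ \t]*\[.*\]/ {                            # start of a [share] section
        report()
        sect = $0
        sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
        guest = 0
        next
    }
    index($0, "=") {
        eq  = index($0, "=")
        key = tolower(substr($0, 1, eq - 1))
        val = tolower(substr($0, eq + 1))
        gsub(/[ \t]/, "", key)       # names ignore case and inner whitespace
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        # "public" is a synonym of "guest ok"; the last setting wins
        if (key == "guestok" || key == "public")
            guest = (val ~ /^(yes|true|on|1)$/)
    }
    END { report() }'
}

SAMPLE='[Public]
  path = /shares/Public
  public = yes
  guest ok = yes

[Myron]
  path = /shares/Myron
  public = no
  guest ok = no
  valid users = @share

[Scratch]
  path = /shares/Scratch
  Guest OK = True'

printf '%s\n' "$SAMPLE" | guest_shares
```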

Zaydm,

The Public Share is only accessible within your personal local network, and access can be limited or prevented when using a router that features Guest connections.

I am working on how to secure the Public folder to just the Admin user and I think I’ve come up with a non UI tweak.

If you try and do the same then you do so on your own head and risk!

The first thing I did was create a Public folder outside of the share directory and copied the ACL of the real Public directory to the template Public directory. The Myron directory only allows read/write access to that directory so I copied the ACL from that directory over the ACL on Public. (I have a back-up of Public’s ACL so can always put it back.)

NAS-MC:/# mkdir /DataVolume/My_Settings
NAS-MC:/# mkdir '/DataVolume/My_Settings/Directory ACL template'
NAS-MC:/# cd '/DataVolume/My_Settings/Directory ACL template'
NAS-MC:/DataVolume/My_Settings/Directory ACL template# mkdir Public
NAS-MC:/DataVolume/My_Settings/Directory ACL template# mkdir Myron
NAS-MC:/DataVolume/My_Settings/Directory ACL template# getfacl Public
# file: Public
# owner: root
# group: root
user::rwx
group::rwx
other::rw-

NAS-MC:/DataVolume/My_Settings/Directory ACL template# getfacl Myron
# file: Myron
# owner: root
# group: root
user::rwx
group::rwx
other::rw-

NAS-MC:/DataVolume/My_Settings/Directory ACL template# getfacl /shares/Public/ | setfacl -R --set-file=- Public/
getfacl: Removing leading '/' from absolute path names
NAS-MC:/DataVolume/My_Settings/Directory ACL template# getfacl /shares/Myron/ | setfacl -R --set-file=- Myron/
getfacl: Removing leading '/' from absolute path names
NAS-MC:/DataVolume/My_Settings/Directory ACL template# getfacl Public
# file: Public
# owner: root
# group: root
user::rwx
user:www-data:rwx
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:user:www-data:rwx
default:group::rwx
default:mask::rwx
default:other::rwx

NAS-MC:/DataVolume/My_Settings/Directory ACL template# getfacl Myron
# file: Myron
# owner: root
# group: root
user::rwx
user:www-data:rwx
user:myron:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:www-data:rwx
default:user:myron:rwx
default:group::---
default:mask::rwx
default:other::---

NAS-MC:/DataVolume/My_Settings/Directory ACL template# ls -l
total 12
drwxrwx---+ 2 root root 4096 Jun 29 01:20 Myron
drwxrwxrwx+ 2 root root 4096 Jun 29 01:20 Public

Then once I did that, I changed the ACL of the actual Public directory to be the same as one set on the Myron directory.

getfacl /DataVolume/My_Settings/Directory\ ACL\ template/Myron/ | setfacl -R --set-file=- /shares/Public/

To restore the original ACL:

getfacl /DataVolume/My_Settings/Directory\ ACL\ template/Public/ | setfacl -R --set-file=- /shares/Public/

One more thing to do is to set the Linux ownership of files and directories under the Public directory. For me the command was:

chown -R myron:share /DataVolume/shares/Public/*

To revert:

chown -R root:root /DataVolume/shares/Public/*

I honestly do not understand WD’s fixation of forcing people to have a wide-open Public directory and share.

It would take much to have an option to do what I’ve done here.

I have not yet tested this. I’ve noticed that WD’s scripts do a bit more than just set these ACLs so it may not be this simple. If anyone who is more of a Linux guru than me wishes to wade in please do.

This does not take into account the fact that WD also sets extended attributes on directories.


Yes JStaff. In this case tell me how to do the following. Say I have a family. Two kids and me. Everyone uses the My Cloud NAS. Kids have their own area as I have. I do not want them to use the Public share/directory. This is all on the local network so the router can’t be used to control access to the NAS.

How do I stop them from having access to the Public directory/share?

JStaff wrote:

Zaydm,

 

The Public Share is only accessible within your personal local network, and access can be limited or prevented when using a router that features Guest connections.

Good question.  :wink:

I ain’t being hostile, Just presenting a possible scenario.

In favour of WD, I like that for FTP they have used VSFTP. A small FTP daemon, but it’s been written with security in mind from day zero. I’ve tested this and for over a year the FTP service being open to the Internet, no-one has managed to compromise it. With WD2GO I use the Relay Connection method so the NAS is not directly exposed to the Internet.

Also, when the Heartbleed bug appeared WD were very quick off the mark to release an update to the openssl library. Older NASs don’t need the update as older versions of openssl don’t have the Heartbleed bug.

The problem is market forces. I feel the development teams have stupid unrealistic deadlines thrust at them and they get the flack.

There is one thing that WD do which I think all the other NAS providers don’t do and that is to give direct access to the NAS’s back end and I love that feature. I get to put in the settings that I desire. One of which is to lock-down the Public share at the kernel level.


Well…  After the ACL tweak, created a new user. FTPed to the My Cloud and tried to cd to the Public folder and was denied access.  Result!  :stuck_out_tongue:

Hi Myron

See my post 

http://community.wd.com/t5/WD-My-Cloud/Controlling-access-to-public-folder/m-p/698142/highlight/true#M9784

for a quick workaround


Question to ask here is if it’ll cause complications for any future updates from WD.

I had this working before the last update and fully expected it to revert to normal behaviour but nothing changed.

anyway who knows what problems future updates may cause?

we will just have to wait and see lol

I think you’ve misunderstood the question. Allow me to simplify.

  1. In the house there are two adults.
  2. The adults and children have their own laptops.
  3. The father has an administrative user account.
  4. The mother and two children have user accounts that allow access to only their network shares.
  5. The father has access to all network shares.

Now, the problem is that on the LAN every one has access to the Public share.

So the request is:

“I want to prevent the children to have access to the Public share but allow the father and mother access to the Public share.”

Now, I know that a network share can be created that is either private or public, but there is no choice with the default Public share.  So the next request is:

“How can I make the Public share read/only for everyone and if I want a network share that everyone can access, I’ll create it myself.”

Hope that clarifies the requirement.

I’ve managed to do this, but I’ve had to get to the Linux operating system and specifically set the ACL on /DataVolume/shares/Public to read-only. It’s how can the non-technical individual do the same without having to touch Linux.

Zaydm’s query has nothing to do with external access to the MyCloud NAS from outside his local area network.

JStaff wrote:

Zaydm,

 

The Public Share is only accessible within your personal local network, and access can be limited or prevented when using a router that features Guest connections.

I did not realize this public folder was open to entire universe until some stupid guy started deleting my files and placed them in to recycle bin with a guest user.

Problem then raised with admin and official users above recycle bin is seen as empty but I do suspect a problem as despite my folders were gone system showed same amount of fullness of hard drive space.

Finally entering the system with a guest account I have found all my files hidden to recycle bin visible NOT to admin or users but guests only !!!

so problem is if a guest deletes your files from public folders and you do not realize and forget about them, these files can allocate space in your hard disk forever hidden to you but open to guests of universe.

very wise and meaningful technology that WD have invented, I must express my disappointment.

this PUBLIC folder is open to universe and I can not get rid of same. 

other owners have not mentioned but this device is dangerous at some points :

any guest account can upload any unwanted file to these public folders and they can use these devices as if their own personal cloud.

think that family of 4 , with two children , somebody from outside start uploading +18 files in your public folder ???

buying this device do I have to serve to the public as a cloud system ???

this device is not personal cloud but public cloud system. Think twice if you are willing to buy

personal opinion is don’t use the public share and I wish WD would allow removing it.

with that said the only people that have access to it is anyone that has access to your LAN, if you have open wifi change it. and anyone you set up remote access for. the general Internet community unless you take steps to allow this which I would not suggest

If this is the MyCloud single drive NAS then I’ve managed to do this. I wrote a note to myself, as I write terse notes as reminders . . .

How to copy permissions from an existing directory to another directory and its structure.
It would be a good idea to create a folder directory as a place holder for desired ACLs.

NAS-MC:/DataVolume/My_Settings# getfacl Public/
# file: Public/
# owner: root
# group: root
user::rwx
group::rwx
other::rw-

NAS-MC:/DataVolume/My_Settings# getfacl /DataVolume/shares/Public/ | setfacl -R --set-file=- /DataVolume/My_Settings/Public/
getfacl: Removing leading '/' from absolute path names
NAS-MC:/DataVolume/My_Settings# getfacl Public/
# file: Public/
# owner: root
# group: root
user::rwx
user:www-data:rwx
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:user:www-data:rwx
default:group::rwx
default:mask::rwx
default:other::rwx

I created an empty directory elsewhere on the drive and copied the ACL for the Public share to that. That empty folder is the template in case I have to reset the Public folder. I can then use one command to copy the ACL from the template (empty directory) to everything in public. ( /DataVolume/My_Settings/Public/ is my template.)

The actual ACL I have set on my Public directory is  . . . .

NAS-MC:/DataVolume/My_Settings# getfacl /DataVolume/shares/Public/
getfacl: Removing leading '/' from absolute path names
# file: DataVolume/shares/Public/
# owner: root
# group: share
user::rwx
user:www-data:r-x
user:myron:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:www-data:r-x
default:user:myron:rwx
default:group::---
default:mask::rwx
default:other::---

The Access Control List above makes the Public folder and everything under it read-only for everyone except my main account.

I know this should be possible through the UI, but it’s not. My solution seems to work and does not break the UI or anything else.

Hope that helps.
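Added example (not from the original posts): a way to read the two ACLs shown above, applying the mask and listing which entries keep effective write access. `STOCK` and `HARDENED` are the access entries copied from the `getfacl` output in the post; the function names are made up for this example.

```shell
#!/bin/sh
# Added example. STOCK and HARDENED are the access entries copied from the
# getfacl output in the post above; on the NAS, pipe `getfacl DIR` in instead.

# acl_effective: getfacl text on stdin -> "<entry> <perms>" per access entry,
# with the mask applied. "default:" entries are skipped: they only seed the
# ACL of children created later.
acl_effective() {
    awk -F: '
    /^#/ || /^default:/ || NF < 3 { next }
    {
        sub(/[ \t]*#.*$/, "", $3)            # drop "#effective:" annotations
        tag[++n] = $1; who[n] = $2; perm[n] = $3
        if ($1 == "mask") mask = $3
    }
    END {
        for (i = 1; i <= n; i++) {
            if (tag[i] == "mask") continue
            p = perm[i]
            # the mask caps named users, the owning group and named groups
            capped = (tag[i] == "group" || (tag[i] == "user" && who[i] != ""))
            if (capped && mask != "") {
                e = ""
                for (k = 1; k <= 3; k++)
                    e = e (substr(mask, k, 1) == "-" ? "-" : substr(p, k, 1))
                p = e
            }
            print tag[i] ":" who[i], p
        }
    }'
}

# acl_writers: entries that end up with effective write permission
acl_writers() { acl_effective | awk '$2 ~ /w/ { print $1 }'; }

STOCK='user::rwx
user:www-data:rwx
group::rwx
mask::rwx
other::rwx'

HARDENED='user::rwx
user:www-data:r-x
user:myron:rwx
group::---
mask::rwx
other::---'

echo "stock:";    printf '%s\n' "$STOCK"    | acl_writers
echo "hardened:"; printf '%s\n' "$HARDENED" | acl_writers
```

On the hardened ACL only the owner entry and `user:myron` keep write access, `www-data` is down to `r-x`, and the group and other entries have no access at all.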

So is there any way for the users to not see the public folder??

We are a family of 4 persons and I don’t like my children to have access to public folder!

Where is the problem with that? How difficult can it be to change user access on folder??

without non-supported changes in Linux which will be changed with any upgrade or restore you can’t block the public folder

My opinion is just don’t use it. create your own shares and users and set permission as needed

also remember if you are trying to restrict kids any media in a share that has media sharing enabled will be visible to any DLNA device on the LAN as DLNA does not support security

yes but when I’m uploading a photo on my user folder any other on the network (different user) can see my photos on public folder via his mobile app “wd cloud photos”

What can i do with that?

i don’t use the WD photos app to sync because of this

the wd mycloud app will let you backup photos and other things to a location you choose.

It would be nice if WD would allow control of the public folder and in this case even better if the photo app let you choose the destination