Restrict access to shared folders

Hi

I have a WD MyBook Live 2TB running iMac OS Lion, and Windows 7 desktops as well as Mac and Windows laptops connecting to the network.

I wanted others on the network to see/play files but not be able to delete or edit them, only me as an administrator, without having to set up a new share folder.

I followed Myron's instructions as per this topic:

http://community.wdc.com/t5/My-Book-Live/Restrict-access-to-shared-folders/td-p/279684

After making the changes and rebooting the WD drive I found that when logging on as a guest on the Windows 7 PC I was blocked from deleting/editing files, but if logged on as admin I was able to make changes to files, so everything seemed to be working fine.

But here is the PROBLEM: when I logged on as a guest on the iMac desktop and from the Mac laptop, I found that when connected to MB Live as guest I was still able to delete and add files to the Public share folders. :cry:

If anyone has any suggestions why this is not working on the Macs and what I could do, I would really appreciate it.

Really hope someone can help.

Stomped

Have no idea, have you asked Myron?

I’ve sent him a message, thanks for the idea.

There is something I didn't account for. That configured the Samba service, but the connection the Mac may be making is by NFS or WebDAV, so the Public folder will be read/write.

To make WebDAV treat the Public share as read only for the Public folder is a bit more complicated.

Going to have to think about this one. The puzzler is now to make configuration changes that will not break anything else within the MBL.

Hi Myron,
Thanks for your reply.
Interestingly, if I mount the Public folder by selecting Finder, Go, Connect to Server, it becomes read only.
But as soon as you go into 'Finder' and click on 'MB Live' under Shared it mounts as read and write, giving me two mounted Public folders.
I have to say I think it is a big oversight of WD to not allow the Public folder's settings to be adjusted. I like the ease of this drive but will seriously think about dumping it if I can't figure this out.

I've just been experimenting on my own MyBook Live. I've not fully tested the possible solution I've tried, so if you wish to try this then you accept the risks involved in tampering with the MyBook Live's configuration files.

I’ve tried to do this in the most minimal way that does not break anything else.

Log in by SSH/Telnet to the MyBook Live and edit the file /etc/trustees.conf.

Find the line that reads . . .

[/dev/sda4]/shares/Public:*:RWBEX:*:CU

 . . . change this to . . .

[/dev/sda4]/shares/Public:admin:RWBEX:*:CU

Sign on to the Web UI and create a user, and then once created delete that user you just created. This step just runs the script that reads /etc/trustees.conf and processes it. I've not tried it just yet but I think only the admin user and the root user will be allowed access to the "Public" folder. I think Twonky runs under "root" so it should work. With the trustees.conf file configured as above I have started Twonky and it started up fine.

With the trustees.conf file modified as shown above, the Public directory can't be accessed using the FTP service by any other user. It comes up with "Access denied", but the FTP admin login does have access to the Public folder with the FTP service. Interesting . . . :smiley:
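Added example (not from the thread or from WD): a small Python helper that applies the /etc/trustees.conf edit above programmatically, so it can be re-run safely and reverted from the backup it writes. Each line is split into device, path and (who, mask) pairs; only on the chosen share, and only for "everyone" (`*`) entries whose mask includes W (assumed here to mean write), is `*` re-targeted at admin, which leaves the trailing `*:CU` entry untouched exactly as in Myron's edit. The sample config is constructed.

```python
import re
import shutil

# Constructed sample: the Public line quoted in the thread plus an unrelated share.
SAMPLE_TRUSTEES_CONF = """\
[/dev/sda4]/shares/Public:*:RWBEX:*:CU
[/dev/sda4]/shares/Photos:bob:RWBEX:*:CU
"""

LINE_RE = re.compile(r"^\[(?P<dev>[^\]]+)\](?P<path>[^:]+):(?P<acl>.*)$")

def parse_line(line):
    """Split a trustees.conf line into (device, path, [(who, mask), ...]); None if not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("acl").split(":")
    if len(fields) % 2:
        raise ValueError(f"odd number of ACL fields: {line!r}")
    return m.group("dev"), m.group("path"), list(zip(fields[0::2], fields[1::2]))

def render_line(dev, path, pairs):
    return f"[{dev}]{path}:" + ":".join(f"{who}:{mask}" for who, mask in pairs)

def restrict_share(conf_text, share_path="/shares/Public", owner="admin"):
    """Return (new_text, number_of_lines_changed).
    Lines for other paths, comments and blank lines are passed through unchanged.
    Running it twice is a no-op, so it is safe to re-apply after the file is reset."""
    out, changed = [], 0
    for raw in conf_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None or parsed[1] != share_path:
            out.append(raw)
            continue
        dev, path, pairs = parsed
        # Only "everyone" entries that grant write (mask contains W, an assumption) move to owner.
        new_pairs = [(owner if who == "*" and "W" in mask else who, mask) for who, mask in pairs]
        changed += new_pairs != pairs
        out.append(render_line(dev, path, new_pairs))
    return "\n".join(out) + "\n", changed

def apply_to_file(path="/etc/trustees.conf"):
    """Back up the file to <path>.bak, then rewrite it; returns lines changed."""
    with open(path) as fh:
        original = fh.read()
    new_text, changed = restrict_share(original)
    if changed:
        shutil.copyfile(path, path + ".bak")   # reversible: cp path.bak path to undo
        with open(path, "w") as fh:
            fh.write(new_text)
    return changed
```

After editing, the thread's create-then-delete-a-user step in the Web UI is still needed to make the daemon re-read the file.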

Hi Myron:

Twonky does run as root

root 2348 4.2 5.3 33920 13504 ? SNl Apr12 76:26 /usr/local/twonkymedia-5/twonkymediaserver -D -appdata /CacheVolume/twonkymedia -logfile /CacheVolume/twonkymedia/twonkymedia-log.txt

I noticed that. Thanks. :smiley:

I think this trustees thing is an addition to Linux's own file and directory permissions facility. Not 100% sure how one interacts with the other, as the trustees facility works at the kernel level, and so far I've steered away from it until now.

I like that the simple change denies the FTP service access to the Public folder, so I guess it'll be the same for NFS and AppleTalk.

I suspect you are right. Based on looking over the way I created my shares using the Web UI and what is in the /etc/trustees.conf file, it appears to accurately follow the rules I set on the shares, therefore above and beyond standard *nix access settings.

I noticed this very early on but decided not to fiddle with it in case I ended up breaking anything. I prefer to try to find the simplest and least intrusive fixes and tweaks, and also to make sure all tweaks are easily reversible.

Myron,

This is an old post, but I just saw it and wanted to give it a try.

When I edit my /etc/samba/overall_shares file, my path is /DataVolume/shares/Public:

[Public]
path = /DataVolume/shares/Public
comment = Public Share
public = yes
browseable = yes
writable = yes
guest ok = yes
map read only = no

END

I copied the section for the public admin share you stated, to include the following:

[Public_admin]
  path = /shares/Public
  comment = Admin/owner RW access to Public share
  browseable = yes
  invalid users =
  valid users = admin
  read list =
  write list = admin
  map read only = no

The paths are different.

Simple question: do I still add the /DataVolume/ in the new path?

It does not matter. The object /shares is a symbolic link to /DataVolume/shares. My advice is not to change the value of the parameter **path =**; leave it exactly as you found it. So that it does not break anything else, I left my Public folder empty with its factory-default created sub-folders for music, video and photos, and allowed read-only access for everyone else.

## BEGIN ## sharename = Public #
[Public]
  path = /shares/Public
  comment = Public share
  public = yes
  browseable = yes
  writable = no
  guest ok = yes
  map read only = no
## END ##

That's how it exists on my MyBook Live. The comments surrounding that block are VERY important! If you change the comments in any way then I believe that the Web UI will break.
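Added example (not from the thread or from WD): a Python helper that flips a single parameter inside one share block of /etc/samba/overall_shares while treating the `## BEGIN ## sharename = ... #` / `## END ##` comment lines as untouchable, and refuses to produce output if the block or its terminator is missing. The sample file is constructed from the Public block quoted above plus a second share to show that only the targeted block changes.

```python
import re

# Constructed sample: the Public block as quoted in the thread plus one more share.
SAMPLE_OVERALL_SHARES = """\
## BEGIN ## sharename = Public #
[Public]
  path = /shares/Public
  comment = Public share
  public = yes
  browseable = yes
  writable = yes
  guest ok = yes
  map read only = no
## END ##
## BEGIN ## sharename = Media #
[Media]
  path = /shares/Media
  writable = yes
## END ##
"""

def set_share_param(text, share, key, value):
    """Rewrite 'key = value' inside the block for `share` only, keeping indentation.
    Marker comment lines are never modified; a missing block, a missing ## END ##
    or a missing key raises so that nothing partial is ever written back."""
    begin = f"## BEGIN ## sharename = {share} #"
    lines = text.splitlines()
    if begin not in lines:
        raise ValueError(f"no block for share {share!r}")
    start = lines.index(begin)
    try:
        end = lines.index("## END ##", start)
    except ValueError:
        raise ValueError(f"unterminated block for share {share!r}") from None
    pat = re.compile(rf"^(\s*){re.escape(key)}\s*=.*$")
    hit = False
    for i in range(start + 1, end):          # strictly between the two markers
        m = pat.match(lines[i])
        if m:
            lines[i] = f"{m.group(1)}{key} = {value}"
            hit = True
    if not hit:
        raise ValueError(f"{key!r} not found in block {share!r}")
    return "\n".join(lines) + "\n"

def markers_intact(before, after):
    """Sanity check before writing: every '## ' marker line must survive in order."""
    keep = lambda t: [l for l in t.splitlines() if l.startswith("## ")]
    return keep(before) == keep(after)
```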

Hi Myron, thanks for your help, and others. I haven't been able to try your suggestion yet, but as soon as I am able to I will give it a try and let you know how I get on…

Hi,
well, I've put Myron's suggestion into action and it seems to be working, in that on the Mac I can log in as admin under Shared, but guest is disallowed.
It would be nice though if there was a way that guests could log in under Mac Shared in Finder as read only.
At the moment the only way round it is to set the guest Public share to mount at login under System Preferences for other users, and have them access folders that way, which as I said in an earlier post does become read only.

On the Windows side there is no problem logging into the guest Public share.
Will let you know if I find there are any other hiccups with this.

Thanks a lot for all the help so far with this, it's really, really appreciated.

Beers on me

:smiley:

I think it is possible, but I've not really looked into it in detail. This "trustees" thing seems to be an addition to the standard Linux/Unix permissions model and is implemented at the kernel level, so it works with everything. The change is to apply full read/write rights to user admin and not to everyone. Once I figure out what the letters mean then I guess it is possible to add another entry to allow read-only access to everyone, while only admin has read/write access.

I also noticed today that /etc/trustees.conf gets rewritten and puts the entry for Public back to its default, so I'm going to hunt for the script that does this and make a minor tweak so it keeps my setting.

I think it got reset because I changed the media access options that Twonky uses, as long as I don't change the parameters of the Public share within the Web UI then my version of /etc/trustees.conf stays as is.