Users and Groups - How does the security work?

I have created several users and shares (public and private) and they all work fine.  I have also created groups. Let me give some examples.

Users: Rex, Bob, Gina, Todd.

Groups: Administrators, Programmers, Writers, Support, Staff.

Shares: General, Code, Documentation, HR.

In this scenario, I (Rex) am an Administrator and should have full access to every share. I set myself into the Administrators share and set Administrators to have full access to the HR share. If I (the user) am set to No Access, despite the fact that I am an Administrator with Full Access to HR, I am denied access.

In the same case, I set the Administrators group to have No Access to the HR share, but leave myself with Full Access. I am still able to read and write in that share.

To summarize, it seems that User rights trump Group rights. This seems wrong. Did I miss something?

Rex_Critchlow wrote:

To summarize, it seems that User rights trump Group rights. This seems wrong. Did I miss something?

Correct. User (specific) rights always supersede Group (general) rights.

I don’t mean to be obtuse here, but that doesn’t make sense. Here’s my argument:

The point of a group is to assign a specific set of rights to multiple persons. If the User rights trump Group rights, in order to grant group privileges to a single User, they would have to have individual rights assigned to each share they need to access.

Example: Bob is new to HR. As an employee he also gets read access to the News share. If, as it works, a new User defaults to no access to any share, but the user is added to the HR Group, his User access of None will trump the Groups Full Access. In order to get him access to HR and News, I would have to change his User rights to match the rights I wanted him to have in the group. That being the case, why did I make a group in the first place?

So you have to go to the share, find the user (in this case admin), go to the share folder tab, drill down to the users and change

[Screenshot 2015-02-28 07.46.31.png]

To this

[Screenshot 2015-02-28 07.46.50.png]

Yes, this seems weird; however, from a security standpoint it is not the worst default to have, though it needs to be spelled out.

NRJ

If you’ve assigned a user to an ADMIN GROUP and that group has WRITE access to a share, then that user should have write access to the share regardless of what the individual user settings are.

That’s the bad thing about the group management function of the NAS – the DISPLAYED permissions don’t really indicate the “effective” permissions and it can get confusing.

In other words, in actual samba configurations, it’s possible to allow WRITE access via a GROUP but DENY access via specific user permissions.   In this case, according to Samba’s documentation:

https://www.samba.org/samba/docs/using_samba/ch09.html

… the user would be DENIED access.

But in the UI, everything on a user’s permissions list may indicate “DENY” but still be allowed access because of the GROUP setting elsewhere.

Still having this issue.

I agree, Tony. That is how it should work, but my system seems to be ignoring all permissions granted through Groups in favor of rights assigned to Users.

I’ve read and re-read the manual and they don’t have any ‘rules’ on how groups work.

To respond to Altavoz, your suggestion is great if you are working with only a handful of users and shares. In a more complex environment, Groups are a huge benefit. Since Users and Shares are created with a default of No Access, a “Least Restrictive” approach would be appropriate. In other words, if a user has No Access rights but belongs to a group with Read Access, the user should have Read Access to the share. If the user has Read/Write access to a share and belongs to a group with only Read Access, the User should still have Read/Write access.

With regard to the complex nature of who has what rights on which Share, a summary screen would be very useful. Something like the following (but in a GUI setting and I’m sorry the tabs didn’t translate from Word, but you get the picture):

Share   User      Access       Source
HR      Bob       Read/Write   User
        Julie     Read         Group [HR]
        Valerie   Read         Group [HR]
News    Bob       Read         Group [Employee]
        Chad      Read         Group [Employee]
        Julie     Read         Group [Employee]
        Valerie   Read         User
DEV     Alice     Read/Write   User
        Chad      Read/Write   Group [Developers]

This summary screen would also provide evidence to the administrator that Group and User rights are working properly. It could also be used to determine if a User or Group has or doesn’t have access to a Share that they shouldn’t/should.

Can you log in via SSH and look at the actual samba configuration for a specific share?

It’ll explicitly define the permissions – I’m curious what it shows compared to what’s expected.

I’d love to if you can tell me how. :slight_smile:

Enable SSH in the UI.

Connect to it via PuTTY (or your choice of SSH clients).

You can copy the Samba text config to a share so it’s accessible from your PC.

For example:

login as: sshd
sshd@10.0.0.35's password:


BusyBox v1.20.2 (2014-11-10 10:40:57 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root@WDMyCloud root # cp /etc/samba/smb.conf /shares/Public/
root@WDMyCloud root # unix2dos /shares/Public/smb.conf
root@WDMyCloud root #

The file will be in your Public share, which you can access via your PC; open it via WordPad.

(unix2dos is a little program already installed that converts it from UNIX text formatting to Windows/DOS formatting)


To save space here, I have cut and pasted a single share “aFamily”. After running the command you posted, I changed some Group membership and rights and ran the command again. The results are as follows:

Before:

[aFamily]
comment = Family - Real & Perceived
path = /mnt/HD/HD_a2/aFamily
browseable = yes
public = no
oplocks = yes
map archive = no
read list =
write list = "admin","@Admins","rex"
invalid users = "nobody","dawn","family"
valid users = "admin","@Admins","rex"

After: added dan to @Family, and gave @Family read access to the aFamily share.
Note: Members of @Family are red, dan, dawn and family.

[aFamily]
comment = Family - Real & Perceived
path = /mnt/HD/HD_a2/aFamily
browseable = yes
public = no
oplocks = yes
map archive = no
read list = "@Family"
write list = "admin","@Admins","rex"
invalid users = "nobody","dawn","family"
valid users = "@Family","admin","@Admins","rex"

If the users dawn and family are in the @Family, why are they listed as invalid users?

I guess that means the WD configuration UI screws it up. As the samba docs explain, an “invalid user” is denied access to a share regardless of whether their group allows access.
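As an added illustration (not code from the thread, WD or Samba), the following evaluates the posted “after” [aFamily] stanza with the precedence Tony cites: invalid users denies first, valid users then gates entry, write list beats read list, and it reports the Source column from Rex's proposed summary screen. The group membership is a constructed assumption (dan, dawn and family in @Family; rex is not a member).

```python
# Constructed sample: the "after" [aFamily] stanza from the thread, with the
# forum's curly quotes replaced by plain ones (unrelated keys dropped).
SMB_CONF = """
[aFamily]
path = /mnt/HD/HD_a2/aFamily
public = no
read list = "@Family"
write list = "admin","@Admins","rex"
invalid users = "nobody","dawn","family"
valid users = "@Family","admin","@Admins","rex"
"""
# Assumed group membership (constructed; rex is deliberately not in Family here).
GROUPS = {"Family": {"dan", "dawn", "family"}, "Admins": {"admin"}}

def parse_share(text, share):
    """Return the key/value pairs of the [share] stanza of an smb.conf text."""
    conf, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1] == share
        elif inside and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def first_match(conf, key, user, groups):
    """First entry of the comma-separated list `key` naming user or one of its groups."""
    for entry in conf.get(key, "").split(","):
        entry = entry.strip().strip('"')
        if entry == user or (entry.startswith("@") and user in groups.get(entry[1:], ())):
            return entry
    return None

def effective_access(conf, user, groups):
    """(access, source) in Samba's order of precedence: invalid users denies first,
    valid users then gates entry, write list beats read list, and a share that
    matches neither falls back to its read only / writeable setting."""
    if first_match(conf, "invalid users", user, groups):
        return "None", "invalid users"
    if conf.get("valid users") and not first_match(conf, "valid users", user, groups):
        return "None", "not in valid users"
    for key, access in (("write list", "Read/Write"), ("read list", "Read")):
        hit = first_match(conf, key, user, groups)
        if hit:
            return access, f"Group [{hit[1:]}]" if hit.startswith("@") else "User"
    read_only = (conf.get("read only", "yes").lower() != "no"
                 and conf.get("writeable", "no").lower() != "yes")
    return ("Read" if read_only else "Read/Write"), "share default"
```

Running `effective_access(parse_share(SMB_CONF, "aFamily"), "dawn", GROUPS)` shows why dawn is locked out: the invalid users entry wins over her @Family membership.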


I’ll take that question to the WD support staff. You’ve been a big help Tony. Thank you.

Hi, is it possible to restrict a share link only for specific users? In other words, can I set WD to force a user to enter his credentials in order to see a folder or pictures?

When I set no access to a specific folder and then try to open that share link, I get this:

This XML file does not appear to have any style information associated with it. The document tree is shown below.

<dir_contents>
<error_code>401</error_code>
<http_status_code>401</http_status_code>
<error_id>46</error_id>
<error_message>Share is inaccessible</error_message>
</dir_contents>

I was hoping that WD will offer me a login window or something?

spektr wrote:

Hi, is it possible to restrict a share link only for specific users? In other words, can I set WD to force a user to enter his credentials in order to see a folder or pictures?

No… not in the way you’re describing…