Wednesday, 1 September 2010

How to Setup ReadyNAS Permissions

There have been many questions on the ReadyNAS forum regarding how to set up file sharing permissions when running a NAS with User security mode.

Below is a short overview of the key share access and permissions settings available in Frontview when setting up a share, and what they do. Misunderstanding these settings is commonly the reason users have permission-related issues.

All of the examples posted relate to CIFS access, but the settings apply equally to AFP and FTP access.

This information was originally posted here in response to one of the many such queries on the ReadyNAS forum.


Share Access Restrictions:


The first options visible when configuring share settings are the "Share Access Restrictions" as shown here:



It is often overlooked, but as the dialog states this only controls whether a user or host can, or cannot, access the share. It does NOT control the permissions of any files or folders created within the share.

Using this dialog is the easiest way to grant or deny user access to a specific share. For example, a common technique is to set the share default access rights to Read-Only so that any user with an account on the NAS can read the data in the share, and then to add the names of individual users to the "Write-enabled users" section so that those specific users also have full read-write capability. Using this method does not require groups or other permissions to be specified.

Advanced Permissions


Once a user has been granted write access to a share as controlled by the above settings, by default the permissions of files and folders created by the user within the share are set to only be writable by the owner/creator, but readable by all users with access to the share. This can be changed via the settings that appear below "Share Access Restrictions" - for example:



Note that this is the section of the share setup that actually controls the permissions of files and folders created within the share. The Group referred to in "Group Rights" (above) is the primary group of the owner of the file, which is typically set when creating the user account:



The above information can be accessed, and the Primary Group set/changed, in Frontview » Security » User & Group Accounts

Fixing Permissions


Any changes made to the Advanced Permissions dialog will only affect files & folders created after the change has been made. This may mean that there is existing data in a share that has inappropriate permission settings. This can be rectified via the "Advanced Options" tab.

In the dialog box that appears when selecting that tab (see below), ensure the group and everyone rights are set to read/write and check the option "Set ownership and permission for existing files and folders...". Click apply and wait for the dialog to state all is fixed.


Notes:

  • Once fixed, the option "Set ownership and permission for existing files and folders..." will be unchecked - this is normal.

  • The folder owner and group settings shown are the defaults, but largely irrelevant if "everyone rights" are being set to Read/Write as shown in the example.

  • The folder group only specifies the primary group of the share, which can have implications for share access. It does not determine the group of the files and folders stored within the share unless the "Set ownership and permission for existing files and folders..." option is set and applied.
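To see which existing files and folders the fix would touch, the sketch below lists entries whose group or everyone read/write bits do not match the rights chosen for the share. It is an added example, not part of the original post or of Frontview. It assumes shell access to the NAS, that a share is an ordinary POSIX directory tree, and that "Group Rights" and "Everyone Rights" correspond to the group and other permission bits; the labels `rw`, `ro` and `none` and the share path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes shell access to the
# NAS and that a share is an ordinary POSIX directory tree.
# Usage: sh audit_share.sh /path/to/share GROUP_RIGHTS EVERYONE_RIGHTS
#        (placeholder path; rights are rw, ro or none)

# Map a rights label to the read/write bits of one octal permission digit.
rights_digit() {
    case "$1" in
        rw)   echo 6 ;;
        ro)   echo 4 ;;
        none) echo 0 ;;
        *)    echo "unknown rights: $1" >&2; return 1 ;;
    esac
}

# Print every file and folder under DIR whose group or everyone read/write
# bits differ from the requested rights, for example entries created before
# the share settings were changed. Execute/search bits are not examined.
audit_share() {
    dir=$1
    g=$(rights_digit "$2") || return 2
    o=$(rights_digit "$3") || return 2
    set --   # reuse the positional parameters to build the find expression
    for spec in "$((g & 4)):040" "$((g & 2)):020" \
                "$((o & 4)):004" "$((o & 2)):002"; do
        want=${spec%%:*}
        bit=${spec##*:}
        if [ "$#" -gt 0 ]; then set -- "$@" -o; fi
        if [ "$want" -ne 0 ]; then
            set -- "$@" ! -perm "-$bit"    # bit expected but missing
        else
            set -- "$@" -perm "-$bit"      # bit present but not expected
        fi
    done
    find "$dir" \( -type f -o -type d \) \( "$@" \) -print | sort
}

if [ "$#" -ge 3 ]; then
    audit_share "$@"
fi
```

An empty result means every entry already matches the requested rights. The same check with `rw ro` shows what is currently writable by everyone.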

More Comprehensive Guide


The above explanation provides a basic overview of how ReadyNAS access and permissions are controlled. For a more comprehensive explanation, forum contributor bert386 wrote a guide on this which is available here:


Some notes about the guide:
  • I emphasise that I did not write it, nor do I have access to the original editable document. Therefore I cannot correct any errors or inaccuracies in the guide which is hosted here purely as a convenience for the many users that have found it useful.

  • The guide refers to a "Share Security Mode" - this is only supported on earlier Sparc based ReadyNAS and so all x86 ReadyNAS users (eg Ultra, Pro, NVX users) can ignore these references as those NAS only support User security mode.

    • Pro models do support Active Directory Integration also, but that is a different topic entirely and beyond the scope of this post

  • To those Sparc-based ReadyNAS users who do switch from Share Security Mode to User Security Mode as recommended in the guide, a more convenient way to do this is described here

Even more details...


If you need to get into the real low-level nitty-gritty of how ReadyNAS access and permissions work, for a detailed overview of how permissions are implemented in ReadyNAS devices, see this post


23 comments:

  1. Thanks for the manual and I have a quick question.
    In Step 4, the screenshot for "abctrading" share has "accounts,sandm,users" in the Write-enabled groups.
    In the table at the end, it only lists "accounts,sandm" for the same share.
    I think the table is correct since all users will belong to the "users" group and it should not be included to correctly restrict access for this share.

  2. From my reading of the guide, I would agree - including "users" in the write-enabled groups would enable all users to access the share which is clearly not the intent of the example. So the table would appear to be correct

  3. You are both correct
    Apologies.... :(

  4. This is great stuff - something that Netgear should have included in their docs. I have one question. I want to set up my ReadyNAS for home with admin, users, guests, and streaming media to the PS3. Can you comment about the streaming media to the PS3? Can I get it in user mode? What kind of set up is needed? Or is streaming media only available in share mode? Thanks again.

  5. Streaming media directly from your NAS is a different topic entirely and usually enabled via a service running on your NAS (for example ReadyDLNA) which should mean that service has full access to your media.

    Permissions and access control is purely for when you are accessing your NAS via file sharing protocols such as CIFS, AFP or FTP, therefore Share vs User permissions mode is not relevant as that only determines the type of access/permissions controls available for file sharing access. Share mode is also only available on a very small number of older NAS models - all newer models (eg Ultra, Pro etc) only support the more capable User Mode

  6. Streaming media is a different topic, but the video clips on the ReadyNAS are just data. It is not clear how this data can or cannot be made available to the users. For example, I might set up a guest account for you to exchange (FTP) data, but I don't want you to look at my video clips. It seems to me that a streaming service should be just another user on the ReadyNAS that is granted read access to the media share. None of this is explained in the doc.

    I followed your steps but found out that share name must be different than user name. Based on response from Netgear support, I can set up user first and enable private home shares. It is not clear to me how that is different than what you have described. In UNIX, if I'm user1, then my home directory is /home/user1. Is this the concept of private home shares? Why didn't you use private home shares?

  7. You can access media in 2 ways: 1) by accessing via a standard protocol such as CIFS or AFP, in which case access is controlled just like any other data. Or 2) via a streaming service such as ReadyDLNA - however these services do not tend to offer access controls like CIFS or AFP and so covering this is not relevant to a discussion pertaining to permissions.

    Home shares are just like in Unix - each user has one which only they can access. This limited access restriction however means that there are no options that can be set pertaining to permissions and so again this is not a topic that is particularly relevant to a discussion of how to set up access rights & permissions for sharing data. I'm unsure what you are referring to by "Why didn’t you use private home shares?" as I haven't described my specific share setup anywhere on this site

  8. Thank you so much for this information. I have owned my ReadyNAS+ for 6 years. All these things are a mystery to me, and I've been so puzzled why I couldn't access the server from more than one computer since migrating to Win7. Why is the Forum so taken over by Geeks that can't help us poor network, server neophytes?

    The added problem I have is trying to back up my Ready NAS to attached USB drive. I've given up, and plug the back-up drive into my computer and then do a manual backup. Inconvenient, but it works, in case the NAS goes down. Any tips on that end?

    John

  9. Glad the info helped

    You would have to elaborate on your USB issue before I could even hazard a guess

  10. Just a word of thanks for your excellent guide for setting up permissions. I have been trying to set private users up for weeks and now, thanks to your guide, have been able to easily and quickly set up private users.

    Thanks again

    Keith B

  11. Hey. Is it not possible to access a specific folder on the NAS, without use of any user/password login?

  12. Grant guest access to the share and then you can access the share via CIFS and AFP without needing to enter login details. But it is not possible to just give such access to a specific folder within a share

  13. Sorry, I meant a Share..
    I tried that, in CIFS, with default access "read/write" and a check mark in "Allow guest access", and every time I started my computer, it needed the login info ..

  14. Just to access the NAS by LAN, then after a reboot/startup I need to type in a login

  15. sphardy, many thanks for your original "How to guide..". You have helped me sort my problem out after hours of frustration.

    Thank you.

    Regards

    Andy

  16. Hi

    I have a question.

    I have a folder called clients which is set up for guest access. Anybody within the network can map to it. Within this folder are several folders and files. The problem I face is I've got one user who can map and go into all the folders within the clients folder. But there are some folders where he cannot delete files or create folders. Why is that? What I have noticed is that if I copy the offending folders over to the desktop of the PC with the access problem and copy them back, the problem goes away. I hope there is enough information below to shed some light.

    Thanks

    Default access: Read/write
    Allow Guest Access: yes
    Automatically set permissions on new files and folders: Yes (checked)
    Do not allow ACL changes: no (unchecked)
    Group rights: Read/Write
    Everyone Rights: Read/Write

    Enable oplocks: Yes (checked)

    Advanced Options
    ---------------------
    Share folder name: clients
    Share folder group: nogroup

    Group rights: Read/Write
    Everyone Rights: Read/Write

    Set Ownership and Permission: NO (unchecked)
    Grant Rename and Delete: Yes (checked)

  17. Your settings appear to be appropriate. I can guess of only 2 things:
    1. The files/folder causing the issue were created *before* you applied the above settings and so the permission settings were not appropriate at the time and have not been corrected since. Fix this by following the instructions in the post under the section "Fixing Permissions"

    2. You don't state what NAS or Firmware you are using, but there appear to be reports of x86 NAS running the 4.2.19 firmware experiencing some form of permissions issues similar to what you describe (I don't remember exactly as I don't use CIFS and haven't paid so much attention to the ReadyNAS forum discussions) Have a search there and perhaps post your issue if the first suggestion does not fix the problem

  18. Sorry, missed that
    ReadyNAS Duo
    Firmware 4.1.6

    If I was to "Set ownership and permission for existing files and folders" on all folders or just the troublesome one, what's the worst that could happen? :)

    As regards your first point: the folder was accessed a week ago by them and files were added.

  19. Sorry - don't understand your response

  20. Hi sphardy

    I hope you still read the comments on your blog. :-)
    I just got a ReadyNAS Duo v1 with firmware 4.1.10 and I have been reading (and trying to understand) a lot about how to set up access for other users - others than myself as admin.
    I'm really confused now, so please forgive me my question. I used to have a Synology NAS and that was much easier to set up...I think!

    What I have:
    I've got 2 shares "backup" and "media".
    In "media" I have 3 folders "Music", "Pictures" and "Videos"
    In "Videos" I have 5 folders. To make it easier I just call them 1, 2, 3, 4 and 5.

    What I would like to have:
    I have family videos in folder 1 and I would like to give my in-laws (in Spain) access to only THAT folder with FTP

    I have set up a user called John (father in-law), but I can't for the world find out how to just give him access to folder 1 (media/Videos/1) without giving him access to all the other folders on the NAS.

    I would prefer to have user login and not guest login.

    Does it make any sense???
    And I apologize again for this noob question which has probably been answered many times. I might have read it, but never understood it.

    Best regards

    Martin :-)

  21. What you are attempting to do is not possible on ReadyNAS devices. Access can only be restricted at the share level rather than at the "folders-within-a-share" level. Read the above guides with that in mind and they may make more sense.

    ///sphardy

  22. "What you are attempting to do is not possible on ReadyNAS devices"
    Okay. Thanks for clarifying that.
    I should have found out about that before I bought the NAS. So what I CAN do (first) to make it easier (for me and my father in-law) is just to make a share folder with the videos and then give him his username and password.
    I have read some of your other guides/how-to's on the blog, and I think there's a lot I can use.
    Thank you for your big work.

    Martin :-)

  23. You can only restrict access to a share - not a folder. Therefore you must organise your data so that the data you plan to give your family access to is in a specific share. Data you do NOT want to give others access to needs to reside in a separate share (or shares)

    Then create a user account for each person and setup their access rights to each share using the "Share Access Restrictions" dialog as shown at the beginning of this post and described in the guide provided
