DSM-G600, DNS-3xx and NSA-220 Hack Forum

#1 2008-02-15 01:45:48

jayas
Member
Registered: 2008-01-24
Posts: 151

re: can users belong to multiple groups for mounting shares?

Hello,

I wanted access to shares on a group basis, with any user belonging to multiple groups.  The web interface does not allow this to be done easily.  Is this a limitation of the interface or the underlying system?

For example, samba configuration is based on a list of user names for each share.  However file and directory permissions are based on owner and group names.  Try the following through the web interface:

1/  Create a group and include in this group all the users you want to access a particular share.

2/  Create the share and select this group in the Network Access Settings page.

3/  Now change the membership of this group by adding or deleting users.

This results in a strange situation -- the original members of the group can access the share (before the group membership was changed), but the permission of the new files created has group permissions corresponding to current members of the group.

Are group permissions relevant for purposes of mounting shares, given that by default objects are created with full permissions for owner, group and others?

If group permissions are not relevant, then is this a workaround for the limitation on group membership?

Jaya

Last edited by jayas (2008-02-15 01:47:53)


H/W=B1 F/W=1.04; RAID1: SAMSUNG HD501LJ T166 (500GB, SATA 3.0Gb/s 16MB)


#2 2008-04-16 03:30:02

Holden
Member
Registered: 2008-04-16
Posts: 9

Re: re: can users belong to multiple groups for mounting shares?

Hi,

I encountered a similar dilemma. Not being familiar with Linux in general I struggled for a few days to figure out what was possible.

As far as I can tell, the web GUI is the limiting factor regarding sharing by groups. I have not yet looked at the scripts behind the web interface but suspect it only configures /etc/samba/smb.conf (the samba configuration file) by referencing only the /etc/passwd file (instead of also managing the file /etc/group). I found the underlying OS can support file and directory permissions by standard (user, group, other) permissions on the ext2 partition. The version of samba on the 1.04 firmware supports share permissions by groups discrete by read or write.

Configuring group level share permissions required manually editing smb.conf through a telnet console (set up automatically by the installation of funplug). File/directory permissions were set via chmod, chown. Users and groups were managed via addgroup, adduser, deluser, delgroup.

The relevant smb.conf settings were:

[global]
# the default D-Link setting is SHARE
security = USER

[sharename]
comment =
path = /mnt/HD_a2/publicshare
valid users = @sharegroup-RW, @sharegroup-RO
read list = @sharegroup-RO
write list = @sharegroup-RW
read only = no
guest ok = no
oplocks = no
map archive = no

Probably easiest to do share level permissioning rather than file level permissioning. i.e. set the group owner of all files and directories to root. The issue with this is that if you created shares nested within subfolders the subfolder share permissions should be set to line up with parent folder share permissions. Easily solved by flattening the folder hierarchy.

Note: the above manual configuration breaks the Network Access portion of the web interface (for managing shares) causing it to fail displaying properly.

Holden


#3 2008-04-16 09:46:02

mig
Member
From: Seattle, WA
Registered: 2006-12-21
Posts: 532

Re: re: can users belong to multiple groups for mounting shares?

Jayas, Holden, remember that any changes to smb.conf, passwd or groups will be overwritten
by the versions in the NVRAM on the next reboot.  So, you need to create fun_plug scripts that will
recreate your customizations (or just copy a saved custom file over the NVRAM ones) each
reboot.  And don't forget you need to restart the samba process so it will re-read the new config
file.


DNS-323 • 2x Seagate Barracuda ES 7200.10 ST3250620NS 250GB SATAII (3.0Gb/s) 7200RPM 16MB • RAID1 • FW1.03 • ext2 
Fonz's v0.3 fun_plug http://www.inreto.de/dns323/fun-plug


#4 2008-04-17 15:08:45

Holden
Member
Registered: 2008-04-16
Posts: 9

Re: re: can users belong to multiple groups for mounting shares?

Thanks. I forgot to mention I also use sambafix.sh posted elsewhere in these forums to modify a copy of smb.conf in /mnt/HD_a2/ffp/etc/samba, copy it over /etc/samba/smb.conf and run 'smb restart'.

I did, however, forget to also copy over passwd and group, which I will now correct. Thanks for the reminder. Does the OS load passwd and group upon boot or dynamically and repeatedly as it executes? The former means a reboot would also be necessary to force the load of the modified files.


#5 2008-04-17 18:06:23

mig
Member
From: Seattle, WA
Registered: 2006-12-21
Posts: 532

Re: re: can users belong to multiple groups for mounting shares?

/etc/passwd and /etc/group are not loaded at boot; they are referenced
as needed by any authentication processes.  So changes, such as adduser, 
will be effective immediately without needing a reboot.

Last edited by mig (2008-04-17 18:09:27)


DNS-323 • 2x Seagate Barracuda ES 7200.10 ST3250620NS 250GB SATAII (3.0Gb/s) 7200RPM 16MB • RAID1 • FW1.03 • ext2 
Fonz's v0.3 fun_plug http://www.inreto.de/dns323/fun-plug
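
The restore step discussed in posts #3 to #5, as an added example that is not part of any post and is not the sambafix.sh script mentioned above: it validates the saved passwd and group files before copying them over the NVRAM versions, so a malformed file or an extra UID 0 account never reaches /etc. The SRC layout, the function names and RESTART_CMD are assumptions; 'smb restart' is the command named in post #4.

```shell
#!/bin/sh
# Added example, not the forum's sambafix.sh. Assumes SRC mirrors /etc:
# SRC/passwd, SRC/group, SRC/samba/smb.conf (hypothetical layout).

# check_passwd FILE: every line has 7 fields, root is UID 0, nobody else is.
check_passwd() {
    awk -F: 'NF != 7 { bad = 1 }
             $3 ~ /^0+$/ { if ($1 == "root") root = 1; else bad = 1 }
             END { exit (bad || !root) }' "$1"
}

# check_group FILE: every line has 4 fields and a numeric GID.
check_group() {
    awk -F: 'NF != 4 || $3 !~ /^[0-9]+$/ { bad = 1 }
             END { exit (bad || NR == 0) }' "$1"
}

# restore_etc SRC DST: validate everything first, then replace the files in
# DST and restart Samba. Nothing is copied if any check fails.
restore_etc() {
    src=$1 dst=$2
    check_passwd "$src/passwd" || { echo "passwd rejected" >&2; return 1; }
    check_group "$src/group"   || { echo "group rejected" >&2; return 1; }
    [ -s "$src/samba/smb.conf" ] || { echo "smb.conf missing" >&2; return 1; }
    for f in passwd group samba/smb.conf; do
        cp "$src/$f" "$dst/$f.new" && mv "$dst/$f.new" "$dst/$f" || return 1
    done
    # 'smb restart' is the command named in the thread; override for testing.
    ${RESTART_CMD:-smb restart}
}

# Usage from a fun_plug script: sh restore.sh /mnt/HD_a2/ffp/etc /etc
if [ "$#" -eq 2 ]; then restore_etc "$1" "$2"; fi
```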


#6 2008-08-13 18:14:12

fsjmike
Member
Registered: 2008-08-08
Posts: 11

Re: re: can users belong to multiple groups for mounting shares?

OK, how do you edit the passwd file to specify what groups each user belongs to?  Or is there another way to do it?
Here's my passwd file:
root:x:0:0:Linux User,,,:/home/root:/ffp/bin/sh
admin:x:500:500:Linux User,,,:/home/admin:/ffp/bin/sh
nobody:x:501:501:Linux User,,,:/home/nobody:/ffp/bin/sh
Majid:x:502:702:QuickBooks:/home/ftp:/ffp/bin/sh
Gemma:x:503:702:QuickBooks:/home/ftp:/ffp/bin/sh
Kathy:x:505:702:QuickBooks:/home/ftp:/ffp/bin/sh
Shipping:x:506:704:Everyone:/home/ftp:/ffp/bin/sh
Lin:x:507:704:Everyone:/home/ftp:/ffp/bin/sh
Production:x:508:704:Everyone:/home/ftp:/ffp/bin/sh
Mike:x:509:704:Everyone:/usr/share/ftp_server:/bin/sh

Right now each user is only in 1 group.

Thanks!

Mike

Holden wrote:

The relevant smb.conf settings were:

[global]
# the default D-Link setting is SHARE
security = USER

[sharename]
comment =
path = /mnt/HD_a2/publicshare
valid users = @sharegroup-RW, @sharegroup-RO
read list = @sharegroup-RO
write list = @sharegroup-RW
read only = no
guest ok = no
oplocks = no
map archive = no



Holden


#7 2008-08-13 18:20:02

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1716
Website

Re: re: can users belong to multiple groups for mounting shares?

The passwd file only records the 'main' group. Additional group memberships are kept in /etc/group.

NAME
       group - user group file

DESCRIPTION
       /etc/group is an ASCII file which defines the groups to which users belong.  There is one entry per line, and each line has the format:

              group_name:passwd:GID:user_list

       The field descriptions are:

       group_name
              the name of the group.

       password
              the (encrypted) group password.  If this field is empty, no password is needed.

       GID    the numerical group ID.

       user_list
              all the group member's user names, separated by commas.
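
The two-file membership rule described in this post, as an added example that is not part of the thread: it resolves the effective members of a group by combining the primary GID from passwd with the user_list from group, which is what decides who an @group entry in smb.conf actually admits. The user names, GIDs and function names are constructed; the group names are borrowed from the smb.conf posted in #2.

```shell
#!/bin/sh
# Added example; the passwd/group contents below are constructed sample data.
make_sample() {                     # make_sample DIR
    cat > "$1/passwd" <<'EOF'
root:x:0:0:Linux User,,,:/home/root:/bin/sh
alice:x:502:702:,,,:/home/ftp:/bin/sh
bob:x:503:704:,,,:/home/ftp:/bin/sh
carol:x:504:704:,,,:/home/ftp:/bin/sh
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
sharegroup-RW:x:702:bob
sharegroup-RO:x:704:alice
EOF
}

# group_members PASSWD GROUP NAME: effective members of group NAME, i.e. the
# user_list in group plus every user whose primary GID (passwd field 4) matches.
group_members() {
    awk -F: -v want="$3" '
        FILENAME == ARGV[1] {                      # group file
            if ($1 == want) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }    # passwd file
        END { for (u in seen) print u }
    ' "$2" "$1" | sort
}

# user_groups PASSWD GROUP USER: every group USER belongs to, sorted by name.
user_groups() {
    awk -F: -v user="$3" '
        FILENAME == ARGV[1] { if ($1 == user) pgid = $4; next }   # passwd file
        {
            hit = (pgid != "" && $3 == pgid)
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == user) hit = 1
            if (hit) print $1
        }
    ' "$1" "$2" | sort
}
d=$(mktemp -d) && make_sample "$d"
for g in sharegroup-RW sharegroup-RO; do
    echo "$g:" $(group_members "$d/passwd" "$d/group" "$g")
done
rm -rf "$d"
```

In the sample, bob ends up in both groups; per smb.conf(5), a user who is in both the read list and the write list is given write access.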


#8 2008-09-12 05:13:29

leech1980
Member
Registered: 2008-09-12
Posts: 29

Re: re: can users belong to multiple groups for mounting shares?

I tried this with no success.  Do I have to reboot for changes to take effect?

fonz wrote:

The passwd file only records the 'main' group. Additional group memberships are kept in /etc/group.

NAME
       group - user group file

DESCRIPTION
       /etc/group is an ASCII file which defines the groups to which users belong.  There is one entry per line, and each line has the format:

              group_name:passwd:GID:user_list

       The field descriptions are:

       group_name
              the name of the group.

       password
              the (encrypted) group password.  If this field is empty, no password is needed.

       GID    the numerical group ID.

       user_list
              all the group member's user names, separated by commas.
