permisions and users group

whistlepigger · 30. August 2013

I have 2 groups of users: admins and regular-users. I would like members of admins to be able to see the files of admins and regular-users, but members of regular-users must not be able to see files of admins.

The problem is that when I create any user, the user is always a member of the "users" group. Furthermore, when I create a share, I cannot change the group to which the share belongs - it is always "users". This makes it impossible to use simple Linux group permissions, since admins and regular-users are both always in the "users" group. If I edit the user and uncheck "users", my action is ignored. I could use ssh and chgrp , but this is contrary to what is suggested by the GUI.

I'm trying to avoid using ACLs, since they present problems with hidden files, dot files, and attributes... but I can't see any way to use simple Linux group permissions. Am I missing something?

davidh2k · 30. August 2013

Where is the problem that admins and users are in the same group? Simply add a new one for the admins and your situation should be solved.

Zitat

2 shares
users admins

2 groups
gusers gadmins

access
users: gadmins gusers
admins: gadmins

Alles anzeigen

Greetings
David

whistlepigger · 30. August 2013

Thanks for the quick reply, David.

How are you setting the access? Using ACLs? As I mentioned, I was trying to avoid the extended Linux ACL. AM I correct in assuming that OMV does not let you assign any group (as in chgrp) other than "users" via the GUI, unless you use ACLs?

davidh2k · 30. August 2013

Iam using just one user but i will check you setup.
Give me some time to test it, ah and yes, iam using ACLs wirh just one user.

Greetings
David

davidh2k · 30. August 2013

Well, I'm running into a little trouble myself right now.

Priviliges only seem to work for the first group, at least for the admin group, which cannot access the user folder... users can access users folder.

But when I try to do it with ACLs I get an error:

Code

Error #4000: exception 'OMVException' with message 'Failed to execute command 'export LANG=C; setfacl -m 'default:user:administrator:0,user:administrator:0,default:user:david:0,user:david:0,default:user:kevin:0,user:kevin:0,default:user:test:0,user:test:0,default:user:testadmin:0,user:testadmin:0,default:user:testuser:0,user:testuser:0,default:user:admin:0,user:admin:0,default:user:avahi:0,user:avahi:0,default:user:backup:0,user:backup:0,default:user:bin:0,user:bin:0,default:user:bind:0,user:bind:0,default:user:daemon:0,user:daemon:0,default:user:Debian-exim:0,user:Debian-exim:0,default:user:ftp:0,user:ftp:0,default:user:games:0,user:games:0,default:user:gnats:0,user:gnats:0,default:user:irc:0,user:irc:0,default:user:libuuid:0,user:libuuid:0,default:user:libvirt-qemu:0,user:libvirt-qemu:0,default:user:list:0,user:list:0,default:user:lp:0,user:lp:0,default:user:mail:0,user:mail:0,default:user:man:0,user:man:0,default:user:messagebus:0,user:messagebus:0,default:user:minidlna:0,user:minidlna:0,default:user:mysql:0,user:mysql:0,default:user:news:0,user:news:0,default:user:nobody:0,user:nobody:0,default:user:ntp:0,user:ntp:0,default:user:openmediavault:0,user:openmediavault:0,default:user:plex:0,user:plex:0,default:user:postfix:0,user:postfix:0,default:user:proftpd:0,user:proftpd:0,default:user:proxy:0,user:proxy:0,default:user:root:0,user:root:0,default:user:snmp:0,user:snmp:0,default:user:sshd:0,user:sshd:0,default:user:statd:0,user:statd:0,default:user:sync:0,user:sync:0,default:user:sys:0,user:sys:0,default:user:tftp:0,user:tftp:0,default:user:uucp:0,user:uucp:0,default:user:vde2-net:0,user:vde2-net:0,default:user:www-data:0,user:www-data:0,default:user:xrdp:0,user:xrdp:0,default:group:admins:7,group:admins:7,default:group:david:0,group:david:0,default:group:testusers:7,group:testusers:7,default:group:adm:0,group:adm:0,default:group:audio:0,group:audio:0,default:group:avahi:0,group:avahi:0,default:group:backup:0,group:backup:0,default:group:bin:0,group:bin:0,default:group:bind:0,group:bind:0,default:group:cdrom:0,group:cdrom:0,default:group:crontab:0,group:crontab:0,default:group:daemon:0,group:daemon:0,default:group:Debian-exim:0,group:Debian-exim:0,default:group:dialout:0,group:dialout:0,default:group:dip:0,group:dip:0,default:group:disk:0,group:disk:0,default:group:fax:0,group:fax:0,default:group:floppy:0,group:floppy:0,default:group:fuse:0,group:fuse:0,default:group:games:0,group:games:0,default:group:gnats:0,group:gnats:0,default:group:irc:0,group:irc:0,default:group:kmem:0,group:kmem:0,default:group:kvm:0,group:kvm:0,default:group:libuuid:0,group:libuuid:0,default:group:libvirt:0,group:libvirt:0,default:group:libvirt-qemu:0,group:libvirt-qemu:0,default:group:list:0,group:list:0,default:group:lp:0,group:lp:0,default:group:mail:0,group:mail:0,default:group:man:0,group:man:0,default:group:messagebus:0,group:messagebus:0,default:group:minidlna:0,group:minidlna:0,default:group:mlocate:0,group:mlocate:0,default:group:mysql:0,group:mysql:0,default:group:netdev:0,group:netdev:0,default:group:news:0,group:news:0,default:group:nogroup:0,group:nogroup:0,default:group:ntp:0,group:ntp:0,default:group:openmediavault:0,group:openmediavault:0,default:group:operator:0,group:operator:0,default:group:plugdev:0,group:plugdev:0,default:group:postdrop:0,group:postdrop:0,default:group:postfix:0,group:postfix:0,default:group:proxy:0,group:proxy:0,default:group:root:0,group:root:0,default:group:sambashare:0,group:sambashare:0,default:group:sasl:0,group:sasl:0,default:group:shadow:0,group:shadow:0,default:group:snmp:0,group:snmp:0,default:group:src:0,group:src:0,default:group:ssh:0,group:ssh:0,default:group:ssl-cert:0,group:ssl-cert:0,default:group:staff:0,group:staff:0,default:group:sudo:0,group:sudo:0,default:group:sys:0,group:sys:0,default:group:tape:0,group:tape:0,default:group:tftp:0,group:tftp:0,default:group:tty:0,group:tty:0,default:group:users:0,group:users:0,default:group:utempter:0,group:utempter:0,default:group:utmp:0,group:utmp:0,default:group:uucp:0,group:uucp:0,default:group:vde2-net:0,group:vde2-net:0,default:group:video:0,group:video:0,default:group:voice:0,group:voice:0,default:group:www-data:0,group:www-data:0,default:group:xrdp:0,group:xrdp:0,default:user::7,user::7,default:group::7,group::7,default:other::5,other::5' '/media/ca425484-1be3-47f1-b7bb-8f0785c9ea5b/users/' 2>&1': setfacl: /media/ca425484-1be3-47f1-b7bb-8f0785c9ea5b/users/: Invalid argument' in /usr/share/openmediavault/engined/rpc/sharemgmt.inc:1007 Stack trace: #0 [internal function]: OMVRpcServiceShareMgmt->setFileACL(Array, Array) #1 /usr/share/php/openmediavault/rpcservice.inc(125): call_user_func_array(Array, Array) #2 /usr/share/php/openmediavault/rpc.inc(62): OMVRpcServiceAbstract->callMethod('setFileACL', Array, Array) #3 /usr/sbin/omv-engined(495): OMVRpc::exec('ShareMgmt', 'setFileACL', Array, Array, 1) #4 {main}

Volker?

Edit: 0.5.6 update already applied.

Greetings
David

whistlepigger · 30. August 2013

Hi David,

I have upgraded to 0.5.6 as well. I am not seeing this error - but I do not have any services on other than SMB/CIFS and ssh. Now that 0.5.6 is explicitly marking unchecked permissions as "no access", there seems to be different behavior (see my post in Installation).

Brian

davidh2k · 30. August 2013

Which post?

Greetings
David

whistlepigger · 30. August 2013

Hi David

see: http://forums.openmediavault.org/viewtopic.php?f=16&t=2515

davidh2k · 30. August 2013

Well, then I guess we should wait for a reply from Volker or some of the other mods...

Greetings
David

whistlepigger · 1. September 2013

David,

While we wait for Volker...

If I create a Share in the OpenMediaVault GUI, and then examine the directory structure via ssh, I see that there are no extended permissions on the directory (no +). However, once I click on ACL, even if i leave everything unchanged, but still click on Apply, then the directory is given extended permissions. How can I remove these? Shouldn't we have a checkbox somewhere that says "Use ACL" ? Recall that my original issue here was how to setup permissions using groups, and whether to use ACL or not...

votdev · 2. September 2013

Zitat von "whistlepigger"

I have 2 groups of users: admins and regular-users. I would like members of admins to be able to see the files of admins and regular-users, but members of regular-users must not be able to see files of admins.

The problem is that when I create any user, the user is always a member of the "users" group. Furthermore, when I create a share, I cannot change the group to which the share belongs - it is always "users". This makes it impossible to use simple Linux group permissions, since admins and regular-users are both always in the "users" group. If I edit the user and uncheck "users", my action is ignored. I could use ssh and chgrp , but this is contrary to what is suggested by the GUI.

Users created via WebGUI are ALWAYS in the group 'users'. This is a wanted behaviour.

votdev · 2. September 2013

Zitat von "davidh2k"

Well, I'm running into a little trouble myself right now.

Priviliges only seem to work for the first group, at least for the admin group, which cannot access the user folder... users can access users folder.

But when I try to do it with ACLs I get an error:

Code

Error #4000: exception 'OMVException' with message 'Failed to execute command 'export LANG=C; setfacl -m 'default:user:administrator:0,user:administrator:0,default:user:david:0,user:david:0,default:user:kevin:0,user:kevin:0,default:user:test:0,user:test:0,default:user:testadmin:0,user:testadmin:0,default:user:testuser:0,user:testuser:0,default:user:admin:0,user:admin:0,default:user:avahi:0,user:avahi:0,default:user:backup:0,user:backup:0,default:user:bin:0,user:bin:0,default:user:bind:0,user:bind:0,default:user:daemon:0,user:daemon:0,default:user:Debian-exim:0,user:Debian-exim:0,default:user:ftp:0,user:ftp:0,default:user:games:0,user:games:0,default:user:gnats:0,user:gnats:0,default:user:irc:0,user:irc:0,default:user:libuuid:0,user:libuuid:0,default:user:libvirt-qemu:0,user:libvirt-qemu:0,default:user:list:0,user:list:0,default:user:lp:0,user:lp:0,default:user:mail:0,user:mail:0,default:user:man:0,user:man:0,default:user:messagebus:0,user:messagebus:0,default:user:minidlna:0,user:minidlna:0,default:user:mysql:0,user:mysql:0,default:user:news:0,user:news:0,default:user:nobody:0,user:nobody:0,default:user:ntp:0,user:ntp:0,default:user:openmediavault:0,user:openmediavault:0,default:user:plex:0,user:plex:0,default:user:postfix:0,user:postfix:0,default:user:proftpd:0,user:proftpd:0,default:user:proxy:0,user:proxy:0,default:user:root:0,user:root:0,default:user:snmp:0,user:snmp:0,default:user:sshd:0,user:sshd:0,default:user:statd:0,user:statd:0,default:user:sync:0,user:sync:0,default:user:sys:0,user:sys:0,default:user:tftp:0,user:tftp:0,default:user:uucp:0,user:uucp:0,default:user:vde2-net:0,user:vde2-net:0,default:user:www-data:0,user:www-data:0,default:user:xrdp:0,user:xrdp:0,default:group:admins:7,group:admins:7,default:group:david:0,group:david:0,default:group:testusers:7,group:testusers:7,default:group:adm:0,group:adm:0,default:group:audio:0,group:audio:0,default:group:avahi:0,group:avahi:0,default:group:backup:0,group:backup:0,default:group:bin:0,group:bin:0,default:group:bind:0,group:bind:0,default:group:cdrom:0,group:cdrom:0,default:group:crontab:0,group:crontab:0,default:group:daemon:0,group:daemon:0,default:group:Debian-exim:0,group:Debian-exim:0,default:group:dialout:0,group:dialout:0,default:group:dip:0,group:dip:0,default:group:disk:0,group:disk:0,default:group:fax:0,group:fax:0,default:group:floppy:0,group:floppy:0,default:group:fuse:0,group:fuse:0,default:group:games:0,group:games:0,default:group:gnats:0,group:gnats:0,default:group:irc:0,group:irc:0,default:group:kmem:0,group:kmem:0,default:group:kvm:0,group:kvm:0,default:group:libuuid:0,group:libuuid:0,default:group:libvirt:0,group:libvirt:0,default:group:libvirt-qemu:0,group:libvirt-qemu:0,default:group:list:0,group:list:0,default:group:lp:0,group:lp:0,default:group:mail:0,group:mail:0,default:group:man:0,group:man:0,default:group:messagebus:0,group:messagebus:0,default:group:minidlna:0,group:minidlna:0,default:group:mlocate:0,group:mlocate:0,default:group:mysql:0,group:mysql:0,default:group:netdev:0,group:netdev:0,default:group:news:0,group:news:0,default:group:nogroup:0,group:nogroup:0,default:group:ntp:0,group:ntp:0,default:group:openmediavault:0,group:openmediavault:0,default:group:operator:0,group:operator:0,default:group:plugdev:0,group:plugdev:0,default:group:postdrop:0,group:postdrop:0,default:group:postfix:0,group:postfix:0,default:group:proxy:0,group:proxy:0,default:group:root:0,group:root:0,default:group:sambashare:0,group:sambashare:0,default:group:sasl:0,group:sasl:0,default:group:shadow:0,group:shadow:0,default:group:snmp:0,group:snmp:0,default:group:src:0,group:src:0,default:group:ssh:0,group:ssh:0,default:group:ssl-cert:0,group:ssl-cert:0,default:group:staff:0,group:staff:0,default:group:sudo:0,group:sudo:0,default:group:sys:0,group:sys:0,default:group:tape:0,group:tape:0,default:group:tftp:0,group:tftp:0,default:group:tty:0,group:tty:0,default:group:users:0,group:users:0,default:group:utempter:0,group:utempter:0,default:group:utmp:0,group:utmp:0,default:group:uucp:0,group:uucp:0,default:group:vde2-net:0,group:vde2-net:0,default:group:video:0,group:video:0,default:group:voice:0,group:voice:0,default:group:www-data:0,group:www-data:0,default:group:xrdp:0,group:xrdp:0,default:user::7,user::7,default:group::7,group::7,default:other::5,other::5' '/media/ca425484-1be3-47f1-b7bb-8f0785c9ea5b/users/' 2>&1': setfacl: /media/ca425484-1be3-47f1-b7bb-8f0785c9ea5b/users/: Invalid argument' in /usr/share/openmediavault/engined/rpc/sharemgmt.inc:1007 Stack trace: #0 [internal function]: OMVRpcServiceShareMgmt->setFileACL(Array, Array) #1 /usr/share/php/openmediavault/rpcservice.inc(125): call_user_func_array(Array, Array) #2 /usr/share/php/openmediavault/rpc.inc(62): OMVRpcServiceAbstract->callMethod('setFileACL', Array, Array) #3 /usr/sbin/omv-engined(495): OMVRpc::exec('ShareMgmt', 'setFileACL', Array, Array, 1) #4 {main}

Volker?

Edit: 0.5.6 update already applied.

Greetings
David

Alles anzeigen

Please open a new bugreport and describe how to reproduce this error.

Jetzt mitmachen!