Issue: Somehow, at sometime, I messed up my directory permissions structure and currently everyone in the company has full access to all directories (including ones with sensitive information).
Our system is primarily a Samba Server. The original directory group and permission structure that I want to re-establish on the system is in the table below.
Directory / Subdirectory
Group
ArchivedProjects
allstaff
ArchivedToDVD
allstaff
CorporateAdmin
Subdirectories labeled separately as listed below.
\401k
401k
\Accounting
acct
\BOD-Shareholder
shares
\HumanRes
acct
\Insurance
acct
\Operations
shares
\YearEnd
shares
Marketing
allstaff
Projects
allstaff
Reference
allstaff
ScCS 2013
allstaff
StaffAdmin
allstaff
Goal: I would like to get the directory permission structure reset to my original setup without messing something else up, and am looking for some specific guidance to do that.
We have a small company and I am sure no one has noticed they may now have access to some of the sensitive files, but I am adding some new staff to the network and I want to make sure to fix this before they start working on the network.
When I look at the directory structure and permissions via WinSCP here are some examples of what the current system looks like.
The /Projects directory that should be accessible to all staff.
Given that it does mention “Inherit” i’m going to assume this is nfs4acl.
If you use nfsv4 type acl you typically want to administer via smb. But you do have “@group” rules which doesn’t place nicely with the windows ui. Maybe that is why you’re using winscp, to change group of folders?
I think you might want to delete the “everyone@” rule or set their “Permissions” to none. But I can’t know what exact permissions you need, only you know what users need access to what.
Poking around the TrueNAS GUI I don’t see anything that clearly identifies specific ACL types, so I don’t know if your assumption of nfs4acl is correct. If there is somewhere else I should be looking, please let me know.
I only presented the screen shots of WinSCP because I knew that to be something that could show the most information in one spot. I have used Linux systems in the past and could use the command line to “manage” the groups and permissions if that is most appropriate.
I presented a table in my initial posting that described exactly what the goal is that I am trying to achieve. The WinSCP screen shots represent the existing situation. What I am looking for is how to get from the existing situation to the goal, without messing something else up.
You should expect some breakage. Because you are going to to reduce people permissions you should expect breakage. Its always better to assume that you’re going to break things and take that into consideration when planning. This includes making the changes in a proper maintenance window when nobody is working, make some test users to test the permission, creating a snapshot before making any changes, etc.
Because you might be unfamiliar with how the permission system works and/or how it is configured I would suggest creating a test dataset as a playground. You can freely play around with permissions there without taking any risks.
If you want some suggestions on dataset permissions:
group: administrators, full control, inherit
group: allstaff, read-only, no inheritance
This is kind of configuration is useful if you don’t want users to create top-level folders. This also only gives “allstaff” permission to list the top-level folders, without giving them access to.
Then, for each top-level folder manage the permission using file explorer while being connected as a user in the “administrator” group. Setup ACL like follows:
group administrators: full control with inheritance
write access to the group that should have read/write access (with inheritance, or in windows parlance “applies to This folder, subfolders and files”)
Disclaimer: I take no responsibility for any damages that might occur
