dConstructing

Giving a ReadyNAS NV+ share a default user group

The Situation

There’s a Netgear ReadyNAS NV+ unit in the office here running ReadyNAS Frontview 4.1.7 that houses files for multiple departments.

  • Account Dept Share
  • Sales Dept Share

The ReadyNAS NV+ has multiple groups established:

  • Accounting
  • Sales
  • Admin

Employees are put into one of these groups and the groups are given access to various shares (Admin has universal access):

  • Account Dept Share – Accounting
  • Sales Dept Share – Sales

The Problem

In time we started getting a lot of file access errors. There didn’t seem to be much rhyme or reason, but various users could or couldn’t read or write to various directories. By the time we got around to fixing the issue, accessibility was a mess.

Troubleshooting

First I checked the security settings in ReadyNAS Frontview. Each share was set something like this:

CIFS

  • Default Access: Disabled
  • Write-enabled groups: Accounting (or this share’s related group), Admin
  • Automatically set permissions on new files and folders: checked
    • Files:
    • Group right: Read/write
    • Everyone rights: Read-only
    • Folders:
    • Group right: Read/write
    • Everyone rights: Read-only

Advanced Options

  • Share folder owner: admin (the username of the NAS admin)
  • Share folder group: Accounting (or this share’s related group)
  • Share folder owner rights: Read/write
  • Share folder group rights: Read/write
  • Share folder everyone rights: Read-only
  • Grant rename and delete privileges to non-owner of files: checked

To the best of my knowledge, these settings were right.

Next I checked the permissions of the files on the NAS. I logged in via SSH as the root user and navigated through the shares to examine the permission settings. I also had a user beside me creating files and directories in the locations I was interested in so I could see how permissions were set when a file or directory was created or modified.

Deductions

Every file or directory being created belonged to the user and the user’s default group. If the user was in multiple groups (like the admin) there were problems:

  • admin defaults to the Admin group: admin’s files could not be accessed by anyone who was not also in the Admin group.
  • admin defaults to the Accounting group: admin’s files could be accessed fine by other people in the Accounting group, but not by anyone in the Sales group.
  • admin defaults to the Sales group: admin’s files could be accessed fine by other people in the Sales group, but not by anyone in the Accounting group.

What Could be Done?

1) One way to do this would be to set every user’s default group to the same group (say, “users”) and assign any other groups as secondary groups. Accountants would have Accounting as a secondary group, and would therefore have access to the Accounting Dept Share. Once inside the share, all files and directories would belong to that shared default group, so anyone with access to the share would have access to it all.

2) Another way to do this would be to set the Group ID bit (setgid) for the share directory. When the Group ID bit is set, all new files and directories created within it are assigned to the parent directory’s group. That way, it doesn’t matter what the admin’s default group is. If they create a file or directory in the Sales Dept Share it will belong to the Sales group. The downside to this setup is that it can easily be undone. If someone gets into ReadyNAS Frontview and saves the share settings with “Set ownership and permission for existing files and folders . . .” checked, the Group ID bit gets unset.

This is how you set the Group ID bit for a folder via the command line:

#> chmod g+s folder-name

3) One other method I heard of was to modify a config file to force a specific group on all new files and directories in a share. I never got a clear indication that it would work and I read that it was very easy to undo (even easier than method 2). Regardless, this is the file that would need to be changed on the ReadyNAS. You’ll have to log on to the NAS as root over SSH:

/etc/frontview/samba/Shares.conf

You would add this line to the end of the section that contains the configuration values for the share you’re wanting to modify:

force group = "@Accounting"

It would end up looking something like this:

[Accounting]
  path = /c/Accounting
  comment = "Accounting Files"
  force create mode = 0664
  create mask = 0664
  force directory mode = 0775
  directory mask = 0775
  admin users = "admin","Administrator"
  write list = "@Accounting","@Admin","admin","Administrator"
  valid users = "@Accounting","@admin","admin","Administrator","nobody"
  force group = "@Accounting"

Give it a shot. It shouldn’t hurt anything and should be easy to undo if it doesn’t work.

Conclusion

If I were setting this ReadyNAS up for the first time and had the foresight to anticipate this problem in the future, I’d probably use the first solution and set everyone to the “users” group by default. Because there was already so much directory infrastructure in place (and I’ve had complications editing file ownership directly via the command line), I opted to leave all that in place and use the second solution. It’s working well for the time being. If I have to go through and reconfigure the Group ID bit too often I just might end up converting to method 1.

Here’s the command I used to traverse a share directory recursively and set the Group ID bit:

#> find . -type d -exec chmod g+s {} \;

It finds all the directories below the current one and applies the chmod which adds the “s” to the group.

Here’s a before and after of the ls -l command via the command line:

drwxrwxr-x   10 admin    Accounti     4096 Jul 21 14:48 Payroll
drwxrwsr-x   10 admin    Accounti     4096 Jul 21 14:48 Payroll

Notice the execute permission on the group has been changed to an “s”. That means it’s set. You did it!
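Because method 2 is silently undone whenever Frontview rewrites ownership and permissions, it helps to check a share for directories that have lost the bit and re-apply it only where needed. The script below is an added example, not part of the original post; the function names and the temporary sample tree are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a share for Group ID (setgid) drift and repair it.
# Function names and the sample tree are hypothetical; counts assume no
# newlines in file names.

# Directories below $1 that are missing the setgid bit (mode 2000).
missing_setgid() {
    find "$1" -type d ! -perm -2000 -print
}

# Files and directories below $1 whose group is not $2.
wrong_group() {
    find "$1" ! -group "$2" -print
}

# Re-apply g+s only where it is missing; prints how many directories changed.
repair_setgid() {
    n=$(missing_setgid "$1" | wc -l)
    find "$1" -type d ! -perm -2000 -exec chmod g+s {} +
    echo $((n))
}

# Constructed sample tree standing in for a real share directory.
demo() {
    share=$(mktemp -d) || return 1
    grp=$(id -gn)
    mkdir -p "$share/Payroll/2009" "$share/Invoices"
    chmod g+s "$share" "$share/Payroll"      # only part of the tree is set
    echo "missing before: $(missing_setgid "$share" | wc -l)"
    echo "wrong group:    $(wrong_group "$share" "$grp" | wc -l)"
    echo "repaired:       $(repair_setgid "$share")"
    echo "missing after:  $(missing_setgid "$share" | wc -l)"
    rm -rf "$share"
}
demo
```

On the NAS itself, run as root over SSH, the equivalent check would be missing_setgid /c/Accounting, followed by wrong_group /c/Accounting Accounting to list anything still owned by another group.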

I hope this helps!