How do I stop OVM from giving RW rights to anyone on the LAN?
Posted by Niouke@reddit | linuxadmin | 16 comments
My context is a home filesharing server, and I would like to stop my family from deleting important stuff by error, and ideally to stop them from accessing some files.
My question is for both NFS and SMB access; my goal is to have a couple of login/pass combos with different RW rights for different shares. From my understanding a lot rides on UIDs, but it is a hassle to set up custom groups and users with weird IDs on the clients with no real security gains. Likewise, making an IP whitelist is simple but doesn't protect me from accidental deleting.
Is it possible to prompt the Windows/Linux clients with a login/pass request before accessing anything?
rb_vs@reddit
Suggesting LDAP or Kerberos for a home family share is massive overkill. You don't need a domain controller to stop accidental deletions.
The simplest way to handle this in OMV is to separate share permissions from filesystem permissions (ACLs).
1) SMB/NFS level: set the family share to read only for their specific user accounts. This forces a password prompt on Windows/Linux if they try to write/delete.
2) Filesystem level: use the sticky bit on your important folders. Just like the /tmp directory in Linux, the sticky bit allows users to write files but prevents them from deleting or renaming files they didn't create.
3) The recycle bin trick: in OMV’s SMB settings, enable the recycle bin for that share. If they do delete something by error, it isn't purged from the disk, it just moves to a hidden .recycle folder that only you have access to.
This solves your accidental deletion problem without you having to manage UIDs across every client or setting up an enterprise auth server.
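The three layers in this answer, written out as an added example that is not from the thread (the share name, path and user names are assumptions; OMV writes an equivalent stanza from its web UI, this is the raw Samba form):

```shell
#!/bin/sh
# Added example, not from the thread. Share name, path and users are assumed.
set -eu

# 1) + 3) Samba share: read-only for the family accounts, writable only for
# the admin account, with the vfs_recycle module so deletes land in a hidden
# .recycle tree (versioned, with the original path kept) instead of vanishing.
smb_share_stanza() {   # $1=share name  $2=path  $3=family users  $4=admin user
    cat <<EOF
[$1]
    path = $2
    valid users = $3 $4
    read only = yes
    write list = $4
    vfs objects = recycle
    recycle:repository = .recycle
    recycle:keeptree = yes
    recycle:versions = yes
EOF
}

# 2) Sticky bit on the share root (mode 1775 = rwxrwxr-x plus t): group
# members may create files, but only the owner (or root) may delete or rename
# a given file, exactly like /tmp.
protect_dir() {   # $1=directory
    chmod 1775 "$1"
    [ -k "$1" ]   # status 0 when the sticky bit is set
}

# Local demonstration on a temporary directory (assumed names).
demo() {
    smb_share_stanza family /srv/family "alice bob" admin
    d=$(mktemp -d)
    protect_dir "$d" && echo "sticky bit set on $d"
    rmdir "$d"
}
demo
```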
Fun-Currency-5711@reddit
Probably overkill, but wouldn't LDAP work?
altodor@reddit
I was actually going to suggest Kerberos. One of the auth methods NFS and SMB both share support for is Kerberos. If LDAP is overkill Kerberos is double extra overkill, but it sure is what solves the problem.
Niouke@reddit (OP)
Well, being a Windows admin by trade, that'd work for me. I guess I need to install an LDAP server on my OVM server and install a plugin?
zantehood@reddit
FreeIPA is awesome for this
gribbler@reddit
I like UCS better than FreeIPA
zantehood@reddit
Not familiar with that. But I generally fangirl at Red Hat things
gribbler@reddit
FreeIPA was overly complicated IMHO; I replaced it at the office with UCS after someone here mentioned UCS to me last year. Very happy with it.
zantehood@reddit
Never heard about UCS? Don't think FreeIPA was that hard
gribbler@reddit
I didn't say hard, just overly complex. I've been doing Unix professionally for 30 years and I hadn't heard of it.
https://www.univention.com/products/ucs/
zantehood@reddit
Looks cool! And yeah some aspects of fipa are a pita..
gribbler@reddit
Honestly, I kept saying: how have I never heard of this? Simple, clean interface. I guess because it came from the German educational industry it hasn't had a lot of exposure. I keep finding myself impressed after a year.
drunkenjunkconstruct@reddit
Pulled my hair out with this same thing; ended up yanking the "users" group from shared folder perms and setting explicit ACLs via setfacl
seiha011@reddit
Is that perhaps covered by this? https://wiki.omv-extras.org/doku.php?id=omv7:nas_permissions_omv7
Niouke@reddit (OP)
Thanks, it looks like it will do the trick, or at least I will learn something
seiha011@reddit
Have fun