AFP, Permissions and User Home Folder

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
Post Reply
Tazintosh
Starting out
Posts: 28
Joined: Mon Feb 02, 2015 8:53 pm

AFP, Permissions and User Home Folder

Post by Tazintosh » Mon Jun 20, 2016 6:12 am

Hello guys,

I would love (really, this would be much appreciated) to get a clear explanation from you about what's going on here:

I've a Mac mini running a LDAP Server and my QNAP TS-651 is linked to this LDAP. All my users are created on the Mac mini, there is only one physical user on the NAS which is the default "admin".
I've set all my user home folder permissions on the NAS to 711.
When a user log-in using AFP to the NAS, I've noticed that it's home folder (stored on the NAS) gets it's permissions set to 777 which to me sounds critical.

When I log-in from my Mac to another Mac using AFP, the user home folder obviously never had it's permissions changed.

Do you know what's happening, why, and how to fix it?

For now, this is what I tried:

• By default, I had only set my permissions to the basic unix way 711, no ACLs. It was like this:

Code: Select all

[/share/homes] # getfacl myUser    
# file: myUser
# owner: myUser
# group: staff
user::rwx
group::--x
other::--x


• After login in AFP, this is how permissions have been changed:

Code: Select all

[/share/homes] # getfacl myUser
# file: myUser
# owner: myUser
# group: staff
user::rwx
group::rwx
other::rwx
default:user::rwx
default:user:myUser:rwx
default:group::rwx
default:mask::rwx
default:other::rwx


• So I've decided to set ACLs to myUser like so (using setfacl -m command):

Code: Select all

[/share/homes] # getfacl myUser              
# file: myUser
# owner: myUser
# group: staff
user::rwx
group::--x
other::--x
default:user::rwx
default:user:myUser:rwx
default:group::--x
default:mask::rwx
default:other::--x


• But when I login back, the permissions are changed to:

Code: Select all

[/share/homes] # getfacl myUser
# file: myUser
# owner: myUser
# group: staff
user::rwx
group::rwx
other::rwx
default:user::rwx
default:user:myUser:rwx
default:group::--x
default:mask::rwx
default:other::--x


Thanks in advance for your help and support.

User avatar
schumaku
Guru
Posts: 43673
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: AFP, Permissions and User Home Folder

Post by schumaku » Mon Jun 20, 2016 5:32 pm

What's the point? No other user but admin will gain access to the /share/homes/DOMAIN=WHATEVER/ path - as it's not local to any Mac, and supposedly not NFS exported.

Tazintosh
Starting out
Posts: 28
Joined: Mon Feb 02, 2015 8:53 pm

Re: AFP, Permissions and User Home Folder

Post by Tazintosh » Mon Jun 20, 2016 5:52 pm

Hello schumaku and thanks for your answer.
I'm surprised…
These home user folders are indeed also auto mounted as NFS too… So the point is real and serious. Honestly, I don't see why I should not be "supposed to" provide sftp service to my user or whatsoever. They are using the same home directory (stored on the NAS) even if logged-in directly on the Mac or the NAS.
If I'm logging to my Mac mini with my user in sftp for instance, it's home folder is auto mounted from the NAS in NFS.
No permissions issue using this method. None of the permissions of the home directory are changed doing so. This is working perfectly.
But if I go up one level, I'll be able to list other user home folders. If anyone of them did previously logged using AFP, I'll be able to delete their home folder. This is quite a serious issue to me. No?

User avatar
schumaku
Guru
Posts: 43673
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: AFP, Permissions and User Home Folder

Post by schumaku » Mon Jun 20, 2016 11:20 pm

The complete home folder feature is not available to NFS - because of the path is dynamic based on the authenticated user ... and there is no such thing when using NFS.

Tazintosh wrote:But if I go up one level, I'll be able to list other user home folders. If anyone of them did previously logged using AFP, I'll be able to delete their home folder. This is quite a serious issue to me. No?
There is no one up when accessing the /home on the nas as a myUser, myUser1, myUser2, myUser3 - the /home is automatically mapped to /share/homes/myUser[|1|2|3] /homes is never in the play, except probably for high level administrators.

Tazintosh wrote:If I'm logging to my Mac mini with my user in sftp for instance, it's home folder is auto mounted from the NAS in NFS.
Because of the home folder feature is implemented differently there. The QNAP NAS home folder is automatically made available to ftp, smb, afp, FIle Station only.

Tazintosh
Starting out
Posts: 28
Joined: Mon Feb 02, 2015 8:53 pm

Re: AFP, Permissions and User Home Folder

Post by Tazintosh » Mon Jun 20, 2016 11:57 pm

Ok, I've probably completely miss expressed myself here, because your answer have no relation to what I'm trying to explain.
I'll try to explain it another way…

• I've a Mac mini running a LDAP Server and my QNAP TS-651
• The Mac is handling all users and is also running a LDAP
• The NAS has only on local user "admin". All other users gets identified through LDAP
• All homes directories of my users are physically stored on the NAS (it's not default behavior obviously, I did set it this way). This means that when a user log-in using SFTP to the Mac, it's home folder is automatically made available through NFS, from the NAS. This is working perfectly without issues, neither permissions changes of the user home folder.
• If a user decide to log-in on the NAS (which is not the Mac) using AFP, the NAS will automatically map to the right user folder (as you said). BUT, it will modify it's permissions to 777 while I set them to 711.
Now and only now, if a user log-in using SFTP to the Mac, it could decide to go on level up (sorry but yes, level up is possible by default in SFTP). If doing so, he will land up on the list of other user homes that could have been previously auto mounted by the system. It's right in front of my eyes here, so it's definitely possible. With 777 permissions given on home folder of users that were previously logged using AFP, a user home directory could be instantly deleted. And I did deleted one test user, so yes, it's critical.

I hope I made the situation more clear. :? :geek:
Anyway, we are debating of something I never asked for, at first.
My question was basically the following: "people login in AFP to the NAS gets their home folder permissions changed from 711 to 777, how to prevent that from happening?".
I've never asked for an opinion, I asked for an help on the solution or an explanation, because to me, changing home user permission is definitely not a behavior I would normally expect.

User avatar
schumaku
Guru
Posts: 43673
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: AFP, Permissions and User Home Folder

Post by schumaku » Tue Jun 21, 2016 3:48 pm

The QNAP-forced setting of the shared folder U*x permission was disputed several times. There are several reasons - mainly to achieve the universal sharing ability. One point where this does become an issue is when using SSH keys stored in the home folder - the SSH maintainers are still stuck in pure U**x permissions only, requiring a certain mask, too - Unix from 1970.

If the Mac would mount NFS with ACL support (what should be default in the year 2016) ... the issue would (in my opinion) not exist at all, because of the ACLs would limit the access.

Tazintosh
Starting out
Posts: 28
Joined: Mon Feb 02, 2015 8:53 pm

Re: AFP, Permissions and User Home Folder

Post by Tazintosh » Tue Jun 21, 2016 4:56 pm

Thanks schumaku

Tazintosh
Starting out
Posts: 28
Joined: Mon Feb 02, 2015 8:53 pm

Re: AFP, Permissions and User Home Folder

Post by Tazintosh » Wed Jul 06, 2016 2:27 pm

Ok, to kick the ** out of this, I've "chrooted" my users when they connect to the Mac mini.
That way, they cannot "leave" (go up on the hierarchy) their home folder. So even if the home folder have been set to 777 by the NAS on a previous AFP connection, all should be fine.

User avatar
schumaku
Guru
Posts: 43673
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: AFP, Permissions and User Home Folder

Post by schumaku » Wed Jul 06, 2016 3:59 pm

Tazintosh wrote:Ok, to kick the ** out of this, I've "chrooted" my users when they connect to the Mac mini.
Yes - one of the enhancement features we've requested from QNAP a long time ago, too.

Post Reply

Return to “Users' Corner”