
October 3rd, 2014 12:00

Access Based Enumeration on Isilon SMB Shares

Hello all, I'm hoping someone can assist me with this...


I'm installing an Isilon Cluster for a client:

  1. They're not using AD or a File Provider, or anything like that.
  2. I've created Users in OneFS and placed them in Groups and allowed all groups full access to a specific share.


I'm seeing 3 separate commands to enable Access Based Enumeration in the Command Reference Guide:

  1. isi smb settings global modify --access-based-share-enum
  2. isi smb settings shares modify --access-based-enumeration
  3. isi smb shares modify --access-based-enumeration


It's quite confusing so I just enabled all three in the order above. I'm not sure where to go from here - I've tried using chmod on a group to give access to specific folders within the share but the users in the group are still able to see, read and write to all of the folders. What I want is for someone to be able to mount the share in Windows, but just see and access folders I've specified.


Would really appreciate some help with this, please and thanks!


- Cyrus


October 6th, 2014 10:00

I've attempted to replicate your scenario on OneFS 7.1.0.

cluster-1# isi auth groups create abe_group

cluster-1# isi auth users create user1 --primary-group abe_group --password pass --enabled yes

cluster-1# isi auth users create user2 --primary-group abe_group --password pass --enabled yes

cluster-1# isi smb shares create abe /ifs/abe1 --create-path --access-based-enumeration yes

cluster-1# isi smb shares permission create abe --group abe_group --permission-type allow --permission full

cluster-1# mkdir /ifs/abe1/dir1

cluster-1# mkdir /ifs/abe1/dir2

cluster-1# mkdir /ifs/abe1/dir3

cluster-1# mkdir /ifs/abe1/root_dir

cluster-1# ls -lah /ifs/abe1

total 21

drwxr-xr-x    5 root  wheel    70B Oct  6 09:35 .

drwxrwxrwx    7 root  wheel  228B Oct  6 09:33 ..

drwxr-xr-x    2 root  wheel    0B Oct  6 09:35 dir1

drwxr-xr-x    2 root  wheel    0B Oct  6 09:35 dir2

drwxr-xr-x    2 root  wheel    0B Oct  6 09:35 dir3

drwxr-xr-x    2 root  wheel    0B Oct  6 09:35 root_dir

By default all of these directories are world readable, so at this point, if either user1 or user2 mounts the abe share, they will see all directories.

I have abe mounted as Z: (with user1) on my windows client.

C:\Documents and Settings\Administrator>dir Z:\
 Volume in drive Z is abe
 Volume Serial Number is 009A-9A03

 Directory of Z:\

10/06/2014  09:35 AM    <DIR>          .
10/06/2014  09:33 AM    <DIR>          ..
10/06/2014  09:35 AM    <DIR>          dir3
10/06/2014  09:35 AM    <DIR>          dir2
10/06/2014  09:35 AM    <DIR>          dir1
10/06/2014  09:35 AM    <DIR>          root_dir
               0 File(s)              0 bytes
               5 Dir(s)  5,928,591,360 bytes free

Now I will set the permissions from the isilon cluster command line so that dir1 will be visible to user1, dir2 will be visible to user2, dir3 will be visible to any member of abe_group, and root_dir will be visible only to root.

cluster-1# chmod 750 /ifs/abe1/*

cluster-1# chown user1 /ifs/abe1/dir1

cluster-1# chown user2 /ifs/abe1/dir2

cluster-1# chgrp abe_group /ifs/abe1/dir3

cluster-1# ls -lah /ifs/abe1

total 22

drwxr-xr-x    6 root  wheel        92B Oct  6 09:41 .

drwxrwxrwx    7 root  wheel      228B Oct  6 09:33 ..

drwxr-x---    2 user1  wheel        0B Oct  6 09:35 dir1

drwxr-x---    2 user2  wheel        0B Oct  6 09:35 dir2

drwxr-x---    2 root  abe_group    0B Oct  6 09:35 dir3

drwxr-x---    2 root  wheel        0B Oct  6 09:35 root_dir

Now from windows:

Mounted with user1:

C:\Documents and Settings\Administrator>dir Z:\
 Volume in drive Z is abe
 Volume Serial Number is 009A-9A03

 Directory of Z:\

10/06/2014  09:41 AM    <DIR>          .
10/06/2014  09:33 AM    <DIR>          ..
10/06/2014  09:35 AM    <DIR>          dir3
10/06/2014  09:35 AM    <DIR>          dir1
               0 File(s)              0 bytes
               4 Dir(s)  5,930,614,784 bytes free

Mounted with user2:

C:\Documents and Settings\Administrator>dir Z:\
 Volume in drive Z is abe
 Volume Serial Number is 009A-9A03

 Directory of Z:\

10/06/2014  09:41 AM    <DIR>          .
10/06/2014  09:33 AM    <DIR>          ..
10/06/2014  09:35 AM    <DIR>          dir3
10/06/2014  09:35 AM    <DIR>          dir2
               0 File(s)              0 bytes
               4 Dir(s)  5,930,614,784 bytes free

Mounted with root:

C:\Documents and Settings\Administrator>dir Z:\
 Volume in drive Z is abe
 Volume Serial Number is 009A-9A03

 Directory of Z:\

10/06/2014  09:41 AM    <DIR>          .
10/06/2014  09:33 AM    <DIR>          ..
10/06/2014  09:35 AM    <DIR>          dir3
10/06/2014  09:35 AM    <DIR>          dir2
10/06/2014  09:35 AM    <DIR>          dir1
10/06/2014  09:35 AM    <DIR>          root_dir
               0 File(s)              0 bytes
               6 Dir(s)  5,930,614,784 bytes free

From this example, it is possible to set access based enumeration without setting windows ACLs.

You can also revoke group permissions for a particular directory, for example:

cluster-1# mkdir /ifs/abe1/dir4

cluster-1# chgrp abe_group /ifs/abe1/dir4

cluster-1# chmod 705 /ifs/abe1/dir4

In this case, permission is specifically revoked from abe_group, so dir4 will not appear in directory listings for users in abe_group (even though it is world readable).

An explanation of the three settings:

isi smb settings global modify --access-based-share-enum

    This setting controls enumeration of shares on the cluster. If this setting is on and the user is enumerating shares either through MMC or via Explorer, they will see only shares that they have permission to map (permissions set via isi smb shares permissions ...)

isi smb settings shares modify --access-based-enumeration

    This setting controls the default value for access-based-enumeration on shares. If a share does not explicitly set access-based-enumeration, it uses the default set here.

isi smb shares modify --access-based-enumeration

    This setting controls whether files and folders within the share are visible to users that don't have permission to at least read them. If this setting is on and the user enumerating a directory doesn't have at least read permission on a child entry, that entry is not returned in the directory listing.


Hopefully this helps explain the feature a bit more.
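The answer above relies on one rule that is easy to get wrong: with plain POSIX mode bits, OneFS picks exactly one permission class for a user (owner if the uid matches, otherwise group if the user belongs to the owning group, otherwise other) and ABE hides any child entry that class cannot read. The following is an added example, not code from the post or from OneFS, that models that rule in Python so the dir1/dir2/dir3/root_dir results and the chmod 705 "revoked from the group but world readable" case can be checked offline. The users, uid/gid numbers and the directory entries are constructed to mirror the post's /ifs/abe1 layout and are assumptions of this example.

```python
"""Model of access-based enumeration over POSIX mode bits (added example).

Rule modelled: a child entry is returned to a user only if the single POSIX
permission class that applies to that user (owner > group > other) grants
read.  Root bypasses the mode bits, as it does on the cluster.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gids: frozenset  # primary plus supplementary group ids


@dataclass(frozen=True)
class Entry:
    name: str
    mode: int        # permission bits only, e.g. 0o750
    owner_uid: int
    group_gid: int


R_OWNER, R_GROUP, R_OTHER = 0o400, 0o040, 0o004


def can_read(user: User, entry: Entry) -> bool:
    """POSIX class selection: the first matching class is the ONLY one consulted."""
    if user.uid == 0:                       # root is not subject to mode bits
        return True
    if user.uid == entry.owner_uid:
        return bool(entry.mode & R_OWNER)
    if entry.group_gid in user.gids:
        # Group class wins even when 'other' is more permissive: this is why
        # chmod 705 hides a world-readable directory from the owning group.
        return bool(entry.mode & R_GROUP)
    return bool(entry.mode & R_OTHER)


def abe_listing(user: User, entries, abe_enabled: bool = True):
    """Names a directory listing returns to `user`; with ABE off everything is returned."""
    if not abe_enabled:
        return [e.name for e in entries]
    return [e.name for e in entries if can_read(user, e)]


# Constructed identities (numbers are arbitrary): wheel = gid 0, abe_group = gid 1000.
ROOT = User("root", 0, frozenset({0}))
USER1 = User("user1", 2001, frozenset({1000}))
USER2 = User("user2", 2002, frozenset({1000}))
OUTSIDER = User("guest", 2003, frozenset({1001}))   # not a member of abe_group

# Constructed to match the post's second `ls -lah /ifs/abe1` plus the dir4 example.
ABE1 = [
    Entry("dir1", 0o750, 2001, 0),       # chown user1, group still wheel
    Entry("dir2", 0o750, 2002, 0),       # chown user2
    Entry("dir3", 0o750, 0, 1000),       # chgrp abe_group
    Entry("root_dir", 0o750, 0, 0),      # root/wheel only
    Entry("dir4", 0o705, 0, 1000),       # group revoked, world readable
]

if __name__ == "__main__":
    for who in (USER1, USER2, OUTSIDER, ROOT):
        print(f"{who.name:>8}: {abe_listing(who, ABE1)}")
```

Running it reproduces the post's Windows listings: user1 sees dir1 and dir3, user2 sees dir2 and dir3, root sees everything, and dir4 is visible to an account outside abe_group but hidden from its members. Note that this is visibility only; ABE is not an access control, so a user who learns a hidden name can still be stopped only by the permissions themselves.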


October 3rd, 2014 13:00

Did you set windows ACLs ?


October 3rd, 2014 13:00

No I haven't. How would I do that (sorry I'm a bit ignorant when it comes to this kind of stuff).

October 3rd, 2014 14:00

Does the group that is able to see all files and write to them have root permissions on the share?

Sent from my iPhone


October 3rd, 2014 14:00

No, none of the groups I've added to the share have root permissions. But, they do have full access.

I guess that wouldn't matter if ABE is set to global because it would hide all of the folders in the share until I provide access to them, correct?


October 6th, 2014 10:00

Thanks so much for the detailed explanation masenf! I'll give this a try.

What would be the result if I accessed these shares via smb from an NFS client (OSX)? Would the POSIX bits then mimic the ACL?


October 6th, 2014 11:00

Understood. I'll see what the result is on my end. Thanks again.


October 6th, 2014 11:00

I'm not sure I fully understand the question, but I'll take a stab.

I just mounted my test share via SMB from OS X 10.7 and 10.9. The result was that Access Based Enumeration worked and permissions were enforced. However, when listing the permissions on the file, everything appeared to be 700 and owned by the local user on the Mac. This makes it pretty hard to determine what the actual permission bits are. It also could be frustrating because a directory where the user only has read permission appears to the OS X client as though the local user has full permission. However, if the user attempts to modify said directory in any way, they will get a Permission Denied error. This may or may not be workable in your situation.

We currently have an open issue in our bug tracker for improving how the SMB permissions appear to OS X clients, but I unfortunately don't have a time frame for the resolution of that issue.


October 7th, 2014 12:00

To have multiple groups per object, you'll need to use a full ACL as opposed to just posix permissions.

See the information in man chmod under the ACL MANIPULATION OPTIONS heading for the full details, but here are some useful example commands.

Allow full access to group abe_group2 to dir5

chmod +a group abe_group2 allow generic_read,generic_write,generic_exec /ifs/abe1/dir5

Allow read access to group abe_group to dir6

chmod +a group abe_group allow generic_read /ifs/abe1/dir6

Deny a specific user to dir6

chmod +a user user1 deny generic_all /ifs/abe1/dir6

You have to be a bit careful about the ordering of ACEs in your ACLs. The rules are processed in order and stop processing when there is a match. Therefore, if user1 is a member of abe_group, and user1 should be denied access to dir6 while other users in abe_group should have access, it is important that the deny user1 rule appears first in the ACL. Otherwise, user1 would be allowed by virtue of first matching the allow ACE for abe_group.

You can view the ordering of the ACL rules with

ls -lde /ifs/abe1/dir6


The man page for chmod lists a lot more information about inserting ACEs in specific places, as well as other options. I'd recommend checking it out.

-Masen
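The ordering point in the post above is the one that bites in practice: a `deny` ACE placed after a broader `allow` never fires for a user who matches the allow. The following is an added example, not code from the post or OneFS, that models the evaluation order exactly as the post describes it (walk the ACL in order, the first ACE that matches the user and mentions the requested right decides) so the two orderings of the dir6 ACEs can be compared offline. It does not reproduce OneFS's full ACL semantics (inheritance, rights accumulation across ACEs); the `Ace` and `Principal` types, the right names and the `deny_first` helper are assumptions of this example.

```python
"""First-match ACE evaluation, as described in the post (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Right sets named after the generic_* tokens the post uses with `chmod +a`.
GENERIC_READ = frozenset({"read"})
GENERIC_WRITE = frozenset({"write"})
GENERIC_EXEC = frozenset({"exec"})
GENERIC_ALL = GENERIC_READ | GENERIC_WRITE | GENERIC_EXEC


@dataclass(frozen=True)
class Ace:
    kind: str          # "user" or "group"
    trustee: str
    action: str        # "allow" or "deny"
    rights: frozenset


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset


def matches(ace: Ace, who: Principal) -> bool:
    """Does this ACE's trustee apply to the principal?"""
    if ace.kind == "user":
        return ace.trustee == who.name
    return ace.kind == "group" and ace.trustee in who.groups


def check(acl: Iterable[Ace], who: Principal, right: str) -> Optional[bool]:
    """First ACE that matches `who` and mentions `right` decides.

    Returns True (allowed), False (denied) or None when no ACE applied,
    which an access check treats as an implicit deny.
    """
    for ace in acl:
        if matches(ace, who) and right in ace.rights:
            return ace.action == "allow"
    return None


def is_allowed(acl: Iterable[Ace], who: Principal, right: str) -> bool:
    return check(acl, who, right) is True


def deny_first(acl: List[Ace]) -> List[Ace]:
    """Stable reorder putting every deny ACE ahead of the allows.

    This is the conventional fix when an explicit deny has been appended
    behind a broader allow and is therefore never reached.
    """
    return sorted(acl, key=lambda a: a.action != "deny")


# Constructed principals mirroring the post: both users are in abe_group.
USER1 = Principal("user1", frozenset({"abe_group"}))
USER2 = Principal("user2", frozenset({"abe_group"}))
NOBODY = Principal("nobody", frozenset())

# The two dir6 ACEs from the post, in the order the post warns against...
WRONG_ORDER = [
    Ace("group", "abe_group", "allow", GENERIC_READ),
    Ace("user", "user1", "deny", GENERIC_ALL),
]
# ...and with the deny first, as the post recommends.
RIGHT_ORDER = [WRONG_ORDER[1], WRONG_ORDER[0]]

if __name__ == "__main__":
    for label, acl in (("allow-then-deny", WRONG_ORDER), ("deny-then-allow", RIGHT_ORDER)):
        print(label, "user1 read:", is_allowed(acl, USER1, "read"),
              "user2 read:", is_allowed(acl, USER2, "read"))
```

With the allow first, user1 is granted read by the abe_group ACE and the deny is never consulted; with the deny first, user1 is refused while user2 keeps read access, which is the outcome the post wants. On a real cluster the order to check is the one `ls -lde` prints, and the index-insertion forms of `chmod +a` in the man page are how to place a deny ahead of an existing allow.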


October 7th, 2014 12:00

I figured that would be the case. Thanks for the quick response. Much appreciated.

- Cyrus


October 7th, 2014 12:00

Hi masenf,


chgrp and chown are change commands - What if I have multiple groups that would need to see the same folders within the share?


For example, doing chgrp /ifs/abe1/dir4 for each group would just continue to overwrite the previous setting? Have I missed something?
