Unsolved

This post is more than 5 years old

1 Rookie


1 Message

1522

September 23rd, 2017 07:00

Isilon permissions please help

Hello,

We have an Isilon in our environment that was set up before I got here. We have an SMB share set up for /ifs where the user & groups setting is "everyone is not root with full control". Does this allow any user on the Isilon to be able to see all the folders/files on the Isilon?

Individual folders have specific domain account permissions which control read/write so I don't believe "anyone" can not write to these folders.

Based on this, is it safe to say any user can see all folders/files but cannot write to them unless they have specific permissions on the folders/files? Thanks.

5 Posts

September 25th, 2017 04:00

We had this problem on a share, but it was accidentally set. Run as root pretty much overrides any NTFS permissions that may be applied on subdirectories of the share. So be careful: if set to everyone, then anyone within that group can access everything.

450 Posts

September 25th, 2017 09:00

Everyone Full Control is pretty common in most enterprises for SMB share permissions. Indeed, as kbaryeh pointed out, if Everyone has run-as-root, then that is horrifically bad, and can be a security nightmare. Run-as-root permissions should never be granted to anyone besides perhaps a security administrator, or a service account being used for a data migration.

The /ifs/ share exists by default when a cluster is built. Most customers would usually delete it, or rename it to ifs$ so that it's at least administratively hidden. Anyway, permissions, if at all possible, should be managed only through filesystem permissions (ACLs or POSIX), not through SMB share ACLs, because it misses the point: you're securing protocol access to the data, rather than access to the data itself.

~Chris
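The distinction drawn in this thread (share-level Full Control versus run-as-root) can be checked mechanically. The following is an added example, not code from any poster or from Dell; the sample table is constructed, its column layout is assumed to resemble the output of `isi smb shares permission list`, and the account names and the `BROAD` list are hypothetical.

```python
import re

# Constructed sample; column layout is an assumption modelled on the
# table printed by `isi smb shares permission list <share>`.
SAMPLE = """\
Account               Account Type  Run as Root  Permission Type  Permission
----------------------------------------------------------------------------
Everyone              wellknown     True         allow            full
EXAMPLE\\Domain Users  group         False        allow            change
EXAMPLE\\svc-migrate   user          True         allow            full
"""

# Principals that cover most or all users (hypothetical list, extend as needed).
BROAD = {"everyone", "authenticated users", "domain users", "users"}

def parse_share_permissions(text):
    """Turn the permission table into a list of dicts, one per entry."""
    rows = []
    for line in text.splitlines():
        # Columns are separated by 2+ spaces; account names may hold one space.
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 5 or cols[0] == "Account":
            continue  # skips the header, the dashed rule and blank lines
        account, acct_type, run_as_root, ptype, perm = cols
        rows.append({"account": account, "account_type": acct_type,
                     "run_as_root": run_as_root.lower() == "true",
                     "type": ptype.lower(), "permission": perm.lower()})
    return rows

def audit(rows):
    """Return (severity, account) pairs for share entries worth a look."""
    findings = []
    for r in rows:
        if r["type"] != "allow":
            continue
        broad = r["account"].split("\\")[-1].lower() in BROAD
        if r["run_as_root"]:
            # Run-as-root bypasses the ACLs on subdirectories of the share.
            findings.append(("critical" if broad else "review", r["account"]))
        elif broad:
            # Common setup: access is then decided by filesystem ACLs/POSIX bits.
            findings.append(("info", r["account"]))
    return findings

if __name__ == "__main__":
    for severity, account in audit(parse_share_permissions(SAMPLE)):
        print(f"{severity:8} {account}")
```

A "review" result is where the exception mentioned above (a security administrator or a migration service account) would be confirmed or removed.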
