kbaryeh
5 Posts
0
September 25th, 2017 04:00
We had this problem on a share, but it was accidentally set. Run as root pretty much overrides any NTFS permissions that may be applied on sub-directories of the share. So be careful: if set to Everyone, then anyone within that group can access everything.
crklosterman
450 Posts
0
September 25th, 2017 09:00
Everyone Full Control is pretty common in most enterprises for SMB share permissions. Indeed, as kbaryeh pointed out, if Everyone has run-as-root, then that is horrifically bad and can be a security nightmare. Run-as-root permissions should never be granted to anyone besides perhaps a security administrator, or a service account being used for a data migration.
The /ifs/ share exists by default when a cluster is built. Most customers would usually delete it, or rename it to ifs$ so that it's at least administratively hidden. Anyway, permissions, if at all possible, should be managed only through filesystem permissions (ACLs or POSIX), not through SMB share ACLs, because that misses the point: you're securing protocol access to the data, rather than access to the data itself.
~Chris
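The two posts above describe a check worth automating: on every SMB share, find any account that has run-as-root (which bypasses the file ACLs underneath the share), and treat a grant to a broad group such as Everyone as a critical finding, while merely noting Everyone/Full Control at the share level since access is then expected to be governed by the filesystem ACLs. The script below is an added example and is not from the thread or from OneFS itself. It assumes the share permissions have been exported as JSON records with the fields `share`, `account`, `account_type`, `run_as_root`, `permission_type` and `permission` (for instance from `isi smb shares permission list <share>`, whose exact output format and `--format` options you should confirm on your release); the field names, the list of broad groups beyond Everyone, and the sample records are constructed for the example.

```python
"""Audit OneFS SMB share permissions for run-as-root grants.

Added example, not code from the original thread or from Dell EMC. The input
layout (one JSON object per share-permission entry with the fields below) is
an assumption; adapt the parser to whatever `isi smb shares permission list`
emits on your cluster.
"""
import json

# Groups broad enough that a run-as-root grant means "everybody is root on
# this share". Everyone is the case from the thread; the other two are added
# as common equivalents (assumption).
BROAD_GROUPS = {"everyone", "authenticated users", "domain users"}

# Constructed sample records: the bad configuration the thread warns about
# (Everyone with Full Control AND run-as-root on the default ifs share), a
# migration service account with run-as-root, and two ordinary entries.
SAMPLE_OUTPUT = json.dumps([
    {"share": "ifs", "account": "Everyone", "account_type": "wellknown",
     "run_as_root": True, "permission_type": "allow", "permission": "full"},
    {"share": "ifs", "account": "CORP\\svc-migrate", "account_type": "user",
     "run_as_root": True, "permission_type": "allow", "permission": "full"},
    {"share": "projects", "account": "Everyone", "account_type": "wellknown",
     "run_as_root": False, "permission_type": "allow", "permission": "full"},
    {"share": "projects", "account": "CORP\\eng-ro", "account_type": "group",
     "run_as_root": False, "permission_type": "allow", "permission": "read"},
])


def is_broad(entry):
    """True for Everyone-style accounts and any well-known group."""
    return (entry["account"].lower() in BROAD_GROUPS
            or entry.get("account_type") == "wellknown")


def audit_share_permissions(raw_json, allowed_root_accounts=()):
    """Return findings as (severity, share, account, message) tuples.

    Every run-as-root grant is reported because it overrides the file-system
    ACLs below the share. A grant to a broad group is CRITICAL; a grant to any
    account not on the explicit allow-list (e.g. a migration service account)
    is HIGH. Everyone/Full at the share level without run-as-root is only
    INFO: it is common, but it means the filesystem ACLs are doing all the work.
    """
    allowed = {a.lower() for a in allowed_root_accounts}
    findings = []
    for entry in json.loads(raw_json):
        share, acct = entry["share"], entry["account"]
        if entry.get("run_as_root"):
            if is_broad(entry):
                findings.append(("CRITICAL", share, acct,
                                 "run-as-root granted to a broad group; "
                                 "every member bypasses file ACLs on this share"))
            elif acct.lower() not in allowed:
                findings.append(("HIGH", share, acct,
                                 "run-as-root granted to an account not on the allow-list"))
        elif (acct.lower() == "everyone"
              and entry.get("permission_type") == "allow"
              and entry.get("permission") == "full"):
            findings.append(("INFO", share, acct,
                             "Everyone/Full at share level; confirm the "
                             "filesystem ACLs restrict access"))
    return findings


if __name__ == "__main__":
    # Treat the migration account as the one sanctioned run-as-root principal.
    for sev, share, acct, msg in audit_share_permissions(
            SAMPLE_OUTPUT, allowed_root_accounts=("CORP\\svc-migrate",)):
        print(f"{sev:8} share={share:10} account={acct:20} {msg}")
```

Feed it the real export of every share (loop over `isi smb shares list` and the per-share permission listing, confirming option names against your OneFS version) and expect an empty result apart from INFO lines. Any CRITICAL line is the situation kbaryeh hit: the share ACL has silently turned every member of the group into root for the whole tree, whatever the NTFS ACLs on sub-directories say. The fix is to remove the run-as-root flag from that account in the share permissions, then verify with the same listing.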