Koozali.org: home of the SME Server

ibay permissions question, can anyone help please?

stabilys
« on: March 22, 2019, 04:35:43 PM »
Hi all:

On one SME server we have just realised that somehow, dunno how or when or even by whom, almost all ibays have been changed to the group 'everyone'. This server has been continuously upgraded since v4.

As we now need to restrict access for one remote user in China, putting them in a restricted group with restricted access to ibays does not of course actually restrict access to all other ibays on the server that are set to 'everyone'.

As there are 10 TB of data on the server I am cautious about making access changes without prior advice as propagating such things takes a long time to set and reverse.

Question 1: If we change the ibays to a more restrictive group will this affect the permissions on the files within the ibays?

Question 2: Are there any potential toxic side effects of simply changing the group?

Thanks in anticipation for clues.

MeJ
« Last Edit: March 22, 2019, 11:21:59 PM by stabilys »
This, too, will pass ;)

mmccarn
« Reply #1 on: March 23, 2019, 04:50:57 AM »
'signal-event ibay-modify' (/etc/e-smith/events/actions/ibay-modify) definitely includes code to reset ownership and permissions within ibays based on the ibay settings in the accounts db.

Code:
if ($properties {'UserAccess'} eq 'wr-admin-rd-group')
{
    $::owner = "admin";
    $::fileperm = 0640;
    $::dirperm = 02750;
}
elsif ($properties {'UserAccess'} eq 'wr-group-rd-group')
{
    $::fileperm = 0660;
    $::dirperm = 02770;
}
elsif ($properties {'UserAccess'} eq 'wr-group-rd-everyone')
{
    $::fileperm = 0664;
    $::dirperm = 02775;
}
else
{
    warn("Value of UserAccess bad or unset");
}


It should be possible to tighten the security -- but I, too, would go slowly. 

Decide on a new security configuration then test it on a new or small ibay. 

As long as you save a copy of the db settings for your ibays you can put them back if you try something that doesn't work.

'db accounts show' will list the entire accounts db; 'db accounts show ibayname' will show the settings for ibayname.
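
An added example, not part of mmccarn's post and not SME Server code: a read-only check that lists every path under a directory whose mode or group differs from the values the excerpt above assigns for a given UserAccess setting. The function names and the sample tree are assumptions made for illustration; ownership (the "admin" owner case) is not checked.

```shell
#!/bin/sh
# Added example: compare an ibay tree with the modes ibay-modify assigns.

# Map a UserAccess value to "fileperm dirperm" (values from the excerpt above).
expected_modes() {
    case "$1" in
        wr-admin-rd-group)    echo "0640 2750" ;;
        wr-group-rd-group)    echo "0660 2770" ;;
        wr-group-rd-everyone) echo "0664 2775" ;;
        *) echo "Value of UserAccess bad or unset" >&2; return 1 ;;
    esac
}

# audit_ibay DIR USERACCESS GROUP
# Print every path under DIR whose mode or group differs from what the
# given settings imply. Read-only: nothing is changed.
audit_ibay() {
    dir=$1; access=$2; group=$3
    modes=$(expected_modes "$access") || return 2
    fileperm=${modes% *}
    dirperm=${modes#* }
    find "$dir" \( \
            \( -type f ! -perm "$fileperm" \) -o \
            \( -type d ! -perm "$dirperm" \) -o \
            ! -group "$group" \
        \) -print
}

# Constructed sample: a throwaway tree with one file left at 0664.
demo() {
    t=$(mktemp -d) || return 1
    g=$(id -g)                      # numeric gid of the current user
    mkdir "$t/files"
    : > "$t/files/ok.txt"
    : > "$t/files/loose.txt"
    chgrp -R "$g" "$t"
    chmod 2770 "$t" "$t/files"
    chmod 0660 "$t/files/ok.txt"
    chmod 0664 "$t/files/loose.txt" # still readable by "other"
    audit_ibay "$t" wr-group-rd-group "$g"
    rm -rf "$t"
}

# With three arguments audit a real tree, otherwise run the demo.
if [ "$#" -eq 3 ]; then audit_ibay "$@"; else demo; fi
```

Run against a small test ibay before and after a settings change, the output shows which files still carry looser modes than the new setting implies.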


stabilys
« Reply #2 on: March 23, 2019, 01:34:19 PM »
> It should be possible to tighten the security -- but I, too, would go slowly.
>
> Decide on a new security configuration then test it on a new or small ibay.
>
> As long as you save a copy of the db settings for your ibays you can put them back if you try something that doesn't work.

Thank you mmccarn I will play with this carefully.

MeJ

stabilys
« Reply #3 on: April 01, 2019, 11:15:08 AM »
Resolved  8-)

For anyone who has a similar issue: I tested with a test ibay set with the same 'everyone' permissions and copied a few files into it. Changing the ibay group settings does not affect the files in the ibay at f/s level.

It does however change the access from outside the ibay as it of course should. And it's almost instant.

Reverting the group permissions to group/group r/w for the main group consisting of all employees who should have regular access worked as intended.

So if anyone else inadvertently changes ibay access permission to something too loose then reverting it should not be an issue.

No-one will admit having changed the permissions, on this and another server, while most are set up properly, but that's another sort of problem!

Thanks.