How can administrators login to user accounts

I have given very limited user accounts with mediocre passwords to a couple friends. Occasionally I log in as them to make sure they only have access to the few apps and folders that I intend to share with those accounts. A few times I found some new apps/folders were visible to them by default so I promptly restricted their access.

I want to ask them to harden their passwords, but how could I continue to log in to those accounts to verify for unwanted permissions if I don't know their new password? A GUI version of "su - user" if you will. These accounts don't have command-line/ssh access so su is not an option.

Thanks for any tips.
 
Unless you know the password then you can't, or at least I hope you can't because that would mean a serious vulnerability in DSM security for everyone.

I would ensure you apply password strength rules, and even enable two factor authentication: force password change on next login. Why? Because you'll limit any security risk to those vulnerabilities that apply to non-authenticated user access.

Instead of logging into your users' accounts, why not create a test account that has the same rights as your users?

I would consider creating a specific Group and adding users to this. Then don't give user accounts individual access but instead apply the access control to the group. I would also periodically check the default permissions, to be certain nothing new as assumed to allow all.
 
Upvote 0
Solution
I like the "create a test account that has the same rights as your users" idea. Thanks!

The "su - [user]" command allows the root user to experience an environment similar to a real login as "user" at the command-line so why would a GUI equivalent be so bad?
 
Upvote 0
> The "su - [user]" command allows the root user to experience an environment similar to a real login as "user" at the command-line so why would a GUI equivalent be so bad?

What I said was that it isn't possible without the user's password; I didn't say having a feature added that could enable a DSM-logged in administrator user to masquerade as another user was necessarily bad. How a web session would work is another matter, it uses authentication and a new / modified mechanism would be required. Rather I could see a session as the administrator but enabling a feature that either starts a new browser tab/window or even in the current window that applies portal parameters (read-only?) of a particular user. It sounds like a lot of effort to implement this and not introduce a slew of new bugs, or vulnerabilities.

Using a new group to collect these user accounts is an easy way to ensure consistent permissions are applied. I use this to grant access for family accounts, also to ensure only those that need VPN access have it. You can have user accounts in multiple groups, then check the combined permissions are what you expect.
 
Upvote 0
Ya I see why a GUI "su" command doesn't exist and probably never will.

I do like your "creating a specific Group and adding users to this" idea too but since everything has been working so well for quite a while, I'm in the if it ain't broke don't fix it camp. I should have done it this way from the start...

I have plenty of *nix experience but newish to Synology DSM.
 
Upvote 0
Creating a group is super easy, as is assigning them to that group. Once and done, transparent on the user side. Obviously you have to know what permissions you want them to have. Just create the group, enter the desired permissions, go to those users and assign them to that group. Even if you're super slow, assuming you know the permissions you want them to have, 30-min tops, an hour with super extra-careful reading. If you're comfortable, 5- to 10-min.
 
Upvote 0
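
An added example, not part of any post in this thread and not Synology code: it merges per-user and per-group shared-folder entries and reports every deviation from an expected baseline, which is the periodic check on group and default permissions suggested above. It assumes DSM's documented precedence (No Access over Read/Write over Read Only); all user, group and share names are constructed.

```python
# Added example: audit effective shared-folder permissions against a baseline.
# Assumption: DSM's documented precedence, No Access > Read/Write > Read Only.
# All user, group and share names below are constructed sample data.

PRECEDENCE = {"NA": 3, "RW": 2, "RO": 1}  # higher rank wins when entries conflict

def effective_permissions(user, memberships, user_acl, group_acl):
    """Merge a user's own entries with those of every group they belong to."""
    entries = {}
    sources = [user_acl.get(user, {})]
    sources += [group_acl.get(g, {}) for g in memberships.get(user, [])]
    for acl in sources:
        for share, perm in acl.items():
            current = entries.get(share)
            if current is None or PRECEDENCE[perm] > PRECEDENCE[current]:
                entries[share] = perm
    # A share that resolves to NA is not reachable, so drop it from the result.
    return {s: p for s, p in entries.items() if p != "NA"}

def audit(expected, memberships, user_acl, group_acl):
    """Return (user, share, actual, expected) for each deviation from the baseline."""
    findings = []
    for user, want in expected.items():
        have = effective_permissions(user, memberships, user_acl, group_acl)
        for share in sorted(set(have) | set(want)):
            if have.get(share) != want.get(share):
                findings.append((user, share, have.get(share), want.get(share)))
    return findings

# Constructed sample: two friends in a dedicated group plus a default group.
MEMBERSHIPS = {"alice": ["friends", "users"], "bob": ["friends", "users"]}
GROUP_ACL = {
    "friends": {"photos": "RO", "music": "RO"},
    "users": {"new_share": "RW", "homes": "NA"},  # new share opened to everyone
}
USER_ACL = {"bob": {"music": "NA", "photos": "RW"}}  # per-user overrides
EXPECTED = {
    "alice": {"photos": "RO", "music": "RO"},
    "bob": {"photos": "RO", "music": "RO"},
}

if __name__ == "__main__":
    for finding in audit(EXPECTED, MEMBERSHIPS, USER_ACL, GROUP_ACL):
        print("user=%s share=%s actual=%s expected=%s" % finding)
```

The baseline in `EXPECTED` is the list of shares each account is meant to see; anything reported with `expected=None` is access that appeared without being granted on purpose.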