Setting Shared Folder perms. Where are system umask and smb share perms kept?


A minor annoyance I've had ever since adopting Synologys over a decade ago. Now with the latest purchase, it's p!$$ed me off sufficiently to do something about it. Hoping the knowledge here can assist please.

One of our primary uses for the NAS is essentially as a file server/network drive. All Mac clients connecting SMB to the various file shares for read and write. However, permissions have always been a bit of a challenge, so more often than not, when the wife or kids complain <x> can't see/find/write to <abc> file/directory, I just ssh in and fix it. But I'm over that, so I want to fix it permanently.

I've set up various groups for differing family members' access such that only <x> group can see/write to <y> Shared Folder. And I've set that as much as possible in the fileshare/user/group/ perms in DSM. But what I want to achieve is not 'individual' file/directory ownership. I want to have all files in a given Shared Folder, on creation, owned by my chosen named user with the group I want associated with that specific Shared Folder, and I want all directories in there to have 770 with all files 660.

In my thinking, in this way, I have a single account owning the files, and everyone in the group can see/do what they want/need, with 'others' excluded. e.g. under 'family' shared folder, I would have:

Code:
drwxrwx---+ 1 svc_accnt  family       88 Jun  4 20:36 BACKUP-DO-NOT-DELETE
drwxrwx---+ 1 svc_accnt  family     4880 Jun  4 20:36 Recipes
drwxrwx---+ 1 svc_accnt  family    21112 Jun  4 20:36 Warranties

So, what's the best way to achieve this please? My thinking as follows. If you have better ideas/solutions, I'm all ears.

1. Change the umask to 007.
So, how/where can I change the umask in Synology? And is it the same format as any other *nix distro, e.g. 'umask 007'?

2. Many years ago, I used samba's specific share confs to achieve my ownership goals for default user:group ownership, presumably I can still do that.
So, how/where can I set perm settings for samba that will survive both reboot and upgrade?

3. Or is there a better way? e.g. set ownership of the Shared Folder home to my desired group, and then set the GUID on the Shared Folder home.
This would achieve my group ownership, but still leaves the default file ownership up in the air.

Your thoughts and advice appreciated.
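
What items 1 and 3 above produce on a plain POSIX filesystem, as an added example that is not part of the original post. It assumes no ACLs are in effect and says nothing about how DSM applies its own ACLs; the directory and file names are constructed.

```shell
#!/bin/sh
# Added example (constructed names, throwaway temp dir, no ACLs assumed).

# Build a share root the way items 1 and 3 describe: setgid root, umask 007.
make_demo_share() {
    root=$(mktemp -d) || return 1
    chmod 2770 "$root"              # rwxrwx--- plus setgid: children inherit the group
    (
        umask 007                   # clears every 'other' bit on newly created entries
        mkdir "$root/Recipes"       # 0777 & ~007 -> 770
        : > "$root/Recipes/bread.txt"   # 0666 & ~007 -> 660
    )
    : > "$root/stray.txt"
    chmod 644 "$root/stray.txt"     # constructed drift: a world-readable file
    printf '%s\n' "$root"
}

# Low three octal permission digits of a path (GNU/BusyBox stat, then BSD stat).
perm_bits() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1")
    printf '%s\n' "$mode" | sed 's/.*\(...\)$/\1/'
}

# "user:group" owning a path; umask and setgid never change the user part.
owner_group() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# Entries under a share root that are not 770 directories or 660 files.
audit_share() {
    find "$1" \( -type d ! -perm 770 ! -perm 2770 -o -type f ! -perm 660 \) -print
}

demo=$(make_demo_share)
echo "directory mode: $(perm_bits "$demo/Recipes")"
echo "file mode:      $(perm_bits "$demo/Recipes/bread.txt")"
echo "file owner:     $(owner_group "$demo/Recipes/bread.txt") (the creating user)"
echo "drift:"; audit_share "$demo"
rm -rf "$demo"
```

The owner shown is whoever created the file: neither the umask nor the setgid bit assigns a fixed owning user, which is the gap item 3 points out.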
 
Forgive me for not addressing any of your points, but I feel there is another important constraint that you need to take into consideration: Syno ACLs. AFAIK, all permissions you grant in the UI are Syno ACL permissions.

If the Syno ACLs allow access, the Unix file permissions are ignored. Unix file permissions are only enforced when Syno ACLs are disabled for that particular path (and all the files and subfolders in it). I am not sure if the UI actually allows disabling Syno ACLs, though it can be done from the CLI (I am quite sure I posted the commands somewhere in the docker category).
 
Thanks for the response.

soooo ........ to be clear, are you saying that even though I'm connecting to the Shared Folders directly over SMB (and NOT using DSM - at least not directly, e.g. via File Station) using Mac's Finder, you think the Syno ACLs take precedence?

It would be good to know how they're configured/where they're stored (from a 'conf' file perspective) to see what can be changed/permanently set via cli. I'll take a look through the Docker forum, but if you happen upon them also, would be grateful.

P.S. Do you remember how long ago that post was?
 
It shouldn't make any difference whether access happens over SMB, NFS or locally from the shell. From what I understand, SynoACL is hooked into the file system calls. All the access methods above just use those system calls. Only containers "misbehave", as they cannot access the filesystem in a way that SynoACL requires - that's why I disable SynoACL for folders only to be accessed from containers.

As far as I know the ACLs are stored as extended attributes in the file system itself, attached to folders/files directly.

This is the topic I meant: Stymied with Fireshare
Make sure to read the whole topic before applying anything discussed in it.
 