ClearOS Feature Request
File Access Control Lists facl ACL mod_facl in ProFTP
I'm using File Access Control List for extended permissions in ClearOS 7. CO does not specifically support this from the GUI but it does not prohibit it either. The getfacl and setfacl commands work from the shell and the same thing can be accomplished from Windows with a right click on the file or folder.
I've got a 2nd group of users to access a share by manually tweaking the flexshare.config settings so that I can give individual users specific access to specific folders. It's a very good thing to be able to do. This can be accomplished from the WebGUI in FreeNAS. The folders the user has no access to simply don't show up for them.
However FTP does not seem to respect the FACL settings. Instead it won't allow any from the guest group to see the contents. A line in /etc/proftp.d/flex-21.conf partially solves the problem;
HideNoAccess off
But then all the directories are visible including the ones the user gets blocked from.
I have determined that it's not using FACL and simply going on basic Linux permissions like the rest of ClearOS.
I don't know if I'm missing an obvious thing I'm supposed to install such as Active Directory or if this is a feature request or simply help with a workaround.
How do I get mod_facl into ClearOS Proftp?
I do think ClearOS would be better if it could do FACL properly.
Responses (3)
Accepted Answer
From http://www.proftpd.org/docs/modules/mod_facl.html it tells you how to build ProFTPd with facl support. Looking at the EPEL sources (we use their package), it looks like they build with:
--enable-facl --with-shared=mod_facl:........
This looks slightly different but may be functionally the same. I have no idea. So there may be facl support built in. Again looking at the docs there is a parameter "FACLEngine on|off" which defaults to on so should not be needed (and does not appear in proftpd.conf or /etc/proftpd.d/*.conf).
Longer term, for shares, I think that setting facl's in ClearOS should be avoided and it should be done in Windows instead. If we end up with ClearOS as an AD/DC then ACL's in samba will use a VFS module when set by Windows, but possibly not when set using setfacl. However that is for the longer term and not now.
Accepted Answer
Hello Nick,
I should inspect the logs (I hate doing that) but from ProFTP's behaviour it's ignoring FACL.
HideNoAccess ON
makes directories vanish from my user who can see them from Windows.
I don't yet know how to build ProFTP inside ClearOS but it sounds like I need to do that. Then perhaps it will respect FACL settings.
Longer term I do think ClearOS should be more aware of FACL even if it does not directly set it, let the Windows user do that. The thing I did was remove
valid users =
from flexshares.conf for SAMBA;
smb.conf
# ACL
vfs objects = acl_xattr
map acl inherit = yes
access based share enum = yes
flexshare.config
# valid users = @"%D\staff", @"staff"
veto files = /.flexshare*/
nfs4:chown = true
nfs4:acedup = merge
access based share enum = yes
ea support = true
hide unreadable = yes
hide unwriteable files = no
Those changes allowed me user level file access control from Windows.
Not a huge thing to add into the GUI
Thanks.
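A model of the symptom reported above, added here as an example (not code from this thread or from ProFTPD): it evaluates a getfacl listing once in the access-check order of acl(5) and once from the mode bits alone, the kind of check the thread concludes the FTP server is doing. The listing, the user names and the group names are constructed.

```python
# Added example: the getfacl text, users and groups below are constructed.
SAMPLE = """\
# file: projects
# owner: root
# group: staff
user::rwx
user:wayne:r-x
group::rwx
group:guests:---
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Parse getfacl output into (owner, group, {(tag, qualifier): perms})."""
    meta, perms = {}, {}
    for line in text.splitlines():
        if line.startswith("# "):
            key, _, value = line[2:].partition(": ")
            meta[key] = value
        elif line.strip():
            tag, qualifier, bits = line.split("#")[0].strip().split(":")
            perms[(tag, qualifier)] = set(bits) - {"-"}
    return meta["owner"], meta["group"], perms

def acl_allows(user, groups, want, owner, group, perms):
    """Check in the order of acl(5): owner, named user, group entries, other."""
    want, mask = set(want), perms.get(("mask", ""), set("rwx"))
    if user == owner:
        return want <= perms[("user", "")]
    if ("user", user) in perms:
        return want <= (perms[("user", user)] & mask)
    matched = [p for (tag, q), p in perms.items()
               if tag == "group" and (q or group) in groups]
    if matched:
        return any(want <= (p & mask) for p in matched)
    return want <= perms[("other", "")]

def mode_bits_allow(user, groups, want, owner, group, perms):
    """What a check reading only st_mode sees; with an ACL the group bits hold the mask."""
    if user == owner:
        return set(want) <= perms[("user", "")]
    if group in groups:
        return set(want) <= perms.get(("mask", ""), perms[("group", "")])
    return set(want) <= perms[("other", "")]

PARSED = parse_getfacl(SAMPLE)
for name, grps in [("wayne", {"guests"}), ("guest1", {"guests"}), ("sam", {"staff"})]:
    print(name, acl_allows(name, grps, "rx", *PARSED), mode_bits_allow(name, grps, "rx", *PARSED))
```

For "wayne" the two checks disagree: the named-user ACL entry grants r-x, while the mode bits fall through to "other" and deny, which is the case where a directory is reachable over Samba but hidden by a mode-bits-only HideNoAccess check.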
Accepted Answer
Wayland Sothcott wrote:
I don't yet know how to build ProFTP inside ClearOS but it sounds like I need to do that. Then perhaps it will respect FACL settings.
I am not so sure. I think the EPEL version is building correctly. Perhaps similar to flexshares, it has something to do with the "AllowGroup" setting in /etc/proftpd.d/flex-21.conf and /etc/proftpd.d/flex-990.conf
Not a huge thing to add into the GUI
Probably bigger than you think as flexshare configs get stored in a non-standard way in /etc/clearos/flexshare.conf. They also impact FTP (as you've seen) and Websites.