ZFS ACL: user can create files but not read?


blandoon (New Member, Aug 6, 2015, Eugene, OR USA)
I am trying to set up an SMB share (in the napp-it registered version) to make available in Owncloud, so that a user can create files, but cannot read other files in that share/folder. This is to allow users to log in to Owncloud with a generic account and upload files, but not download files that others have uploaded (using the same credentials). Basically, I want to avoid having to provision a new account for every single person that submits a file to this folder, because it will be a lot of people, and they'll most likely be doing it once and then never again.

What ACL can I set to allow this? So far, everything that allows Owncloud to read the share also allows users to read all files.
 

Kybber (Active Member, May 27, 2016)
Bear in mind I have experience with neither napp-it nor Owncloud, but here's a thought for an alternative solution: it seems that it should be possible to create a post-create script (hook) which changes the owner and/or read permissions for a file that was just uploaded. You could probably even move the file to another location if that would be preferable: Hooks — ownCloud Developer Manual 9.0 documentation
 

blandoon (New Member, Aug 6, 2015, Eugene, OR USA)
> Bear in mind I have experience with neither napp-it nor Owncloud, but here's a thought for an alternative solution: it seems that it should be possible to create a post-create script (hook) which changes the owner and/or read permissions for a file that was just uploaded. You could probably even move the file to another location if that would be preferable: Hooks — ownCloud Developer Manual 9.0 documentation

Thanks, I looked at that, but it appears to be something that you would add to an Owncloud app, which would require developing a whole new one... you're right that there may be another solution outside Owncloud and/or ZFS, but so far all I have found are things that get me about halfway there.
 

gea (Well-Known Member, Dec 31, 2010, DE)
If all users log in with the same generic account, you cannot restrict access based on ACLs or permissions for some of them. This will only work if every user logs in with a different account. Then you can set ACLs based on users.
 

blandoon (New Member, Aug 6, 2015, Eugene, OR USA)
> If all users log in with the same generic account, you cannot restrict access based on ACLs or permissions for some of them. This will only work if every user logs in with a different account. Then you can set ACLs based on users.

Definitely true - what I was hoping for was to just give the generic account minimal rights, and only grant more rights to others who log in with their own credentials (different Owncloud login, with a different user account to access the external storage). For example, I tried just granting the "create-files" set to the generic account, but Owncloud won't open the share with that level of permissions.

If ACLs aren't the answer, I'm thinking it might be better to do as Kybber suggested and just move the files to another location post-upload; I'm just not sure how yet.
 

gea (Well-Known Member, Dec 31, 2010, DE)
An ACL on a folder like "allow everyone to create files" is like a drop box. Everyone can throw in a file; nobody besides root can read.

The person who created a file is the owner with full access (with aclinherit=passthrough), or the owner is inherited from the parent folder with aclinherit=discard, with some more inheritance options.

You can then add more user or group permissions on a file or folder with different inheritance options. So you can use ACLs for a lot of use cases. You must decide if this is an option or if there are other methods that are easier to handle.
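As an added example (not code from the thread, from napp-it or from ZFS), the following Python script models how NFSv4-style ACEs are evaluated in order and how aclinherit=passthrough versus aclinherit=discard shapes the ACL a freshly created file gets in such a drop-box folder. It also shows the point made above about a shared account (the uploading account still owns, and can read, the file it created) and what a post-create owner change, like the hook idea earlier in the thread, would achieve. Permission names follow ZFS's verbose ACL syntax; the account names, the path and the 0644-style default mode assumed under discard are constructed for illustration.

```python
"""Simplified model of NFSv4/ZFS ACL evaluation for a "drop box" folder.

Added illustration, not code from the thread, napp-it or ZFS. Principal
names, paths and the 0644-style default mode under discard are constructed.
"""
from dataclasses import dataclass, replace

# ZFS displays read_data/write_data/append_data on directories as
# list_directory/add_file/add_subdirectory; both spellings are accepted here.
_DIR_SYNONYMS = {"list_directory": "read_data", "add_file": "write_data",
                 "add_subdirectory": "append_data"}
FULL_SET = frozenset({
    "read_data", "write_data", "append_data", "read_xattr", "write_xattr",
    "execute", "delete_child", "read_attributes", "write_attributes",
    "delete", "read_acl", "write_acl", "write_owner", "synchronize"})
READ_SET = frozenset({"read_data", "read_xattr", "read_attributes", "read_acl"})


def _canon(perms):
    return {_DIR_SYNONYMS.get(p, p) for p in perms}


@dataclass(frozen=True)
class Ace:
    who: str                          # owner@, group@, everyone@, user:<n>, group:<n>
    perms: frozenset
    kind: str = "allow"               # "allow" or "deny"
    inherit: frozenset = frozenset()  # subset of {"file_inherit", "dir_inherit"}


@dataclass
class Node:
    path: str
    owner: str
    group: str
    acl: list                         # ordered list of Ace


def _matches(ace, user, groups, node):
    """Does this ACE apply to `user` (member of `groups`) on `node`?"""
    if ace.who == "owner@":
        return user == node.owner
    if ace.who == "group@":
        return node.group in groups
    if ace.who == "everyone@":
        return True
    kind, _, name = ace.who.partition(":")
    return (kind == "user" and name == user) or (kind == "group" and name in groups)


def check_access(node, user, groups, wanted):
    """Walk the ACEs in order; the first ACE that matches the principal and
    mentions a still-undecided permission decides it. Access is granted only
    if every wanted permission ends up allowed. root is modelled as bypassing
    discretionary ACLs."""
    if user == "root":
        return True
    remaining = _canon(wanted)
    for ace in node.acl:
        if not _matches(ace, user, groups, node):
            continue
        hit = remaining & _canon(ace.perms)
        if not hit:
            continue
        if ace.kind == "deny":
            return False
        remaining -= hit
        if not remaining:
            return True
    return not remaining


def create_file(parent, creator, group, aclinherit):
    """Model the ACL a new file receives under two aclinherit settings."""
    if aclinherit == "passthrough":
        # inheritable ACEs are copied unchanged, minus their inheritance flags
        acl = [replace(a, inherit=frozenset())
               for a in parent.acl if "file_inherit" in a.inherit]
    elif aclinherit == "discard":
        # nothing is inherited; the ACL comes from the create mode alone
        # (a 0644-style mode is assumed here)
        acl = [Ace("owner@", READ_SET | {"write_data", "append_data",
                                          "write_attributes", "write_acl"}),
               Ace("group@", READ_SET),
               Ace("everyone@", READ_SET)]
    else:
        raise ValueError(f"unsupported aclinherit value: {aclinherit}")
    return Node(f"{parent.path}/upload-from-{creator}.bin", creator, group, acl)


def dropbox_folder():
    """Constructed drop box: everyone may add files and traverse the folder
    but not list it; the creator of a file gets full access to that file
    through an inheritable owner@ ACE."""
    return Node("/pool/dropbox", "root", "staff", [
        Ace("owner@", FULL_SET, inherit=frozenset({"file_inherit", "dir_inherit"})),
        Ace("everyone@", frozenset({"add_file", "execute",
                                    "read_attributes", "read_acl"})),
    ])


def demo(aclinherit="passthrough"):
    """Exercise the drop box with a shared 'upload' account and a bystander."""
    folder = dropbox_folder()
    groups = {"users"}
    f = create_file(folder, "upload", "users", aclinherit)
    r = {
        "generic_can_add_file": check_access(folder, "upload", groups, {"add_file", "execute"}),
        "generic_can_list_folder": check_access(folder, "upload", groups, {"list_directory"}),
        "creator_can_read_own_file": check_access(f, "upload", groups, {"read_data"}),
        "bystander_can_read_file": check_access(f, "someone", groups, {"read_data"}),
    }
    # Post-create hand-off (what a hook or periodic job could do): reassign the
    # owner so the shared account no longer owns, and cannot read, its upload.
    f.owner = "root"
    r["generic_can_read_after_chown"] = check_access(f, "upload", groups, {"read_data"})
    return r


if __name__ == "__main__":
    for mode in ("passthrough", "discard"):
        print(mode, demo(mode))
```

Under passthrough the folder behaves as described: the shared account can add but not list, only the creating account (or root) can read the file, and reassigning the owner afterwards closes even that window. Under discard the same file ends up with the mode-derived ACL, so every account in the group and everyone else can read it, which is the inheritance setting to check first when a drop box turns out to be readable.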
 

blandoon (New Member, Aug 6, 2015, Eugene, OR USA)
> An ACL on a folder like "allow everyone to create files" is like a drop box. Everyone can throw in a file; nobody besides root can read.
>
> The person who created a file is the owner with full access (with aclinherit=passthrough), or the owner is inherited from the parent folder with aclinherit=discard, with some more inheritance options.
>
> You can then add more user or group permissions on a file or folder with different inheritance options. So you can use ACLs for a lot of use cases. You must decide if this is an option or if there are other methods that are easier to handle.

Agreed - after playing with it some more, I think the main limitation is that Owncloud won't play nice with an external storage share where it doesn't have access to read everything, which means the other solution (moving files or changing rights post-creation) will have to do.

Thanks for the help on this regardless.