Score:0

Does Ubuntu offer any client-side methods of limiting access to a server?


I have a home-media fileserver, to which I have connected a new user on Ubuntu 20.04 (via Samba). The file-server is a micro-PC doing the job of a NAS.

The new user is aged 9 and would like read permissions to a couple of folders of kids' videos, her own files, etc. I could just make her a local copy of them, but it would be nicer to find some way of limiting the access from the guest-side rather than on the server.

I'm interested in leaving the user with root permissions to the samba share but apparently-limiting it some other way in the UI

  1. Is there an intentionally-hamstrung / read-only filemanager I can install that doesn't have any ability to delete or change files? Or which can use an internal allowed or disallowed lists of folder locations, without reference to the user's permissions?

  2. Is it (likely to be) possible to remove the -rm and -mv commands from Thunar's capabilities? e.g. custom actions could be used to disable the 'delete' key (and it isn't in the menus) but there is still the ability to navigate around on the fileserver. In this case the "parent" directory literally is the parent's directory

  3. Is there any parental controls-type utility that can restrict File Managers as well as, or instead of, Internet access?

  4. As an alternative to 1. this is only for playing media, so is there any client-only "Video Jukebox" application that can't move/rename/delete?

  5. Also as an alternative to 1. I could potentially set up a media server application on the fileserver, round the side of Samba - but this doesn't seem like it would be simple with the packages available to Puppy Linux

===

People often say "children find ways round these things", but this involves a bunch of assumptions about ability levels - remember my workaround is to make a local copy

thanks xx Catty

Organic Marble
"I'm interested in leaving the user with root permissions to the samba share but apparently-limiting it some other way in the UI" this seems like the hardest possible way to do this. Why not manage permissions and access on the server?
evild4ve
@OrganicMarble, hi thanks for replying - the disk mounted inside the server is ntfs but hasn't had any users or permissions set on its files from within Windows, so from what I've read that's pretty hard. I'm looking at the moment at Samba permissions, as the other layer of security between the server's filesystem and the user on the client PC, but I wondered if there were any other options -on- the client PC.
Organic Marble
Ah, thanks, that does complicate things.
evild4ve
@evild4ve, I've reduced this to an issue with Samba permissions. A problem I have is that the child-user needs to be on Samba's "read list = " to a shared subfolder but not the shared folder above which the subfolder is located in. I'll find another forum to ask that but still need a client-side restriction within Ubuntu if possible.
Score:0

I've found a solution using Samba permissions, but would still like to know if there are any client-side approaches. (I've never heard of any, but who knows).

In my situation where there is an existing+working NAS-like fileserver sharing an external NTFS filesystem, where no user permissions have ever been set from within Windows, running a Samba Server, and an Ubuntu client PC with a grown-up user ("adultname") and a child user ("childname")...

  • The Samba NAS-box needs the capability to add the child's Ubuntu username as a user. E.g. via 'adduser childname'

  • the child's username is added to the server, but can't (easily) be used to set any acl/Linux file permissions on an NTFS disk, I just needed it to be there for Samba

  • On the server once the user has been created, they must be added to Samba and also enabled on Samba. The commands for this were 'smbpasswd -a childname' and then 'smbpasswd -e childname'.

  • so long as it worked okay before adding the child user (there are lots of guides), the /etc/fstab line the server uses to mount its HDD is not so important and can be left the same

  • the /etc/fstab line the client uses to mount the Samba share is also not so important; there is no need to add new settings for acl, or fmask= and dmask=, or file_mode= and folder_mode=, or for any additional credentials file to be created

  • there is no need to try and create a user mapping file to enable acl/POSIX file permissions on the ntfs disk (this might be possible as an approach)

  • in their respective /etc/fstab files the server can use ntfs as the filetype but the client must use cifs if it is to automount

  • on the shared HDD it is best not to keep the child user's folder inside the adult user's folder, or for the adult's folder to be the root of the drive (in my case I couldn't easily avoid these things)

  • the simple kind of permissions needed for adding a child user with no write access and limited read access can be managed inside Samba by editing smb.conf

  • in smb.conf the global settings needed to have this line added:-

    browseable = no

  • in smb.conf the entry for the adult user's share needed to have these lines added:-

    read list = root adultsname childsname

    write list = root adultsname

  • in the above, although it is counterintuitive, the child's username must be on the read list of the adult's samba share, since their folder is inside it and the permissions don't simply "traverse" to let them read their share without also being able to read the folder above

  • setting browseable = no isn't secure like removing the acl/POSIX file permissions from that user for those files, but in this case it's good enough

  • in smb.conf, the entry for the child user's share needed to have these lines added:-

    read list = root adultsname childsname

    write list = root adultsname

  • in my case the above changes didn't affect local Windows PCs accessing the shares

Other approaches might have been to make local copies of all the files for the child user, or to reformat the shared hdd as ext4 and organize the folder layout differently - but I found this way preferable, it does what I wanted, and it's using Samba's access control short of acl

If I have made any errors I would be grateful to know. If there is a simpler way of limiting a user within the Ubuntu UI that would be useful too (as it can't hurt to add such things on top if they are there).
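Added example (not part of the original answer): a simplified Python check that reads an smb.conf and reports what a given user can do on each share, using the answer's `read list` / `write list` lines. The share names, paths and the `[adult-locked]` share with `valid users` are assumptions made for illustration.

```python
import configparser

# Constructed sample modelled on the answer's layout; names and paths are assumptions.
SAMPLE_SMB_CONF = """
[global]
browseable = no

[adult]
path = /mnt/hdd/adult
read list = root adultsname childsname
write list = root adultsname

[child]
path = /mnt/hdd/adult/child
read list = root adultsname childsname
write list = root adultsname

[adult-locked]
path = /mnt/hdd/adult
valid users = root adultsname
write list = root adultsname
"""

def _names(section, key):
    # Samba separates list members with spaces and/or commas.
    return set(section.get(key, "").replace(",", " ").split())

def effective_access(conf_text, user):
    """Return {share: 'none' | 'read' | 'write'} for a plain user name.
    Simplified model: no @group members, includes or %-macros, and only the
    'read only' spelling (not inverted synonyms such as 'writable')."""
    cp = configparser.ConfigParser(default_section="global", interpolation=None)
    cp.read_string(conf_text)
    result = {}
    for share in cp.sections():
        sec = cp[share]
        valid, invalid = _names(sec, "valid users"), _names(sec, "invalid users")
        if user in invalid or (valid and user not in valid):
            result[share] = "none"    # connection refused by Samba
        elif user in _names(sec, "write list"):
            result[share] = "write"   # write list wins over read list
        elif user in _names(sec, "read list"):
            result[share] = "read"
        else:
            # Not listed anywhere: falls back to 'read only' (Samba default: yes).
            read_only = sec.getboolean("read only", fallback=True)
            result[share] = "read" if read_only else "write"
    return result
```

On the sample, `childsname` gets `read` on `[adult]` and `[child]`, and so does any other authenticated user, because `read list` grants read-only access but does not refuse a connection; `valid users` is the setting that does. Filesystem permissions on the server still apply underneath whatever Samba allows.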
