
Question: User Security


I was trying to turn on user security today, and I think I just don't quite understand the interaction of unRAID security with Windows security.

Before "introducing" unRAID to my family, I need to know how to lock it down. Most importantly, I want to restrict access to my 12 year old son's login on ONE disk share (disk10). It contains all the "R" rated movies that I don't want him seeing. It also contains backups which contain financial data.

I reread the manual and did a bunch of forum searches, but can't seem to figure out how this is supposed to work. Could some kind soul point me in the right direction?

I currently have "User shares" disabled, only disk shares are exported (read/write). I'd rather not mess with User Shares right now, but will enable them if I can't assign security on a disk share by disk share basis.

My Windows userid is "B J P" (notice spaces in the middle).

When I turned on user security and tried to attach to a disk share, I got a Windows login prompt, the username was "\\Tower\Guest" - which was grayed out and could not be changed. I could enter a password - but it would not take an empty password, a single space, or my Windows password.

So I tried to create an unRAID account called "Guest" (which it didn't accept because of the capital "G"), so instead created an account called "guest". Same problem trying to attach to the disk share.

I tried to create an unRAID account called "B J P", but it didn't like the caps or the spaces. So instead, I created a new user in unRAID called "b_j_p", with the password being the same as my Windows password. And I renamed my Windows account to "b_j_p" to live within unRAID's user naming standards, and tried to attach to a disk share. I was hoping it would "recognize me" since my userid and password matched and NOT have to prompt for a password. No such luck - up came the login to "\\Tower\Guest" prompt. CRAP!

I thought maybe I needed to assign a root password, so I did. After all, security is pretty thin if anyone can change security. I started getting login prompts on the management console, but was able to log in as root. I tried to attach to a disk share again - still got that prompt to login as "\\Tower\Guest".

ARG!

I disabled user security and all is back to normal.

Thanks for any help!

- Brian

Hi,

I'm a new user so I will try to explain what I will set up over this weekend. I can't guarantee that it works but I will try the following steps:

1.) Set root password. Check result on console.

2.) Enable User-shares. (I know they work as expected, already did a test drive).

3.) Set disk-shares to "don't export".

4.) Set flash-share to don't export.

5.) Create user-shares for "media for anyone", "restricted media", "mom", "dad" and another one for each kid.

5a.) Set "media for anyone" to:

Export mode: Export read-only

Exceptions: dad

5b.) Set "restricted media" to:

Export mode: Export read-only/hidden

Exceptions: dad

Valid users: mom,dad

5c.) Set "dad" to:

Export mode: Export read-only/hidden

Valid users: dad

5d.) Set "mom" to:

Export mode: Export read-only/hidden

Valid users: mom

5e.) Set "kid1" to (renamed):

Export mode: Export read-only/hidden

Valid users: kid1

5f.) Set "kid2" to (renamed):

Export mode: Export read-only/hidden

Valid users: kid2

6.) On all PCs create user accounts. They don't need to have the names of the unRAID accounts.

6a.) Dad's PC:

Attach drive letter R: to \\Tower\restricted media (use specific name and password of the share)

Attach drive letter Y: to \\Tower\media (...)

Attach drive letter Z: to \\Tower\dad (...)

6b.) Mom's PC:

Attach drive letter R: to \\Tower\restricted media (use specific name and password of the share)

Attach drive letter Y: to \\Tower\media (...)

Attach drive letter Z: to \\Tower\mom (...)

6c.) Kid1 PC:

Attach drive letter Y: to \\Tower\media (...)

Attach drive letter Z: to \\Tower\kid1 (...)

6d.) Kid2 PC:

Attach drive letter Y: to \\Tower\media (...)

Attach drive letter Z: to \\Tower\kid2 (...)

There are still two problems left.

a.) The access to the management console with "//Tower" is still possible for anyone in the network. I will filter that in my router so that I can switch that on/off. The access to the router is restricted to me ;-)

b.) The family PC (HTPC) with Media Portal on top. Can I install and configure MediaPortal for every user? Hmm, if not what account should I use. If I want to see restricted media I need to attach the drives here. I can give Pin-Codes to drives within Media Portal. But wait, if the kids close MediaPortal they can access the share directly. It seems that this is the only problem left. If you don't have a family PC the problem doesn't fit here ...

Does this sound reasonable? I will start tomorrow ...

Regards

Harald

<snip>

There are still two problems left.

a.) The access to the management console with "//Tower" is still possible for anyone in the network. I will filter that in my router so that I can switch that on/off. The access to the router is restricted to me ;-)

<snip>

You can also configure the management console to use a non-standard port.

In the "go" script change the following line:

/usr/local/sbin/emhttp &

to be

/usr/local/sbin/emhttp -p 8080 &

Now, when you reboot the unRaid server, its management page will be on port 8080 instead of 80 (the default used by your web-browsers).

The URL to get to it would then be //tower:8080/main.htm. You can use most any un-used port if 8080 is not a good one for you.

Granted, the management console will not be more secure, but less likely for your kids to stumble across, especially if you can block the non-standard port on your router. Think of it as "security through obscurity."

Joe L.

You can also configure the management console to use a non-standard port. In the "go" script change the following line:

/usr/local/sbin/emhttp &

to be

/usr/local/sbin/emhttp -p 8080 &

Ah, I see. Cool!

Thanks.

Harald

Granted, the management console will not be more secure, but less likely for your kids to stumble across, especially if you can block the non-standard port on your router. Think of it as "security through obscurity."

BTW, is it possible to move the starting page (e.g. index.html) to something like "xyzblablub.html"? This would give 5% more security as well.

Regards

Harald

Thanks!

My array is currently offline with a hardware problem. Once I get things fixed, I'll try and follow through these directions.

- Brian

Granted, the management console will not be more secure, but less likely for your kids to stumble across, especially if you can block the non-standard port on your router. Think of it as "security through obscurity."

BTW, is it possible to move the starting page (e.g. index.html) to something like "xyzblablub.html"? This would give 5% more security as well.

Regards

Harald

Perhaps BASIC AUTHENTICATION should be used so the web server is inaccessible without the proper user name and password.

That is the proper thing to do - login for the config page.

Archived

This topic is now archived and is closed to further replies.
