Permissions


Barry

First let me compliment the unRAID developers. Many smart decisions were made architecting this product and I think the result is exceptional. I tried several other solutions before unRAID. So far unRAID just works!

 

I am using unRAID for my small business server.  I realize more users use unRAID for personal media, but I think there are great advantages for businesses.  I installed an OPNSense VM firewall with pass through network ports, and a few other VMs for specific tools.  It all works together brilliantly on a refurbished Cisco 1U server.

 

It seems to me permissions are a significant weakness of unRAID in business applications. I would like to give people just the permissions they need to do their jobs. Sharing the root password with several employees is not ideal. Keeping the root password to myself means I need to do all the unRAID and VM configuration and maintenance myself, also not ideal.

 

It would sure be handy to have group level share permissions so you could assign employees to groups with established permissions rather than trying to properly configure permissions for each individual employee.  

 

Are there any granular server permissions or group share permission features available from the unRAID command line?

 

Segregating and managing permissions is one of the key requirements of the new NIST standards for business cyber security. I think many small businesses will be looking for systems that help them improve their information security.

 

Thanks 

Link to comment

Have you played with unRAID? The reason I ask is that the user root does not have access of any type of user share or disk share. That is strictly forbidden for security reasons!

 

I have done a bit of playing around with SMB security settings for both user shares and disk shares and there seems to be considerable flexibility with setting up the share so that you can restrict exactly how any user has access to any share -- no-access, read-only, and read-write. You can even 'hide' a share so that you have to know its share-name to be able to even attempt to connect to it.

 

What you don't have at this point is user-groups to which you can assign a user so that he inherits all of the permissions associated with that group. (As I looked at my client Windows 7 shares there seems to be some provision for creating something like this but it looks complicated enough that I didn't want to take a chance in experimenting around and really screw things up. Perhaps it is simple, but I rather doubt it from my experience with MS Networking over the past twenty years.)

 

I think you should outline what you would like to have with enough details to give a clear picture of how you see it working from the user/administrator standpoint.  Then request that the moderators move this thread to the "Feature Request" sub-forum. 

Link to comment

I didn't clearly separate my two permission-related issues.

 

The first issue is the single root user permission.  This setup leaves me with two choices:

1. Keep the root password to myself which means I have to do all the system maintenance operations myself.  I really need to delegate some of these operations like VM management.

2. Share the root password which enables others to control every aspect of the server.  This seems the opposite of security.

 

I really think there should be a 3rd option where individual server admin functions could be delegated to separate users with a few key operations reserved for the root user.

 

The other completely separate permission issue is user groups to enable access based on pre-configured group permissions. The more I think about this, the more I suspect this could be achieved with a simple script that applies permissions to share users using the existing share permission structure.

 

That leaves me with the first issue.  Are there any ways right now to divide administration privileges?

Link to comment
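The script idea raised in the post above, sketched as an added example (not part of the original thread and not unRAID's own code): it flattens group definitions into the per-user no-access / read-only / read-write settings mentioned earlier in the thread. The users, groups, shares, the default-deny and deny-overrides rules, and all function names are assumptions; writing the result into the server's share settings is not shown.

```python
"""Expand group-based share grants into per-user settings (constructed example)."""

LEVELS = {"no-access": 0, "read-only": 1, "read-write": 2}  # levels named in the thread

# Constructed sample data: users, group membership, per-share grants by group.
USERS = {"alice", "bob", "carol", "dave", "erin"}
GROUPS = {
    "accounting": {"alice", "bob"},
    "engineering": {"carol", "bob"},
    "contractors": {"dave"},
}
GRANTS = {
    "finance": {"accounting": "read-write", "contractors": "no-access"},
    "projects": {"engineering": "read-write", "accounting": "read-only",
                 "contractors": "read-only"},
}


def effective_access(users, groups, grants):
    """Return {share: {user: level}}; assumed policy: default deny, deny overrides."""
    unknown = set().union(*groups.values()) - users
    if unknown:
        raise ValueError(f"groups reference unknown users: {sorted(unknown)}")
    result = {}
    for share, by_group in grants.items():
        access = {}
        for user in sorted(users):
            levels = [by_group[g] for g, members in groups.items()
                      if user in members and g in by_group]
            if not levels or "no-access" in levels:
                access[user] = "no-access"  # no grant at all, or an explicit deny
            else:
                access[user] = max(levels, key=LEVELS.__getitem__)
        result[share] = access
    return result


def changes(current, desired):
    """List (share, user, old, new) for each per-user setting that must change."""
    return [(s, u, current.get(s, {}).get(u, "no-access"), lvl)
            for s, per_user in desired.items() for u, lvl in per_user.items()
            if current.get(s, {}).get(u, "no-access") != lvl]


if __name__ == "__main__":
    for share, per_user in effective_access(USERS, GROUPS, GRANTS).items():
        print(share, per_user)
```

Running `changes()` against the settings currently in place gives a reviewable list of what would be granted or revoked before anything is applied.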

Archived

This topic is now archived and is closed to further replies.
