IN THIS ARTICLE
Outlines the default File Permissions for File Shares created via the Qumulo Web User Interface including:
- NFS
- SMB (NTFS)
- Modify ACL
- Qumulo SMB Root Share
- Read ACL
- SMB user logged in as Guest
REQUIREMENTS
- Cluster running Qumulo Core
- Created File Shares via the Qumulo Core Web UI
DETAILS
NFS
- The default permissions for the NFS root directory are rwxrwxrwx (0777).
- The NFS root directory is owned by root (UID 0) and group “nfsnobody”.
- All users will be able to create files and directories in the current directory.
- All users will be able to delete files and directories in the current directory, including those owned by root.
- Users other than root will not be able to chmod or chown files and directories not owned by their UID. (This assumes that root is not being mapped to another user in the Qumulo NFS share settings.)
- Files and directories will have POSIX mode bits set according to the user’s system umask settings. Refer to your system’s documentation on how to modify your file system’s creation umask.
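An added example (not part of the original article or of Qumulo's tooling): a Python check that an administrator could run from an NFS client to confirm what the defaults above imply under POSIX semantics, and to see which mode bits new files receive under common umask values. The function names and the mount path mentioned in the comment are assumptions; the demo runs against a constructed temporary directory set to 0777.

```python
import os
import stat
import tempfile

WORLD_WX = stat.S_IWOTH | stat.S_IXOTH  # "other" may add/remove directory entries


def audit_mode(mode):
    """Findings for a directory's permission bits (POSIX semantics)."""
    findings = []
    if mode & WORLD_WX == WORLD_WX:
        findings.append("world-writable: any user can create entries here")
        if not mode & stat.S_ISVTX:
            findings.append("no sticky bit: any user can delete or rename "
                            "entries owned by others, including root's")
    return findings


def audit_export_root(path):
    """Stat a mounted export root and report owner, mode and findings."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {"mode": f"{mode:04o}", "uid": st.st_uid, "gid": st.st_gid,
            "findings": audit_mode(mode)}


def mode_after_umask(requested, umask):
    """Mode bits a new file or directory receives from the client's umask."""
    return requested & ~umask & 0o777


if __name__ == "__main__":
    # Constructed stand-in for a mount point such as /mnt/qumulo (hypothetical).
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o777)  # the documented default for the NFS root
        print(audit_export_root(root))
    for umask in (0o022, 0o027, 0o077):
        print(f"umask {umask:03o}: files {mode_after_umask(0o666, umask):04o}, "
              f"dirs {mode_after_umask(0o777, umask):04o}")
```

Point `audit_export_root` at the real mount point to compare the live export root against the documented default.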
SMB (NTFS)
Qumulo\* denotes the local domain name (cluster name) of your Qumulo cluster, and “Admin” refers to the built-in Qumulo Admin account, not the AD Domain Admin or machine-local Admin account.
These are the permissions of the root directory of a newly created Qumulo Cluster, for example:
\\yournewqumulo.yourcompany.com\Files
One User Account and Two Groups are given rights to the root share by default:
- Qumulo\admin (User): All ACEs except Full Control and Delete for “This folder only”
- Qumulo\users (Group): “Modify” ACL for “This folder only”
- Everyone (Group): “Modify” ACL for “This folder only”
Modify ACL
- Traverse folder / execute file
- List folder / read data
- Read attributes
- Read extended attributes
- Read permissions
- Create files / write data
- Create folders / append data
- Write attributes
- Write extended attributes
- Delete subfolders and files
Qumulo SMB Root Share
SMB user logged in as Qumulo\admin:
- User will be able to create files and directories in the current and all future directories.
- User will be able to read all files and file attributes and list all directories in the current and all future directories.
- User will be able to delete or rename all files and directories in the current and all future directories.
- User will be able to change ownership and permissions for all files and directories in the current and all future directories.
SMB user logged in as a non-admin member of the Qumulo\users group:
- This is the default group that all non-Guest accounts belong to at time of account creation.
- User will be able to read all files and file attributes and list all directories in the root directory and any future directories created by other members of the Qumulo\users group in the root directory.
- User will be able to rename, delete and modify permissions on any files or directories created by this user in the current directory and in any subsequent sub-directories created in this directory.
- User will be able to create or append new files and directories in the root directory and in any subsequently created sub-directories. The new files and directories created will be owned by this user and will receive the following permissions:
  - File/Folder Creator - “Modify” ACL
  - Everyone (Group) - “Read” ACL
  - Qumulo\Users (Group) - “Read” ACL
Read ACL
- Traverse folder / execute file
- List folder / read data
- Read attributes
- Read extended attributes
- Read permissions
Note that this means that any other non-Qumulo admin users will not be able to write to, rename, append, modify or take ownership of any of the directories and files created inside the Qumulo root share by the currently logged in user unless permission is implicitly given by the file owner or Qumulo admin. This includes all other non-admin members of the Qumulo\users group.
SMB user logged in as Guest
Guest access has to be enabled in the Sharing > SMB Shares panel by clicking on the pencil Edit icon next to the share name in the SMB Shares list.
- The Guest account belongs to the “Guests” Qumulo user group and is not a member of the Qumulo\users group
- The Guest account falls under the “Everyone” NTFS permissions group of the Qumulo root share
Guest will be able to create files and directories in the Qumulo share root directory, as inherited from the root directory’s Everyone permissions ACL.
Files created by Guest will have the owner Qumulo\guest and receive the following permissions:
- Guest - “Modify” ACL
- Everyone (Group) - “Read” ACL
- Qumulo\Guests (Group) - “Read” ACL
Non Qumulo-admin members of other user groups will be able to read files and list directories created by Guest but will not be able to write to, append or modify those files or directories. Guest will be able to modify permissions and change ownership of files and directories created by this account.
RESOLUTION
You should now have a general understanding of the default file permissions in Qumulo Core.