Share And Folder Security Overview - Overland Storage SnapServer Administrator's Manual

SnapServer 7.0 Administrator's Guide
Files and directories in a Windows root directory can have either a Windows or Unix
security personality, depending on the network protocol used to create the file or change
permissions on it. Files in a Unix security model always have the Unix security personality
and can only be set by NFS clients.

Share and Folder Security Overview

SnapServers support file access in Windows, Unix, and Apple networks, as well as access
via FTP and HTTP. Although GuardianOS runs on an optimized Linux kernel and has
many Linux characteristics, the cross-platform features make it very different than a pure
Linux distribution. Systems running GuardianOS are storage appliances dedicated to file
services. Administrators should not expect the same behavior as a pure Linux system when
administering a SnapServer.
By default, volumes are created with the Windows/Mixed security model (Windows-style
ACLs for files created by SMB clients and Unix-style permissions for files created by other
protocols and processes), and allow all users to create, delete, and configure permissions on
their own files and to access files and directories created by other users.
New shares are created by default with full read-write access to all users, subject to the
filesystem permissions on the share target directory. The first step to securing a
SnapServer is to specify access at the individual share level. Administrators can assign
Read/Write or Read-Only share access to individual Windows (and local) users and groups.
Hidden Shares
There are three ways a share can be hidden in GuardianOS:
• Name the share with a dollar-sign ($) at the end. This is the traditional Windows
method of hiding shares; however, it does not truly hide the share since Windows
clients themselves filter the shares from share lists. Other protocols can still see
dollar-sign shares.
• Hide the share from all protocols (except NFS) by navigating to Security > Shares >
Create Share > Advanced Share Properties
or by selecting a share, clicking to expand Advanced Share Properties, and selecting the
Hide this Share checkbox. When a share is hidden this way, the share is invisible to
clients, and must be explicitly specified to gain access.
NOTE: Hidden shares are not hidden from NFS, which cannot access invisible shares. To hide
• Disable individual protocol access to certain shares by navigating to Security > Shares
> Create Share > Advanced Share Properties
protocols, or by selecting a share, clicking to expand Advanced Share Properties, and
enabling or disabling specific protocols.
File and Directory Permissions
GuardianOS supports two "personalities" of filesystem security on files and directories:
• Unix: Traditional Unix permissions (rwx) for owner, group owner, and other.
• Windows ACLs: Windows NTFS-style filesystem permissions. Windows ACLs fully
support the semantics of NTFS ACLs, including configuration, enforcement, and
inheritance models (not including the behavior of some built-in Windows users and
groups).
10400317-001 10/2011
shares from NFS, consider disabling NFS access to the hidden shares.
©2010-11 Overland Storage, Inc.
and selecting the Hide this Share checkbox,
and enabling/disabling specific
7 – Security Options
7-7