Topic: FlexRAID pool bypasses file read permissions?

Offline gman7234

FlexRAID pool bypasses file read permissions?
« on: February 10, 2013, 02:10:32 pm »
It seems FlexRAID is bypassing file system permissions somehow.  I feel this could be a potentially exploitable security flaw.  Is this a known issue, design constraint, or did I do something wrong?  Check out the attachment and sorry if this has already been answered.


Offline Brahim

Re: FlexRAID pool bypasses file read permissions?
« Reply #1 on: February 10, 2013, 02:22:53 pm »
By design.
Permissions are bypassed only in the context that you are sharing the pool with other users (otherwise, they don't have access to it).
Add your restrictions at the share level.

Offline gman7234

Re: FlexRAID pool bypasses file read permissions?
« Reply #2 on: February 10, 2013, 03:20:47 pm »
OK, that will be sufficient for my use, but is there any way to and/or are there plans to honor the permissions at the file level?

Offline Brahim

Re: FlexRAID pool bypasses file read permissions?
« Reply #3 on: February 10, 2013, 04:44:38 pm »
It is honored at the file level.
Again, you are granting others the same permission as you when you share it.
Any additional restriction must be applied at the share level.

Offline gman7234

Re: FlexRAID pool bypasses file read permissions?
« Reply #4 on: February 10, 2013, 06:03:15 pm »
I understand limiting at the share level but file level is lower than share level so it should take precedence.  So I guess I'm asking if this is possible or is it too expensive computationally? 

For example, in the attachment I gave, you see clearly that no users have read access on the file inside the pool. Yet I am able to read the file just fine, even logged in as a limited user on the system. This is not the case with "shares" outside of the FlexRAID_POOL directory, as if the user does not have read authority, they are not able to read.

This tells me that this stuff is being accessed as root and the file system permissions are ignored.  This is a concern in a production environment with both samba and shell users.

However, I will admit that maybe there is a better way to set up users on the system to somehow prevent this.  I just don't see it yet and feel that the file system permissions should be honored fully from inside the share.  Again, not critical for my immediate need but maybe a feature request?

Thanks and sorry for being a pain.
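
A way to check a mount for the behavior described in Reply #4, as an added example that is not part of the thread and is not FlexRAID code: it walks a directory tree and reports regular files that open for reading even though the owner/group/other mode bits deny read to the calling user. It assumes a POSIX system and ignores ACLs; the function names are illustrative.

```python
import os
import stat
import sys


def mode_allows_read(st, uid, gids):
    """What the classic owner/group/other bits grant this uid (ACLs ignored)."""
    if uid == 0:
        return True  # root is never restricted by mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def try_open(path):
    """True if the file can actually be opened and read by this process."""
    try:
        with open(path, "rb") as fh:
            fh.read(1)
        return True
    except OSError:
        return False


def audit(root, uid=None, gids=None, opener=try_open):
    """Return files under root that are readable although the mode bits say no."""
    uid = os.geteuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getegid()} if gids is None else set(gids)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            if not mode_allows_read(st, uid, gids) and opener(path):
                findings.append(path)
    return sorted(findings)


if __name__ == "__main__":
    # Run as the limited user, e.g.: python3 audit.py /path/to/pool/mount
    for p in audit(sys.argv[1]):
        print("readable despite mode bits:", p)
```

Run it as the limited account, once against the pool mount and once against a directory outside it; an empty result on the second and a non-empty one on the first reproduces the difference reported above.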