Question

AFS - Home directory permissions allow ALL users to read ALL home folders?

  • 14 August 2018
  • 7 replies
  • 1578 views

Userlevel 4
Badge +8
We just set up AFS. On the home directories, we expected that like a Windows home directory setup, the user would be the only person able to view their home folder. (and Domain Admins of course).

But, on AFS per this doc https://portal.nutanix.com/#/page/docs/details?targetId=Acropolis-File-Services-Guide-v20:Acropolis-File-Services-Guide-v20 and also per our experience it seems like ALL USERS can view everybody's folder and contents. This seems like a security problem since HOME directories are typically expected to allow only the user to view their data.

Is this by design? It seems like a significant security challenge and much different from how this would typically be set up on a Windows file server.

7 replies

Userlevel 2
Badge +7
is ABE enabled?
https://portal.nutanix.com/#/page/docs/details?targetId=Acropolis-File-Services-Guide-v22:afs-file-server-enable-abe-wc-t.html
Userlevel 7
Badge +35
Hi @jlackman did you see the reply from @manfred
Userlevel 4
Badge +8
Yes (see screenshot). I actually think this is by design. If you read the explanation in the Guide linked above, it says;

HOME SHARES
Domain administrator: Full access
Domain User: Read only
Creator Owner: Full access (inherited only)

To me that means that any domain user can READ all HOME folders. That's not what we want. I don't think anybody would want that. We can modify the permissions, but I think it is strange that it creates the HOME share with these default permissions.

Userlevel 4
Badge +18
Hi @jlackman

How are the home folders created? You are correct about the default permissions you mentioned above, but if the folder is system created we would expect that only the windows user which owns the home directory would have access to the folder. Access Based Enumeration can then restrict discovery of the directories at the root level if needed.

If the home folder creation is leading to inheritance then what you're seeing is indeed expected.

Thanks,
Mike
Userlevel 4
Badge +8
Hi @mmcghee

the "HOME" directory is created when AFS is installed; the Nutanix setup process automatically creates that folder. That's the crux of my recommendation; I would think the same process could create the HOME folder without giving all users read access then it could be ready for use as soon as created, without having to modify permissions. https://portal.nutanix.com/#/page/docs/details?targetId=Acropolis-File-Services-Guide-v20:Acropolis-File-Services-Guide-v20
We too would like to have user's homedirectories not readable by other users. However, directories created are readable by everyone. Is there a smart way to change this?
Userlevel 4
Badge +8
We too would like to have user's homedirectories not readable by other users. However, directories created are readable by everyone. Is there a smart way to change this?

You can manually change those permissions. That's what we did, just adjust the permissions to what we would expect on a traditional file server.

Reply