We just set up AFS. On the home directories, we expected that, like a Windows home directory setup, the user would be the only person able to view their home folder (and Domain Admins, of course).
But, on AFS per this doc https://portal.nutanix.com/#/page/docs/details?targetId=Acropolis-File-Services-Guide-v20:Acropolis-File-Services-Guide-v20 and also per our experience it seems like ALL USERS can view everybody's folder and contents. This seems like a security problem since HOME directories are typically expected to allow only the user to view their data.
Is this by design? It seems like a significant security challenge and much different from how this would typically be set up on a Windows file server.
Is ABE enabled?
https://portal.nutanix.com/#/page/docs/details?targetId=Acropolis-File-Services-Guide-v22:afs-file-server-enable-abe-wc-t.html
Hi @jlackman, did you see the reply from @manfred?
Yes (see screenshot). I actually think this is by design. If you read the explanation in the Guide linked above, it says:
HOME SHARES
Domain administrator: Full access
Domain User: Read only
Creator Owner: Full access (inherited only)
To me that means that any domain user can READ all HOME folders. That's not what we want. I don't think anybody would want that. We can modify the permissions, but I think it is strange that it creates the HOME share with these default permissions.
Hi @jlackman
How are the home folders created? You are correct about the default permissions you mentioned above, but if the folder is system created we would expect that only the Windows user who owns the home directory would have access to the folder. Access Based Enumeration can then restrict discovery of the directories at the root level if needed.
If the home folder creation is leading to inheritance then what you're seeing is indeed expected.
Thanks,
Mike
Hi @mmcghee
The "HOME" directory is created when AFS is installed; the Nutanix setup process automatically creates that folder. That's the crux of my recommendation; I would think the same process could create the HOME folder without giving all users read access, then it could be ready for use as soon as created, without having to modify permissions. https://portal.nutanix.com/#/page/docs/details?targetId=Acropolis-File-Services-Guide-v20:Acropolis-File-Services-Guide-v20
We too would like to have users' home directories not readable by other users. However, directories created are readable by everyone. Is there a smart way to change this?
You can manually change those permissions. That's what we did, just adjust the permissions to what we would expect on a traditional file server.
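A report-only way to see which home folders still carry the broad read entry discussed in this thread, before or after adjusting permissions by hand. This is an added example, not code from any poster or from Nutanix; the UNC path, the EXAMPLE domain, the sample user and the list of broad principals are assumptions.

```powershell
# Added example: report-only audit of per-user home folders; it changes no permissions.
# Assumptions: the UNC path and the EXAMPLE domain are placeholders, and group
# names are matched by their English names.
$HomeRoot = '\\fileserver.example\home'
$BroadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')

function Get-BroadAce {
    param([string]$Path, [object[]]$Rules)
    foreach ($rule in $Rules) {
        # Strip the domain or authority prefix, e.g. EXAMPLE\Domain Users -> Domain Users.
        $name = ($rule.IdentityReference.ToString() -split '\\')[-1]
        if ($rule.AccessControlType.ToString() -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $name) { continue }
        # An InheritOnly entry applies to children, not to this folder itself.
        if ($rule.PropagationFlags.ToString() -match 'InheritOnly') { continue }
        [pscustomobject]@{
            Folder    = $Path
            Principal = $rule.IdentityReference.ToString()
            Rights    = $rule.FileSystemRights.ToString()
            Inherited = [bool]$rule.IsInherited
        }
    }
}

if (Test-Path -LiteralPath $HomeRoot) {
    # Live run: read the ACL of every first-level folder under the home share.
    $findings = Get-ChildItem -LiteralPath $HomeRoot -Directory | ForEach-Object {
        Get-BroadAce -Path $_.FullName -Rules @((Get-Acl -LiteralPath $_.FullName).Access)
    }
} else {
    # Offline run: constructed entries mirroring the defaults quoted in the thread,
    # as they would look on a user folder that inherited them.
    $sample = @(
        [pscustomobject]@{ IdentityReference = 'EXAMPLE\Domain Admins'; AccessControlType = 'Allow'
            FileSystemRights = 'FullControl'; IsInherited = $true; PropagationFlags = 'None' }
        [pscustomobject]@{ IdentityReference = 'EXAMPLE\Domain Users'; AccessControlType = 'Allow'
            FileSystemRights = 'ReadAndExecute'; IsInherited = $true; PropagationFlags = 'None' }
        [pscustomobject]@{ IdentityReference = 'EXAMPLE\alice'; AccessControlType = 'Allow'
            FileSystemRights = 'FullControl'; IsInherited = $true; PropagationFlags = 'None' }
    )
    $findings = Get-BroadAce -Path "$HomeRoot\alice" -Rules $sample
}
$findings | Format-Table -AutoSize
```

Rows with Inherited set to True indicate the entry came down from the share root, which is the inheritance case Mike describes above.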