
Resolved
0 votes
I'm using File Access Control List for extended permissions in ClearOS 7. CO does not specifically support this from the GUI but it does not prohibit it either. The getfacl and setfacl commands work from the shell and the same thing can be accomplished from Windows with a right click on the file or folder.

I've got a 2nd group of users to access a share by manually tweaking the flexshare.config settings so that I can give individual users specific access to specific folders. It's a very good thing to be able to do. This can be accomplished from the WebGUI in FreeNAS. The folders the user has no access to simply don't show up for them.

However FTP does not seem to respect the FACL settings. Instead it won't allow any from the guest group to see the contents. A line in /etc/proftp.d/flex-21.conf partially solves the problem;
HideNoAccess off

But then all the directories are visible including the ones the user gets blocked from.

I have determined that it's not using FACL and simply going on basic Linux permissions like the rest of ClearOS.

I don't know if I'm missing an obvious thing I'm supposed to install such as Active Directory or if this is a feature request or simply help with a workaround.

How do I get mod_facl into ClearOS Proftp?

I do think ClearOS would be better if it could do FACL properly.
Friday, November 20 2020, 04:18 PM
Responses (3)
  • Accepted Answer

    Saturday, November 21 2020, 11:46 AM - #Permalink
    Resolved
    1 votes
    From http://www.proftpd.org/docs/modules/mod_facl.html it tells you how to build ProFTPd with facl support. Looking at the EPEL sources (we use their package), it looks like they build with:
    --enable-facl --with-shared=mod_facl:........
    This looks slightly different but may be functionally the same. I have no idea. So there may be facl support built in. Again looking at the docs there is a parameter "FACLEngine on|off" which defaults to on so should not be needed (and does not appear in proftpd.conf or /etc/proftpd.d/*.conf).

    Longer term, for shares, I think that setting facls in ClearOS should be avoided and it should be done in Windows instead. If we end up with ClearOS as an AD/DC then ACLs in Samba will use a VFS module when set by Windows, but possibly not when set using setfacl. However that is for the longer term and not now.
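
Added example, not part of the thread or of ProFTPD: a simplified model of why a directory can vanish under HideNoAccess when a server checks only the mode bits instead of the ACL entries that mod_facl evaluates. The getfacl output, user names and group names are constructed for illustration.

```python
# Added example; the users, groups and ACL entries below are constructed.
SAMPLE_GETFACL = """\
# file: projects
# owner: root
# group: staff
user::rwx
user:guest1:r-x
group::rwx\t#effective:r-x
group:guests:---
mask::r-x
other::---
"""

def parse_getfacl(text):
    """Return (owner, owning_group, {(tag, qualifier): set of perms})."""
    meta, perms = {}, {}
    for line in text.splitlines():
        if line.startswith("# "):
            key, _, value = line[2:].partition(":")
            meta[key] = value.strip()
        elif line.strip():
            tag, qual, bits = line.split(":")[:3]
            perms[(tag, qual)] = set(bits[:3]) - {"-"}  # ignores "#effective" suffix
    return meta["owner"], meta["group"], perms

def acl_allows(text, user, groups, want):
    """POSIX ACL check: first matching class decides; mask caps named and group entries."""
    owner, group, perms = parse_getfacl(text)
    mask, want = perms.get(("mask", ""), set("rwx")), set(want)
    if user == owner:
        return want <= perms[("user", "")]
    if ("user", user) in perms:
        return want <= perms[("user", user)] & mask
    matched = [perms[("group", g)] for g in groups if ("group", g) in perms]
    if group in groups:
        matched.append(perms[("group", "")])
    if matched:
        return any(want <= p & mask for p in matched)
    return want <= perms[("other", "")]

def mode_bits_allow(text, user, groups, want):
    """Model of a check that ignores ACL entries and reads only owner/group/other bits."""
    owner, group, perms = parse_getfacl(text)
    if user == owner:
        bits = perms[("user", "")]
    elif group in groups:
        # With an extended ACL, the group bits of the file mode show the mask.
        bits = perms.get(("mask", ""), perms[("group", "")])
    else:
        bits = perms[("other", "")]
    return set(want) <= bits
```

For guest1 the ACL check grants read and traverse through the named user entry, while the mode-bits check falls through to other::--- and denies, which matches a directory being visible from Windows but hidden over FTP.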
  • Accepted Answer

    Saturday, November 21 2020, 12:22 PM - #Permalink
    Resolved
    0 votes
    Hello Nick,

    I should inspect the logs (I hate doing that) but from ProFTP's behaviour it's ignoring FACL.
    HideNoAccess ON
    makes directories vanish from my user who can see them from Windows.

    I don't yet know how to build ProFTP inside ClearOS but it sounds like I need to do that. Then perhaps it will respect FACL settings.

    Longer term I do think ClearOS should be more aware of FACL even if it does not directly set it, let the Windows user do that. The thing I did was remove
    valid users =
    from flexshares.conf for SAMBA;

    smb.conf
    # ACL
    vfs objects = acl_xattr
    map acl inherit = yes
    access based share enum = yes


    flexshare.config
    #	valid users = @"%D\staff", @"staff"
    veto files = /.flexshare*/

    nsf4:chown = true
    nsf4:acedup = merge
    access based share enum = yes
    ea support = true

    hide unreadable = yes
    hide unwriteable files = no



    Those changes allowed me user level file access control from Windows.
    Not a huge thing to add into the GUI

    Thanks.
  • Accepted Answer

    Saturday, November 21 2020, 01:02 PM - #Permalink
    Resolved
    0 votes
    Wayland Sothcott wrote:
    I don't yet know how to build ProFTP inside ClearOS but it sounds like I need to do that. Then perhaps it will respect FACL settings.

    I am not so sure. I think the EPEL version is building correctly. Perhaps similar to flexshares, it has something to do with the "AllowGroup" setting in /etc/proftpd.d/flex-21.conf and /etc/proftpd.d/flex-990.conf


    Not a huge thing to add into the GUI
    Probably bigger than you think as flexshare configs get stored in a non-standard way in /etc/clearos/flexshare.conf. They also impact FTP (as you've seen) and Websites.