Koozali.org: home of the SME Server

IBay wide open?

Offline DragonDon

« on: April 27, 2011, 05:21:48 AM »
In the ongoing process that is my learning, I read something about IBay permissions that seemed to confuse me.

According to:  http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter14

"If an i-bay is set for no public access via web or anonymous ftp, users connecting to the i-bay through Windows or Macintosh file sharing will see only the contents of the files directory. However, if the i-bay settings are later changed to allow public access through web or anonymous ftp, users connecting through file sharing will then see the top-level directory of the i-bay with the three subdirectories of html, files and cgi-bin."

Yet an ibay I created and allowed only 'local network - no password' can see all levels through a windows share.

ibay - 'backup'
- write/read set to group
- access: local network, no password

If "no public access" is set, why can a user with a mapped drive see more than "only the contents of the files directory"?

Am I mis-interpreting 'public access' to mean 'anything but the internet'?  Or better worded, does 'no public access' mean only inside the server and as soon as you say 'local network' that then becomes 'public access'?

Offline janet

Re: IBay wide open?
« Reply #1 on: April 27, 2011, 11:17:55 AM »
DragonDon

Quote
Am I mis-interpreting 'public access' to mean 'anything but the internet'?  Or better worded, does 'no public access' mean only inside the server and as soon as you say 'local network' that then becomes 'public access'?

public access is from anywhere other than your local network
private access is from your local network only (which includes VPN access from external locations)

So "no public access" would mean only users on your local network can have access,
and "local network" implies private access.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline DragonDon

Re: IBay wide open?
« Reply #2 on: April 28, 2011, 07:41:03 AM »
Hi Mary,

Thanks for the clarification.  I still need some guidance in understanding why mapped network drives from users can see more than just files folder.

"users connecting to the i-bay through Windows or Macintosh file sharing will see only the contents of the files directory"

Is the above quote from the manual purely talking about setting up a 'default group' with no modifications to security levels?   

Actually, that doesn't help either.  Default permissions are 'write - admin, read - group'.

So I have a user 'user1' who is part of a group 'bupusers'(backup users).  I created an IBay called 'backup'.

IBay permissions:  write - group, read - group
    - Public access via web or anonymous ftp:  Local network (no password)

bupusers group users:  user1

What is concerning me is that user1 can see all folders and not " only the contents of the files directory".

Checking folder permissions directly.


drwxr-xr-x  6 root      root      4096 Apr 24 22:54 backup

So the owner is root and the group is root.

Further checking shows that all folders beneath belong to the 'bupusers' group and the owner is root.

So, why is a non-admin user able to see all folders?

When I mapped the drive, I mapped it to \\smeservername\backup  and connected with 'user1'.  Shouldn't that have failed because 'user1' is not part of the 'root' group?

Offline janet

Re: IBay wide open?
« Reply #3 on: April 28, 2011, 09:15:11 AM »
DragonDon

The only ibay setting that creates the situation where the ibay does not act like a web accessible share is
No access.
All other setting choices enable the ibay for web access (using a web browser), be it limited to local network only (private) or wide open to everyone on the Internet (public).

Whenever the ibay is enabled for web access, then all the folders will be visible when accessed from a Windows/samba share or similar. I am not referring to web browser access, but the likes of My Network Places in Windows Explorer.

If web access is disabled ie (No Access setting) then users will only see files in what appears to be the main ibay name, they will not see the .../files folder, it is actually hidden from view.
If web access is enabled, then those same files will now appear to be in a subfolder of the ibay called .../files

Quote
What is concerning me is that user1 can see all folders and not "only the contents of the files directory".

I suggest you change the access permission in the ibay setup to
No access
You can then access the files via Windows share/samba, but you will not be able to access the files locally (privately) or externally (publicly) via a web browser
ie on a web enabled ibay this would be at http://yourdomain/ibayname

Hope that clarifies it and makes sense to you.

Offline jphilip

Re: IBay wide open?
« Reply #4 on: April 28, 2011, 10:17:10 AM »
Dragondon

To be clear, is user1 seeing the html folder or its contents, or is your concern that they can see all folders below and including the files folder? If the latter, this is standard since sub-folders are part of 'contents of the files directory'.


Offline DragonDon

Re: IBay wide open?
« Reply #5 on: April 29, 2011, 06:52:59 AM »
The concern is that the user can see all 4 folders within the users directory instead of "only the contents of the files directory".  Which to me, 'files' means '/files' directory under the /ibays/user1....hmmm, I need to revisit my setup.  I'll start a new thread to verify my setup is right in the first place.


Offline idp_qbn

Re: IBay wide open?
« Reply #6 on: April 29, 2011, 08:31:49 AM »
DragonDon,
Basically, the only setting that locks out the other directories and only allows users access to the "files" directory is:
Public access via web or anonymous ftp : "No access"

Anything else lets the user see all directories in that Ibay......they may or may not have permission to read/write into them (you can set a password on an Ibay) but they can certainly see the directories.

Cheers
Ian
___________________
Sydney, NSW, Australia
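
The rule the replies arrive at ("No access" roots the share at the files directory, any other setting roots it at the top level with html, files and cgi-bin) can be checked across all shares at once. The following is an added example, not part of the thread or of SME Server's own code; it assumes the setting is reflected in each Samba share's `path`, and the configuration text, share names and paths in it are constructed placeholders.

```python
import configparser
from pathlib import PurePosixPath

# Constructed smb.conf fragment. Share names and paths are placeholders,
# not the server's real locations.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE

[backup]
    path = /PLACEHOLDER/ibays/backup
    valid users = @bupusers
    writable = yes

[accounts]
    path = /PLACEHOLDER/ibays/accounts/files
    valid users = @accounts
    writable = yes
"""


def audit_shares(conf_text):
    """Map each share to 'files-only' or 'top-level'.

    Assumption: a share whose path ends in 'files' corresponds to the
    "No access" setting; any other path exposes the whole i-bay
    (html, files, cgi-bin) to file-sharing users.
    """
    # smb.conf indents its options; configparser would read indented lines
    # as continuations, so strip leading whitespace first.
    flat = "\n".join(line.strip() for line in conf_text.splitlines())
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(flat)

    report = {}
    for share in parser.sections():
        if share.lower() == "global" or not parser.has_option(share, "path"):
            continue
        root = PurePosixPath(parser.get(share, "path"))
        report[share] = "files-only" if root.name == "files" else "top-level"
    return report


def shares_exposing_web_dirs(conf_text):
    """Names of shares where html and cgi-bin are visible over file sharing."""
    return sorted(s for s, v in audit_shares(conf_text).items() if v == "top-level")


if __name__ == "__main__":
    for name, status in audit_shares(SAMPLE_SMB_CONF).items():
        print(f"{name}: {status}")
```

On a real server, pass the contents of the Samba configuration file to `audit_shares` instead of the sample text.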