Buffalo NAS-Central Forums

PostPosted: Thu Sep 28, 2006 5:01 pm 
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
hmm... I understand that users need rwx permissions. But isn't the user the apache server user, since I use mod_dav and apache? Also, since each share in /mnt/hda/<share> has 777 octal permissions, wouldn't that mean that all users have rwx permissions to the share? Do I need to give the apache user group ownership of the parent directory "/mnt/hda"?

When users login to webfolders/DAV-enabled (or regular http too) directories from a browser, they submit credentials that are in a Digest password file. Apache doesn't pass the username and password to the filesystem, so that's why I think the apache user would need the rwx permissions. For example, when I tested DAV on another Test directory (Not a share and also not on the data partition) and I uploaded a file through webfolders, the owner of the file was the apache user.

andre wrote:
chmod 2770 mkdir /mnt/hda/work

Sorry, I'm unfamiliar what the "2" does.

UPDATE: Never mind the 2770 question, I figured out that's the octal number to set the GID bit (allowing newly created directories to carry parent permissions, if I'm not mistaken).

andre wrote:
If you need finer-grained permissions, you'll probably have to compile a kernel 2.6.

Has kernel 2.6 been successfully compiled for mips yet? (I do wish I could use NTFS like permissions, but you're right, I need 2.6 to do that)

_________________
http://www.opifer.net


PostPosted: Thu Sep 28, 2006 5:32 pm 
Site Admin

Joined: Sun Jul 17, 2005 4:34 pm
Posts: 5332
You're right about the Apache user, you would give permissions to it ("www-data" instead of "work", I presume). I had a Samba or AFP setup in mind.

"2" is the group sticky bit (GUID; the SUID bit you might know better is "4"). "2" means all actions are performed "by the group" (man chmod). The result of "chmod 2770" looks like "rwxrws---". So all files would be owned by root:www-data; .htaccess would take care of the permissions on a higher level.

Kernel 2.6 isn't available for the LSII yet, but you sound tenacious enough to encourage you to compile one :)


PostPosted: Thu Sep 28, 2006 5:50 pm 
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
@Andre
I understand now why you suggested setting the GID sticky-bit.

I'm hoping that the issue is truly permission related. I'll implement your suggestions to see if I can get this to work and post results. (It would be nice, since I'd no longer require dynamic HTTP, i.e. PHP, ASP, and could remove all that junk off the LS2.)

andre wrote:
Kernel 2.6 isn't available for the LSII yet, but you sound tenacious enough to encourage you to compile one

Perhaps if and when I purchase an LS Pro or another NAS. I looked at your list of differences between vanilla and linkstation-kernel and what needs to be done. I think I may be able to manage a successful 2.6 mips kernel. It's just time... We'll see. I still gotta finish the LS1-ppc emulation script for PearPC :)



PostPosted: Sat Sep 30, 2006 4:38 pm 
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
Hey guys, I still can't seem to figure the problem out.

@Andre - Should I chmod 2770 /mnt/hda to get this to work, or just the shares? I'm curious as to whether the shares on /mnt/hda are protected by something else. Do I need Samba authentication? It would be very strange if this was the case. In the error logs, I'm getting a lot of 500 response codes, which indicate problems accessing the lock database. This does not make sense, since the DavLock directory is drwxrwxrwx (777).



PostPosted: Mon Oct 02, 2006 5:46 pm 
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
Hello, I think I'm going to need mod_encoding from http://webdav.todo.gr.jp/download

Has anyone actually compiled this mod for Apache 2? I can't even seem to find the source for this mod and Apache 2. Help on where I can specifically download this mod for Apache 2, and possibly an INSTALL file that's not in Japanese, would be much appreciated (though I could translate a Japanese readme w/ Google).

UPDATE: mod_encoding doesn't work on Apache 2.2

Thanks



PostPosted: Tue Oct 03, 2006 1:55 am 
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
Ok, I've decided to discontinue the idea of using webDAV for these reasons:

1) There are just too many issues with MS 2000 and XP in trying to get DAV to work.
2) Limited compatibility in a number of browsers.
3) File permissions are extremely difficult to work out, as all DAV dirs and their files must be owned by the same user Apache uses.

So, I guess I'm back to the drawing board here. Does anyone know of any decent solution for sharing the shares on the Linkstation through most modern web browsers while reading/writing files as Linkstation system users? The main problem with DAV is that each share is owned by different users. Since the files in the shares are used locally (as the NAS was originally intended for), the files/shares must be owned by different system users. DAV doesn't allow for a way (or at least none I could find) to read/write to the DAV-enabled shares as system users (i.e. Adam, Bill, Collin). I know there is Davenport, but I can't even seem to get that to work (plus I need Java and other stuff installed).

Thanks guys for your help and patience with me.



PostPosted: Tue Oct 03, 2006 4:44 am 
Site Admin

Joined: Sun Jul 17, 2005 4:34 pm
Posts: 5332
I haven't dug into DAV too deeply myself. But the *X permissions are "stronger" than other permissions. Could you post your current system level settings please?


PostPosted: Tue Oct 03, 2006 8:59 pm 
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
Code:
root@NETDRIVE:/mnt# ls -l
total 9
drwxr-xr-x  10 root root  hda
drwxrwxrwx   4 root root  info
drwxrwxrwx   4 root root  ram
drwxrwxrwx   4 root root  usbdisk1
drwxrwxrwx   4 root root  usbdisk2
drwxrwxrwx   4 root root  usbinfo

root@NETDRIVE:/mnt/hda# ls -l
total 44
drwxrwxrwx   7 root root  <share1>
drwxrwxrwx   4 root root  <share2>
drwxrwxrwx   8 root root  <share3>
drwxrwxrwx   5 root root  <share4>
drwx------   2 root root  lost+found
drwxrwxrwx  12 root root  <share6>
drwxrwxrwx   6 root root  spool
drwxrwxrwx   2 root root  <share8>

All files and dirs under each share are owned by the user and the group hdusers, i.e. all files in share1 are
-rwxrwxrwx  user1 hdusers

and all dirs under share1 are
drwxrwxrwx  user1 hdusers

Apache user:  httpd
Apache group: httpd




The Samba config is set up so that each user has access to his and only his share, i.e. Alice only has access to share1 and no one else (but me, the administrator) has access to her share. Here's my Samba config file (with users and share names changed; also in this config, user "Jack" is an administrator):

Code:
[global] 
    client code page = 437
    workgroup = HOME
    server string = Network Storage
    socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
    dns proxy = No
    netbios name = NETDRIVE
    os level = 1
    wins server =
 
    security = user
    encrypt passwords = Yes
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
    unix password sync = yes
    guest account = nobody
    null passwords = yes
    guest only = no
    username level = 12
    password level = 8
    map to guest = Bad User
 
    browsable = no
    preserve case = yes
    short preserve case = yes
    veto files = /.AppleDesktop/Network Trash Folder/TheVolumeSettingsFolder/.AppleDouble/.AppleDB/
    delete veto files = yes
 
    invalid users = mail, daemon, adt
    admin users = root
    username map = /etc/samba/smbusers
 
    getwd cache = yes
    printcap name = /etc/printcap
    load printers = yes
    printing = lprng
 
[lp]
    comment = Network Printer for Windows
    path = /mnt/hda/spool/samba
    print command = /usr/bin/lpr -Plp -r %s
    printer admin = root
    browsable = yes
    printable = yes
    public = yes
###lpr-win###
[info]
    comment = LinkStation information
    path = /mnt/info
    browsable = yes
    printable = no
    writable = no
    guest ok = yes
###info###
[alice]
    comment = Alice-Net
    path = /mnt/hda/alice
    browsable = yes
    printable = no
    writable = yes
    valid users = Administrator,Alice,Jack,
    force create mode = 777
    force directory mode = 777
    vfs object = /usr/lib/samba/recycle.so
    vfs options = /etc/samba/recycle.conf
###alice###
[brandon]
    comment = Brandon-Net
    path = /mnt/hda/brandon
    browsable = yes
    printable = no
    writable = yes
    valid users = Administrator,Brandon,Jack
    force create mode = 777
    force directory mode = 777
###brandon###
[collin]
    comment = Collin-Net
    path = /mnt/hda/collin
    browsable = yes
    printable = no
    writable = yes
    valid users = Administrator,Collin,Jack,
    force create mode = 777
    force directory mode = 777
###collin###
[dave]
    comment = Dave-Net
    path = /mnt/hda/dave
    browsable = yes
    printable = no
    writable = yes
    valid users = Administrator,Dave,Jack,
    force create mode = 777
    force directory mode = 777
###dave###
[erin]
    comment = Erin-Net
    path = /mnt/hda/erin
    browsable = yes
    printable = no
    writable = yes
    valid users = Administrator,Erin,Jack,
    force create mode = 777
    force directory mode = 777
    vfs object = /usr/lib/samba/recycle.so
    vfs options = /etc/samba/recycle.conf
###erin###
[jack]
    comment = Jack-Net
    path = /mnt/hda/jack
    browsable = yes
    printable = no
    writable = yes
    valid users = Administrator,Jack,
    force create mode = 777
    force directory mode = 777
    vfs object = /usr/lib/samba/recycle.so
    vfs options = /etc/samba/recycle.conf
###jack###
#####END#####


I'm not sure what else you want to know (i.e. more directives from httpd.conf, login.defs, etc.), just let me know.

Any other commands (i.e. grep) you want me to run and post?

Thanks



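The posted smb.conf, read the way a security reviewer would read it. This is an added example, not code from the thread or from the Linkstation firmware: it parses an smb.conf and flags the settings that undermine the one-user-one-share model the post describes. The embedded config is a constructed, trimmed copy of the one above, with a made-up [scratch] share added to exercise the guest checks; the check list and messages are this example's own and cover only the directives in play here, not Samba's full option set.

```python
"""Audit an smb.conf for settings that defeat per-user share isolation.

Added example for this thread, not code from the posts or from Buffalo's
firmware. SAMPLE_SMB_CONF is a constructed, trimmed copy of the config
posted above plus an invented [scratch] share; the checks are this
example's own.
"""
import configparser

SAMPLE_SMB_CONF = """\
[global]
    workgroup = HOME
    security = user
    encrypt passwords = Yes
    null passwords = yes
    guest account = nobody
    map to guest = Bad User
    admin users = root
    passwd program = /usr/bin/passwd %u

[info]
    path = /mnt/info
    writable = no
    guest ok = yes

[alice]
    path = /mnt/hda/alice
    writable = yes
    valid users = Administrator,Alice,Jack,
    force create mode = 777
    force directory mode = 777

[scratch]
    path = /mnt/hda/scratch
    writable = yes
    public = yes
"""


def parse_smb_conf(text):
    """smb.conf is INI-like: '#'/';' comments, keys containing spaces and
    %-macros in values, so interpolation is switched off."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp


def _yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def _names(value):
    """Split a Samba user list ('a, b,') into lower-cased names."""
    return [n.strip().lower() for n in (value or "").split(",") if n.strip()]


def _writable(share):
    """'read only' wins when present; 'writable' and 'writeable' are synonyms."""
    if "read only" in share:
        return not _yes(share["read only"])
    return _yes(share.get("writable")) or _yes(share.get("writeable"))


def audit(cp):
    """Return a list of (section, message) findings."""
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    if _yes(g.get("null passwords")):
        findings.append(("global", "null passwords = yes lets accounts with an empty password log in"))
    if "root" in _names(g.get("admin users")):
        findings.append(("global", "admin users includes root: that account's file operations run as uid 0"))
    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]
        if _yes(s.get("printable")):
            continue  # print spool shares have their own semantics
        # Forced modes are applied on disk, so a 7 in the 'other' digit means
        # every local process, not just SMB users, can write the files.
        for key in ("force create mode", "force directory mode"):
            if key in s and int(s[key], 8) & 0o002:
                findings.append((name, f"{key} = {s[key]} forces world-writable entries on disk"))
        if _writable(s):
            if _yes(s.get("guest ok")) or _yes(s.get("public")):
                findings.append((name, "writable share allows guest (anonymous) access"))
            if not _names(s.get("valid users")):
                findings.append((name, "writable share without valid users: any authenticated user may write"))
    return findings


if __name__ == "__main__":
    for section, message in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{section}] {message}")
```

On the posted config the findings that matter for this thread are `force create mode = 777` and `force directory mode = 777` on every share: they make every file and directory world-writable on disk, which is what lets any local process (the Apache user included) write into shares it is not a `valid users` member of, and why the per-share `valid users` lists only protect the SMB path. `null passwords = yes` and `admin users = root` deserve a look for the same reason.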
PostPosted: Thu Oct 05, 2006 3:03 am 
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
Hey guys, I just want to thank dc2447 and Andre for helping with trying to get DAV to work. Unfortunately, as I stated above, DAV is not a feasible solution, as either the Apache user or group must own DAV-enabled shares under /mnt/hda. This will not work well, as these shares are also accessed locally. Furthermore, I've been advised by the Apache Group that DAV-enabled dirs should be left accessible only through DAV and should not be accessed locally, for file-locking and user-ownership issues. Therefore, I will suspend this idea of using DAV. Again, many thanks here for the ideas, help, and insight.

Again (I think I asked before, unsure as this topic is really long now :) ) does anyone know of a web-based file-sharing/file-manager that writes to the shares as linux system users? Thanks



PostPosted: Thu Oct 05, 2006 4:37 am 
Site Admin

Joined: Sun Jul 17, 2005 4:34 pm
Posts: 5332
I was too busy to answer earlier. -- If you make your shares user[1-n]:httpd 2770 (i.e., accessible for a single user), you should get what you want, except for the local availability. For this, you would have to addgroup httpd hdusers, and make the shares user[1-n]:hdusers 2770 (i.e., accessible for everyone in group hdusers). In a next step, you should adjust smb.conf accordingly.


PostPosted: Thu Oct 05, 2006 8:19 pm 
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
Hey Andre:

andre wrote:
I was too busy to answer earlier

No prob. Didn't mean to sound pushy :)

For clarification, you're suggesting that I chown the shares to the apache group "httpd", but I won't have local availability; in order to do so, I move apache user "httpd" from group "httpd" to the samba user group "hdusers"? Consequently, I'd also have to set Apache to run under group "hdusers" I assume.

I also assume that you're suggesting to chmod the shares 2770, not all the files underneath recursively.

Please correct me if I'm wrong-- I'll give this a shot. Thanks.

Oh, in your honest opinion, is it wise to change the ownership of the share from root:root to user[1-n]:hdusers? I guess I was wondering why the Linkstation firmware default setting for the shares are root:root. Are there any specific repercussions for changing the ownership of the share folders? I can't think of any security wise (other than a hacker deleting shares possibly through apache), but I figured I'd ask since Buffalo must have done this for some reason.



PostPosted: Thu Oct 05, 2006 8:40 pm 
Site Admin

Joined: Sun Jul 17, 2005 4:34 pm
Posts: 5332
Leave Apache in group "httpd". Add the "httpd" group to the "hdusers" group.

addgroup httpd hdusers
chown -R alice:hdusers /mnt/hda/alice
chmod 2770 /mnt/hda/alice

should do. Use with caution though, this is untested.


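The setgid bit Andre explains earlier in the thread ("2" in 2770) and the three-command recipe in this post, as an added example rather than anything from the posts or the Linkstation firmware. The script runs as an ordinary user inside a temporary directory, so the chown to alice:hdusers (which needs root) is not reproduced; the directory name "alice", the umask and the file content are constructed for the demonstration. What it shows is the part that matters for the Apache question: with 2770 on the share, a sub-directory created inside it inherits both the group and the setgid bit, while a file inherits the group and ends up 660, never setgid. Because new entries take the directory's group, the Apache process does not need hdusers as its primary group; it only needs hdusers as a supplementary group so that the 770 check on the directory lets it in. `addgroup httpd hdusers` in the BusyBox `USER GROUP` form does that (`usermod -a -G hdusers httpd` is the shadow-utils equivalent), and Apache's Unix MPMs call `initgroups()` when dropping to the configured User, so the new group is picked up on the next restart.

```python
"""What "chmod 2770" on a share directory does, and does not, give you.

Added example for this thread, not code from the posts or from the
Linkstation firmware. It runs as an ordinary user inside a temporary
directory; the chown to alice:hdusers from the recipe above needs root and
is not reproduced. Directory name, umask and file content are constructed.
"""
import os
import stat
import tempfile


def make_share(path, mode=0o2770):
    """Create a share directory with rwx for owner and group, nothing for
    others, plus the setgid bit (the leading 2). Caveat: chmod silently
    drops setgid if the caller is not a member of the directory's group
    and lacks CAP_FSETID."""
    os.makedirs(path, exist_ok=True)
    os.chmod(path, mode)


def mode_of(path):
    """Permission bits including setuid/setgid/sticky, e.g. 0o2770."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo_setgid_share(base):
    """Create a share, then a sub-directory and a file inside it, and
    report what each ended up with."""
    share = os.path.join(base, "alice")     # stands in for /mnt/hda/alice
    make_share(share)
    old_umask = os.umask(0o007)             # group-shared creation mask
    try:
        sub = os.path.join(share, "subdir")
        os.mkdir(sub)                       # 0o777 & ~umask = 0o770, plus inherited setgid
        path = os.path.join(share, "file.txt")
        with open(path, "w") as fh:         # 0o666 & ~umask = 0o660, no setgid
            fh.write("constructed content\n")
    finally:
        os.umask(old_umask)
    share_gid = os.lstat(share).st_gid
    return {
        "share": mode_of(share),                                   # 0o2770
        "subdir": mode_of(sub),                                    # 0o2770
        "file": mode_of(path),                                     # 0o660
        "subdir_group_inherited": os.lstat(sub).st_gid == share_gid,
        "file_group_inherited": os.lstat(path).st_gid == share_gid,
    }


def run_demo():
    """Run the demonstration in a throwaway directory and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo_setgid_share(tmp)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, oct(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

The chown in the recipe is what makes this useful on the NAS: once the share is alice:hdusers 2770, Alice over Samba, Alice at the local console and the httpd process (as a member of hdusers) all produce files in group hdusers, which is the single-owner-per-share layout the thread is after, without opening the share to "other".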
PostPosted: Thu Oct 05, 2006 10:00 pm 
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
I'll give it a shot.

andre wrote:
Use with caution though, this is untested


I figured this; I guess if this works (at least functionally) I'll be the one to test this.

Should I make "hdusers" the default login group (01) for httpd? Leaving Apache as group "httpd" and user httpd's default login group "httpd", Apache tries to write files to the share as httpd:httpd, not httpd:hdusers.



PostPosted: Fri Oct 06, 2006 12:19 am 
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
Ok, I did exactly what you said, and I still can't get DAV to function correctly (sorry, but I'm getting really annoyed). I keep scratching my head. Apache has read/write permission now to /mnt/hda and all shares underneath. For some reason, I cannot restrict users from the shares using any Apache directives. It's gotten so stupid that even when /mnt/hda is not password protected (see what I commented out below), I still can't restrict shares correctly. For example:

Code:
DocumentRoot "/mnt/hda" 
 
<Directory "/mnt/hda">
    Options Indexes FollowSymLinks
    Order Deny,Allow
    Allow from All
    Dav On
#    AuthType Digest
#    AuthName "Restricted Area"
#    AuthUserFile /home/mydomain/.htpasswd
#    AuthGroupFile /dev/null
#    require user Alice Brandon
</Directory>
 
 
Alias /test "/mnt/hda/test"
<Directory "/mnt/hda/test">
    Options Indexes
    Order Deny,Allow
    Allow from All
    Dav On
    AuthType Digest
    AuthName "Restricted Area"
    AuthUserFile /home/mydomain/.htpasswd
    AuthGroupFile /dev/null
    require user Alice Brandon
    <LimitExcept none>
      require user Brandon
    </LimitExcept>
</Directory>


The above directive should keep Alice from accessing /mnt/hda/test. As usual, it will not. Restrictions will work with only "require Brandon" (which I would use if I could get the secure doc root protected), but in trying to use LimitExcept to restrict HTTP methods it doesn't work.

So, either I'm getting really frustrated and therefore stupid, or something is seriously goofed up. Ideally, I need to password protect the secure doc root, but then DAV does not work for the shares. (i.e. uncommenting the above renders DAV useless).

Logic tells me that there's something "special" about /mnt/hda on the Linkstation, perhaps some sort of Buffalo file protection scheme that's preventing DAV from working correctly. Or perhaps XP is broken even more and won't pass credentials to subdirs in webFolders. I don't have access at the moment to my Red Hat system to check this on Linux. All I know is this behavior is the same for three XP SP2 comps.



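An added example, not from the post above or from the Linkstation firmware: a per-share layout in Apache 2.2 syntax that does what the block above is reaching for. `<Limit>` and `<LimitExcept>` take HTTP method names, so `<LimitExcept none>` matches every real method, and a `Require` placed inside it is simply OR-ed with the enclosing `require user Alice Brandon` for the same request; either line satisfying mod_authz_user is enough, which is why Alice still gets in. Partitioning the methods between one `<LimitExcept>` and one `<Limit>` with the same list, and putting no `Require` outside either, is what makes the split stick. The share path, the realm name, the lock-file path, the htpasswd path and the user names are assumptions taken from the thread; `SSLRequireSSL` needs mod_ssl loaded, and the directory holding the lock database must exist and be writable by the Apache user (the 500s mentioned in an earlier post are the symptom when it is not). Apache 2.4 replaces the `Order`/`Allow`/`Deny` lines with `Require all granted`/`denied` and combines `Require` lines differently, so this is 2.2 only, matching the version named in the thread.

```apache
# Added example, not from the thread. Assumptions: shares live under
# /mnt/hda, mod_ssl is loaded, /var/lock/apache2 exists and is writable by
# the Apache user, /etc/apache2/dav.htpasswd was made with htpasswd, and
# the user names Alice and Jack come from the posts above.

# Lock database for mod_dav. Apache appends its own suffixes to this prefix;
# failure to create or open these files is what produces 500s on DAV requests.
DavLockDB /var/lock/apache2/DavLock

# The parent is neither DAV-enabled nor browsable, so nothing is reachable
# by walking up from a share. Each share opens itself below.
DocumentRoot "/mnt/hda"
<Directory "/mnt/hda">
    Options None
    Order Deny,Allow
    Deny from All
</Directory>

# One block per share. Every HTTP method falls into exactly one of the two
# method sections and there is no Require outside them, so the owner gets
# read and write while the administrator gets read only.
<Directory "/mnt/hda/alice">
    Dav On
    Options Indexes
    Order Deny,Allow
    Allow from All
    # Basic credentials are only ever accepted inside TLS.
    SSLRequireSSL
    AuthType Basic
    AuthName "LinkStation shares"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/dav.htpasswd
    # Read-type methods (GET, HEAD, OPTIONS, PROPFIND, REPORT, ...):
    # owner and administrator.
    <LimitExcept PUT DELETE MKCOL COPY MOVE PROPPATCH LOCK UNLOCK>
        Require user Alice Jack
    </LimitExcept>
    # Write-type methods: owner only.
    <Limit PUT DELETE MKCOL COPY MOVE PROPPATCH LOCK UNLOCK>
        Require user Alice
    </Limit>
</Directory>
```

Repeat the `<Directory>` block once per share with the owner's name swapped in; because Allow/Deny and Options in a child `<Directory>` replace the parent's in 2.2, the `Deny from All` on /mnt/hda still covers any directory that has no block of its own.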
PostPosted: Fri Oct 06, 2006 1:55 am 
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
Ok, I feel a little bit better now :) I've concluded that the main problem is XP and AuthDigest. Basically, Microsoft messed everything up by insisting that one use only protocols that they approve of (that's also why their DAV client, webfolders, does not conform completely to the DAV protocol). Anyway, I switched to BASIC; though my boss thinks I'm safer using DIGEST, this connection is only being offered through SSL, so credentials are still encrypted. Sorry for my previous rantings.

I'll post my results after I convert all the directives over.
