Difference between revisions of "SharedFolders"
Edit summary: m (Removed the Pydio note of being available only on SME8)
(40 intermediate revisions by 10 users not shown)
Latest revision as of 20:44, 10 December 2016
Maintainer
Daniel B.
Firewall Services
mailto:daniel@firewall-services.com
Version
Description
Shared folders are more or less like ibays (I took a lot of code from the ibay module), but with more flexibility on file permissions, as they support ACLs. There are also some additional options in the panel.
Requirements
- Min SME Server 7.X
Installation 8.x and 9.x
- install the rpms
yum --enablerepo=smecontribs install smeserver-shared-folders
- Mount your file system(s) with the ACL option
If you use a standard SME server installation:
signal-event post-upgrade; signal-event reboot
should do the trick. If you don't like to reboot your server every time you install something (just like me :)), you can just run:
expand-template /etc/fstab
Check that the file system mounted on /home/e-smith/files/ has the acl option, for example:
# This file is edited by fstab-sync - see 'man fstab-sync' for details
LABEL=/ / ext3 usrquota,grpquota,acl 1 1
LABEL=/boot /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /dev/shm tmpfs defaults 0 0
none /proc proc defaults 0 0
none /sys sysfs defaults 0 0
LABEL=SWAP-rd/c0d0p3 swap swap defaults 0 0
You may have to manually add the acl option in /etc/fstab if you have mounted another file system here. Once the option is in fstab, you can just remount the partitions, for example:
mount -o remount /
or
mount -o remount /home/e-smith/files
Check everything is ok:
[root@sme ~]# mount
/dev/sda2 on / type ext3 (rw,usrquota,grpquota,acl)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
usbfs on /proc/bus/usb type usbfs (rw)
/dev/rd/c0d0p1 on /boot type ext3 (rw)
none on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
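As an added example (not part of the contrib or of this page's original text), the following script automates the check above: it parses mount output, picks the mount point that actually holds /home/e-smith/files (the longest matching prefix, so a separate /home or /home/e-smith/files file system is judged rather than /) and verifies that its options include acl. The function name acl_check_mounts and the sample mount lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the SharedFolders contrib: check that the file
# system holding /home/e-smith/files is mounted with the "acl" option, which
# the contrib needs for its per-group ACLs. It parses "mount" output lines of
# the form "DEV on MOUNTPOINT type FSTYPE (OPTS)" read from stdin, so it runs
# on the constructed sample below as well as on a live server (--live).

# acl_check_mounts PATH: find the longest mount point that is a prefix of
# PATH and report whether its option list contains "acl". Returns 0 if so.
acl_check_mounts() {
    want=$1
    best_mnt=""
    best_opts=""
    while read -r dev on mnt type fs opts; do
        [ "$on" = "on" ] && [ "$type" = "type" ] || continue
        opts=${opts#\(}                    # strip the parentheses around the options
        opts=${opts%\)}
        case "$want/" in
            "${mnt%/}/"*)                  # this mount point is a prefix of PATH
                if [ ${#mnt} -gt ${#best_mnt} ]; then
                    best_mnt=$mnt
                    best_opts=$opts
                fi ;;
        esac
    done
    if [ -z "$best_mnt" ]; then
        echo "no mount point found for $want"
        return 1
    fi
    case ",$best_opts," in
        *,acl,*)
            echo "OK: $want is on $best_mnt, mounted with $best_opts"
            return 0 ;;
        *)
            echo "MISSING: $want is on $best_mnt, mounted without acl ($best_opts)"
            echo "   add 'acl' to the $best_mnt entry in /etc/fstab, then: mount -o remount $best_mnt"
            return 1 ;;
    esac
}

# Constructed sample in the format shown above (not taken from a real server).
SAMPLE_MOUNT_OUTPUT='/dev/sda2 on / type ext3 (rw,usrquota,grpquota,acl)
none on /proc type proc (rw)
/dev/rd/c0d0p1 on /boot type ext3 (rw)
none on /dev/shm type tmpfs (rw)'

if [ "${1:-}" = "--live" ]; then
    mount | acl_check_mounts /home/e-smith/files
else
    printf '%s\n' "$SAMPLE_MOUNT_OUTPUT" | acl_check_mounts /home/e-smith/files
fi
```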
Storage
All the shares you create are stored in /home/e-smith/files/shares/<sharename>/files. The trailing files directory keeps the same structure as ibays. There are no html and cgi-bin directories. You will never see the "files" directory, as the root (for SMB and HTTP) will always be /home/e-smith/files/shares/<sharename>/files.
Screenshots
[Screenshot: Shared Folders main menu]
[Screenshot: Create or modify a shared folder]
[Screenshot: Configure permissions]
Features
A lot of options are available in the panel. When you create a new shared folder, or modify an existing one, the page is divided in up to 5 parts (depending on other packages you might have installed like encfs and Pydio):
- The first part lets you enter a name and a comment for this shared folder. This part works exactly the same way as ibays. An initial limit of 12 characters exists for the name. You can raise this value with
db configuration set maxShareNameLength 16
- The second part lets you configure access to this shared folder using the SMB/CIFS protocol. There are three drop-down menus:
  - SMB Access lets you configure the type of access: none (no access), enabled and browse-able (enabled, and visible if you browse the available shares of the server) or enabled, hidden (enabled, but you need to know the exact name to access it).
  - Recycle bin lets you configure the network recycle bin option available in Samba. Available options are none (recycle bin is disabled), enabled, keep only the latest version (enable the recycle bin, but only keep the latest version if two files with the same name are deleted), or enabled, keep a copy of all versions (enable the recycle bin and keep a copy of every deleted file). When the recycle bin is enabled and a user deletes a file, instead of removing it from the server, Samba moves it to the Recycle Bin directory at the top of the shared folder.
  - Recycle Bin Retention lets you define the retention time of files in the recycle bin. After this period of time, files are deleted.
- The third part lets you configure access to this shared folder using the HTTP/HTTPS protocol. There are also several options:
  - Web Access: works like ibays. The only difference is that when a password is required, users have to use their own login/password instead of a global one. Users need at least read access to this share or they won't be allowed in. This setting is only for web access, not FTP.
  - WebDav Support: enables WebDav on this share. Only effective if Web Access is enabled. Write access with WebDav will always require a login.
  - Force secure connections: if enabled, all requests are redirected to the HTTPS protocol. The redirection is transparent. This is highly recommended if a password is required.
  - Indexes: lets you control whether the server should generate an index of all the files if no index.html file is found. You can disable it if you don't want everyone to have access to the list of files. This setting is global for the shared folder: if enabled, any directory which doesn't have an index.html file will be indexed.
  - Dynamic content execution (PHP, CGI, SSI): this enables the execution of PHP scripts. If disabled, files with php, php3, phtml, cgi or pl as extension won't be allowed. If enabled, you can create a directory named "cgi-bin" in your shared folder, which will allow execution of CGI scripts.
Warning: IP addresses and networks which are allowed to access the server-manager (in Security -> Remote Access -> Remote Management) are considered local for web access. This means those IPs and networks will have access to shared folders which are restricted to local networks.
Pydio
If you install the Pydio contrib, you'll have a new option displayed in the configuration of the shared folders. With this, you can easily enable the access of any shared folders through Pydio.
Limitations of Pydio
- You cannot work with files bigger than 2GB; this is a limitation of PHP on 32-bit systems.
- Files uploaded with Pydio will not be counted for quota limitations (the same applies to WebDav uploads). This is because the file will belong to the www user, and not to the real user.
Encryption
Since smeserver-shared-folders-0.1-50, you can encrypt all the data stored in a shared folder. For this to work, you first have to install fuse-encfs from the EPEL repository:
yum install smeserver-extrarepositories-epel -y
After adding the repository to the database, update the configuration files by issuing:
signal-event yum-modify
To install fuse-encfs on sme8:
yum --enablerepo=epel install fuse-encfs
To install fuse-encfs on sme9:
yum --enablerepo=smecontribs --enablerepo=epel install fuse-encfs
After installing fuse-encfs, make sure the fuse module is loaded:
lsmod | grep fuse
Now, when you create a new shared folder, you have a new option to encrypt the data. You'll have to type a password, and to select enabled for the encryption.
An encrypted shared folder can be "protected" or "enabled", and each state has its own, separate data set (one data set for "enabled" and another for "protected"):
- When the share is "protected", you can write to it: files written to the server while the share is protected are not encrypted; instead, they are stored directly in the files folder of the share.
- When the share is "enabled", the .store folder is mounted over the files folder using encfs. When this happens, the cleartext data set (stored directly in files) is hidden, and you have access to a second, completely separate data set. The data you write while the share is enabled is encrypted on the fly and stored in the .store folder.
- As soon as you "protect" the share (or when the inactivity timeout occurs), the encrypted volume is unmounted, and the unencrypted share is available again.
Changing the state of an encrypted shared folder can be done through the 'Shared Folder Encryption' panel in the server-manager. You can grant access to this panel to all users using the UserManager contrib. Users will only be able to toggle the mode of shared folders they have access to (and of course, they need to know the correct password).
Note: If already mounted, Samba loses access to the shared folder when its "protected"/"enabled" status is modified. The share must then be unmounted and mounted again to get access to the other data set.
Limitations with encryption
Before using encryption on a shared folder, you should be aware of some limitations:
- Encryption is done on the fly in user-space using encfs, accessing data may be a bit slower when encryption is enabled
- Encryption can only be enabled at creation time; it's not possible to encrypt an existing shared folder
- Read Only permission is not supported on encrypted shared folders, only full read/write access is possible (this is a limitation of fuse which doesn't pass ACL permissions). If you set read only access to some groups, it'll just be ignored
- The current implementation doesn't provide any option to change the password from the web GUI. If you want to change the password, you can do so from the command line with the encfsctl utility
- There's NO WAY to recover the data if you forget the password.
Additional options
Some advanced settings are not available on the panel, but only with db commands:
| Database | Key | Key type |
|---|---|---|
| accounts | [name of share] | share |
- Various options
| Option | Value | Default | Description |
|---|---|---|---|
| ManualPermissions | enabled / disabled | disabled | If you set this key to enabled, the permissions will only affect web access (HTTP, WebDav, Pydio), and will not touch the permissions on the file system. This can be used to host web applications with custom permissions. |
| Hide | yes / no | no | If set to yes, this share will not be listed in the server-manager |
| Removable | yes / no | yes | If set to no, you won't be able to remove this share through the server-manager |
| Audit | enabled / disabled | enabled | Enable or disable activity logging in /var/log/messages |
- Options for Web access:
  - AllowOverride: You can configure the AllowOverride directive of Apache if web access is enabled. See http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride for a list of available options.
  - FollowSymLinks: (enabled|disabled). Should Apache follow symlinks?
  - PHPRegisterGlobals: (enabled|disabled). Enable PHP register_globals for this share.
  - PHPAllowUrlFopen: (enabled|disabled). Enable PHP allow_url_fopen for this share.
  - PHPMemoryLimit: Set a memory limit for PHP. This limit only applies to this share.
  - PHPMaxExecutionTime: Set an execution time limit for PHP. This limit only applies to this share.
- Options for SMB access:
  - cscPolicy: (disabled|manual|documents|programs). Controls client-side caching. Don't touch this if you don't know what it means; it can have unexpected behaviour.
  - OpLocks: (enabled|disabled). Controls the oplocks option of Samba (default is enabled).
  - VetoOplockFiles: Controls the veto oplock files option of Samba.
Example:
db accounts setprop myshare AllowOverride All PHPMemoryLimit 50M PHPMaxExecutionTime 600
signal-event share-modify myshare
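As an added example (this script is not part of the contrib), the following audits the db-only settings listed above for values a security reviewer would want to look at, such as PHPRegisterGlobals=enabled or AllowOverride All. It assumes the output format of db accounts show is one name=share line followed by indented Prop=value lines; the share names, sample values and risk wording are this example's own.

```shell
#!/bin/sh
# Added example, not part of the smeserver-shared-folders contrib: audit the
# db-only share settings described above for risky values.
# Input: "db accounts show <share>" style records on stdin, assumed to be a
# "name=share" line followed by indented "Prop=value" lines.
# Assumed live invocation (as root on the SME server):
#   for s in $(db accounts printtype | grep '=share$' | cut -d= -f1); do
#       db accounts show "$s"
#   done | audit_shares

# check_prop SHARE PROP VALUE: print a finding if the value is risky.
# Returns 0 when a finding was printed, 1 otherwise. The risk wording is
# this example's own reading of the options, not text from the contrib.
check_prop() {
    case "$2=$3" in
        PHPRegisterGlobals=enabled)
            echo "$1: PHPRegisterGlobals enabled (request parameters become PHP variables)" ;;
        PHPAllowUrlFopen=enabled)
            echo "$1: PHPAllowUrlFopen enabled (PHP file functions may fetch remote URLs)" ;;
        AllowOverride=All)
            echo "$1: AllowOverride All (anyone who can write .htaccess into the share changes Apache settings)" ;;
        FollowSymLinks=enabled)
            echo "$1: FollowSymLinks enabled (a symlink in the share can expose files outside it)" ;;
        ManualPermissions=enabled)
            echo "$1: ManualPermissions enabled (panel permissions are not applied to the file system)" ;;
        Audit=disabled)
            echo "$1: Audit disabled (no activity logging in /var/log/messages)" ;;
        *) return 1 ;;
    esac
}

# audit_shares: read records from stdin, print one line per finding and
# return 0 only when nothing risky was found.
audit_shares() {
    share=""
    findings=0
    while IFS= read -r line; do
        case "$line" in
            [[:space:]]*)              # indented "Prop=value" line of the current share
                kv=${line#"${line%%[![:space:]]*}"}   # drop the leading whitespace
                check_prop "$share" "${kv%%=*}" "${kv#*=}" && findings=$((findings + 1)) ;;
            *=share)                   # "name=share" header starts a new record
                share=${line%%=*} ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample records (not taken from a real server).
SAMPLE_RECORDS='public=share
    AllowOverride=All
    Audit=enabled
    PHPRegisterGlobals=enabled
    Removable=yes
intranet=share
    Audit=disabled
    FollowSymLinks=disabled
    PHPAllowUrlFopen=disabled'

printf '%s\n' "$SAMPLE_RECORDS" | audit_shares || echo "risky settings found, review the lines above"
```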
Missing features
Even if this contrib brings some new options compared to ibays, some others are missing:
- There's no access using the atalk protocol. I don't have any Mac OS here to test the feature, and anyway newer Mac OS can access SMB shares so I don't think it's a big problem
- There's no support for ShadowCopy. I may add this in the future
- You cannot choose a shared folder as the content of a virtual domain. This is because it'd require a modification of a core package
Backup and Restore
The standard backup process should back up all your shared folders. If you have to restore the data to another server, you'll have to re-install the contrib. Once everything is restored, you'll have to run signal-event share-modify-files for each share, because permissions on shared folders use extended ACLs, which are not backed up by most tools. This is not a big problem because the ACLs are also stored in the accounts DB. The signal-event will just re-apply the configured ACLs on the files:
for SHARE in $(db accounts printtype | grep '=share$' | cut -d'=' -f1); do
    signal-event share-modify-files $SHARE
done
Uninstall
If you want to remove the contrib, just run:
yum remove smeserver-shared-folders
You need to manually remove the files in /home/e-smith/files/shares if you want to remove every share created. You may also want to edit /etc/fstab to remove the acl option.
Source
The source for this contrib can be found in the smeserver CVS on sourceforge: http://smeserver.cvs.sourceforge.net/viewvc/smecontribs/rpms/smeserver-shared-folders/
Bugs
Please raise bugs under the SME-Contribs section in bugzilla (http://bugs.contribs.org/enter_bug.cgi) and select the smeserver-shared-folders component.
Below is an overview of the current issues for this contrib:
| ID | Product | Version | Status | Summary |
|---|---|---|---|---|
| 12252 | SME Contribs | 10.0 | CONFIRMED | move /etc/rc.d/rc7.d/S95rsyncd and /etc/rc.d/init.d/supervise/rsyncd to a systemd unit |
| 12128 | SME Contribs | 10.0 | CONFIRMED | NFR: add field in panel to select php version |
| 11525 | SME Contribs | 10.0rc | RESOLVED | add deps for [smeserver-rsyncd] and clean duplicate code |
| 11048 | SME Contribs | 9.3 | UNCONFIRMED | Public access, no auth |
| 8859 | SME Contribs | 9.0 | UNCONFIRMED | FEATURE REQUEST: All permission map for the server in a single web form |