I wanted a secure way to share my datasets on FreeNAS.
Table of contents
- SMB Shares
- Different users & groups
Open up your FreeNAS GUI > Jails > ADD.
Select an appropriate jail name.
Add your different mount points and make sure to make them read-only.
Log in to your FreeNAS through SSH, e.g.

    poco:~ loco$ ssh -l root 172.16.58.71
    email@example.com's password:
    root@freenas:~ #
List the available jails:

    root@freenas:/mnt/Breaking/TV Shows # iocage list
    +-----+----------------+-------+--------------+------+
    | JID |      NAME      | STATE |   RELEASE    | IP4  |
    +=====+================+=======+==============+======+
    | 10  | SFTPman        | up    | 11.3-RELEASE | DHCP |
    +-----+----------------+-------+--------------+------+
Log in to the jail itself and update && upgrade its packages:

    root@freenas:~ # iocage console SFTPman
    root@SFTPman:~ # pkg update && pkg upgrade
    Updating FreeBSD repository catalogue...
    FreeBSD repository is up to date.
    All repositories are up to date.
    Updating FreeBSD repository catalogue...
    FreeBSD repository is up to date.
    All repositories are up to date.
    Checking for upgrades (1 candidates): 100%
    Processing candidates (1 candidates): 100%
    Checking integrity... done (0 conflicting)
    Your packages are up to date.
    root@SFTPman:~ #
Inside the jail, edit /etc/rc.conf and enable the SSH daemon:

    root@SFTPman:~ # vi /etc/rc.conf

    # Enable SSH daemon
    sshd_enable="YES"
PS: Check out http://www.atmos.albany.edu/daes/atmclasses/atm350/vi_cheat_sheet.pdf if you are unsure how to use the vi editor.
Make a group called sftponly:

    root@SFTPman:~ # pw groupadd sftponly
Edit the /etc/ssh/sshd_config file and add these lines at the bottom:

    root@SFTPman:~ # vi /etc/ssh/sshd_config

    # SFTP settings
    Match Group sftponly
        ChrootDirectory /mnt/
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
Add a new user that is used only for SFTP access:

    root@SFTPman:~ # adduser
    Username: sftpuser1
    Full name: SFTP User No 1
    Uid (Leave empty for default): 1099
    Login group [sftpuser1]: sftponly
    Login group is sftponly. Invite sftpuser1 into other groups? :
    Login class [default]:
    Shell (sh csh tcsh git-shell nologin) [sh]: nologin
    Home directory [/home/sftpuser1]:
    Home directory permissions (Leave empty for default):
    Use password-based authentication? [yes]:
    Use an empty password? (yes/no) [no]:
    Use a random password? (yes/no) [no]:
    Enter password:
    Enter password again:
    Lock out the account after creation? [no]:
    Username   : sftpuser1
    Password   : *****
    Full Name  : SFTP User No 1
    Uid        : 1099
    Class      :
    Groups     : sftponly
    Home       : /home/sftpuser1
    Home Mode  :
    Shell      : /bin/sh
    Locked     : no
    OK? (yes/no): yes
    adduser: INFO: Successfully added (sftpuser1) to the user database.
    Add another user? (yes/no): no
    Goodbye!
Back in the FreeNAS GUI, select your jail and add a mount point as read-only (if you do not want users to be able to write to the dataset). Or just have confidence in your permissions management :) Read on...
Find out what the IP address of the jail is:

    root@SFTPman:~ # ifconfig
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
            inet 127.0.0.1 netmask 0xff000000
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            groups: lo
    epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=8<VLAN_MTU>
            ether ac:dd:20:2a:cc:08
            hwaddr 02:07:10:00:13:0b
            inet 172.16.58.76 netmask 0xffffff00 broadcast 172.16.58.112
            nd6 options=1<PERFORMNUD>
            media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
            status: active
            groups: epair
    root@SFTPman:~ #
Start the SSH daemon in the jail:

    root@SFTPman:~ # /etc/rc.d/sshd start
Open up a new terminal window and verify that you are unable to log in with ssh as our user:

    poco:~ loco$ ssh -l sftpuser1 172.16.58.76
    Password for sftpuser1@SFTPman:
    This service allows sftp connections only.
Check if you can log in with an SFTP application; I tried FileZilla. There you'll see that you are able to log in, but you are unable to navigate the file hierarchy. That is because the created user does not have any permission to read the folders that are mounted. Neither does the group the user belongs to (sftponly).
cd to /mnt and do an ls -alh to see the UID:GID of the mounted folder:

    root@SFTPman:~ # cd /mnt/
    root@SFTPman:/mnt # ls -alh
    total 306
    drwxr-xr-x    4 root  wheel     4B Sep 12 13:45 .
    drwxr-xr-x   17 root  wheel    22B Sep 12 13:41 ..
    drwxrwx---+ 803 1000  1002   820B Sep 12 01:01 Files
    root@SFTPman:~ #
Here we see that the user with UID 1000 is the owner of the folder called Files, and the group owner is the group with GID 1002. Other users do not have any access at all. But are there any other groups or users that have access to this mount point?
Use getfacl to get the folder's access control list:

    root@SFTPman:/mnt # getfacl Files/
    # file: Files/
    # owner: 1000
    # group: 1002
                group@:rwxpDdaARWc---:fd-----:allow
            group:1006:r-x---a-R-c---:fd-----:allow
            group:1050:r-x---a-R-c---:fd-----:allow
            group:1070:rwxp-daARWc---:fd-----:allow
              user:922:rwxpD-aARWc---:fd-----:allow
                owner@:rwxpDdaARWcCo-:fd-----:allow
    root@Radarr:/mnt #
What we are interested in is one of the groups that has only read and execute access to the folder, such as group:1050, because this is only for accessing and reading the files in the /mnt/Files/ folder. If I wanted sftpuser1 to be able to write to this mount point, I would instead, in the following section, have created a group in the jail with GID 1002 (or matched user:922, which also has write access) and added sftpuser1 to that group.
List the groups that our user sftpuser1 currently belongs to:

    root@SFTPman:/mnt # groups sftpuser1
    sftponly
We want to make our user a member of the group that has GID 1006. But which group has that GID?
Check in the FreeNAS GUI > Accounts > Groups. In my case, the group Filesgroup_ro was the group with GID 1006.
In our jail, we have to create the group with a GID of 1006:

    root@SFTPman:/mnt # pw groupadd Filesgroup_ro -g 1006
Then put our user sftpuser1 in the group we want the user to belong to:

    root@SFTPman:/mnt # pw usermod sftpuser1 -G sftponly,Filesgroup_ro
Now which groups does sftpuser1 belong to?

    root@SFTPman:/mnt # groups sftpuser1
    sftponly Filesgroup_ro
Back in FileZilla, disconnect and reconnect; you'll see that the folders are now listed (right-click and choose Refresh).
Now you just have to repeat this for whatever folders you would like the users to connect to.
As the owner of the mount point, which should be the same owner as listed in the SMB service, map a network drive:

    Drive: X
    Folder: \\freenas\Files
    Reconnect at logon (uncheck)
    Connect using different credentials (check)
    Username: username-as-in-owner
    Password: password

Press OK.
Right-click on the drive, select Properties and then the Security tab. Press Edit and choose "Add...". Under "Enter the object name to select", write 'FREENAS\Filesgroup_ro' and click 'Check names'. This should fly right through; click OK. Make sure there is a checkmark next to 'Read & execute', 'List folder contents' and 'Read'. Press Apply.
Then you'll have the group 'Filesgroup_ro' with sufficient permissions for our user sftpuser1 to download files via a secure SFTP connection.