10400328-001 02/2011
©2011 Overland Storage, Inc.
W
3-5
SnapServer GuardianOS 6.5 Setup Guide
Configuring Email Notification, Task Scheduling, and Security
• Name the share with a dollar-sign ($) at the end. This is the traditional Windows
method of hiding shares; however, it does not truly hide the share since Windows
clients themselves filter the shares from share lists. Other protocols can still see
dollar-sign shares.
• Hide the share from all protocols (except NFS) by navigating to the
Security > Shares
page, selecting the share, expanding the
Advanced Share Properties
link,
and clicking
the
Hide this Share
check box. When a share is hidden this way, the share is invisible
to clients, and must be explicitly specified to gain access.
Note:
Hidden shares are not hidden from NFS, which cannot access invisible
shares. To hide shares, from NFS, consider disabling NFS access to the
hidden shares.
• Disable individual protocol access to certain shares by navigating to
Security > Shares,
selecting the share, expanding the
Advanced Share Properties
link,
and enabling/
disabling specific protocols.
Directory Permissions
GuardianOS supports two “personalities” of file system security on files and
directories:
•
UNIX:
Traditional UNIX permissions (
rwx
) for owner, group owner, and other.
•
Windows ACLs:
Windows NTFS-style file system permissions.
Windows ACLs fully support the semantics of NTFS ACLs, including configuration,
enforcement, and inheritance models (not including the behavior of some built-in
Windows users and groups). The security personality of a file or directory is
dependent on the security model of the SnapTree or Volume in which the file or
directory exists.
Share Level Permissions
Share-level permissions on GuardianOS are applied cumulatively. For example, if the
user “j_doe” has Read-Only share access and belongs to the group “sales”, which has
Read/Write share access, the result is that the user “j_doe” will have Read/Write share
access.
Note:
Share-level permissions only apply to non-NFS protocols. NFS access is
configured independently by navigating to the
Security > Shares
page and clicking
the appropriate
NFS Access
link in the Shares table.
Where to Place Shares
For security and backup purposes, it is recommended that administrators restrict
access to shares at the root of a volume to administrators only. All SnapServers are
shipped with a default share named
SHARE1
that points to the root of the default
volume
vol0
. The share to the root of the volume should only be used by
administrators as a “door” into the rest of the directory structure so that, in the event
that permissions on a child directory are inadvertently altered to disallow
administrative access, access from the root share is not affected. This also allows one
root share to be targeted when performing backups of the server. If it is necessary to
have the root of the volume accessible, using the Hidden option helps ensure only
those that need access to that share can access it.
SnapTrees
SnapTrees are directories that can be configured for the Windows/Mixed or UNIX
security model. SnapTrees make a specific directory structure follow the rules of the