Synology shared folder permission without ACL

I need your help about permissions on a shared folder in our NAS.

I've created User1, User2, User3 and they all belong to the group "Users".

I've created folders:
\\synology1\users (can't really make any user the owner of a share, but I've set the right to "Users" to Read/Write in it)
\\synology1\users\User1 (Owner: User1/Users, rights: RWX------)
\\synology1\users\User2 (Owner: User2/Users, rights: RWX------)

I want User1 to be able to read & write to the User1 folder, but have no access at all to User2. I also don't want him to be able to create folders/files in \\synology1\users. But with this setup, User1 is allowed to write in it. And if I set the shared folder permissions of User1 to "Read Only", then he can't even write in his own folder.

Can you explain to me what part I misunderstand? And what should I change to make it work like I want?


Note: All the computers accessing the drive are on Windows.
Christian de Bellefeuille (Programmer) asked:
Gerwin Jansen, EE MVE (Topic Advisor) commented:
Hi, what goal do you have for the \\synology1\users folder? If user1 is not allowed to write in \\synology1\users then who will?

The reason both user1 and user2 are able to write to folder \\synology1\users is that they belong to the users group, which has rw rights in that folder.

You could set things up like this:

\\synology1\users (all users rwx rights)
\\synology1\user1 (user1 rwx rights)
\\synology1\user2 (user2 rwx rights)

That way each user has its own 'home' folder and a shared folder (users) that all users can use to 'share' files.

Christian de Bellefeuille (Programmer, Author) commented:
The admin will create folders in \\synology1\users. I don't want to get that folder filled with crap just because a user doesn't know how to use it.

So what you suggest is to let them be able to write in \\synology1\users? That's exactly what I want to avoid.

I'm not familiar with Linux permissions...

I thought that there was some inheritance. Am I wrong?

So if for example, I set Read Only to \\synology1\users for everyone, and set RWX to User1 for \\synology1\users\user1, then I would end up with RWX for the user1 folder, and have only R for \\synology1\users. But it seems I'm wrong...

Sudeep Sharma (Technical Designer) commented:
Which Synology NAS are you using and what version of firmware is it running?

Further, where are the users and the group created? On the NAS as local users or on AD?

Christian de Bellefeuille (Programmer, Author) commented:
It's a DS-213, it's running on the latest firmware (DSM 4.3-3776).

The users & groups are created on the NAS, it's not on an AD.

There's other users, but they are not involved in this situation.  I've not set "NO ACCESS" to this folder to anyone...

As I said, the problem might come from my assumptions about "How Linux Permissions Work". I have another folder that I've set up using ACL, and it's working just fine.

I really want to understand how it works without ACL to understand Linux better.

Sudeep Sharma (Technical Designer) commented:
I think it has nothing to do with the Linux permissions but with how Windows handles the network permissions.

For example, you could not map the same network drive with two different usernames and passwords. Let's say your NAS IP: you could only share it with one user's credentials. Whether there are two folders in it or three, all should have the same password, else it would not let you access it with another user's password unless you disconnect the mapped drive and clear the cached passwords from the system.

Christian de Bellefeuille (Programmer, Author) commented:
Ok. I've done a NET USE /DELETE * prior to mapping any network drive.

With ACL, I can change permissions on files/folders and these changes seem to apply immediately on User1's computer. I guess it's the same without ACL too, but I'm not sure. I would guess that on a pure Linux machine (Ubuntu for ex) I would have to restart the Samba service, but the NAS must be wise enough to restart & reload its new config. But does Windows get advised of that change? I don't know...

Maybe I'm not understanding the confusion.

Your basic error, I think, is that you have given users the ability to read and write "users".
You don't need to do that, and shouldn't.  Each user should have the ability only to read and write his own directory under users.

As I understand it, you have


You want each user to be able to read and write in their own folder, but not in any other.

So you could do permissions as:

users RWX--X--X
users/User1 RWX------
users/User2 RWX------
users/User3 RWX------  

This way, EVERYONE can list the files/folders in users (but nobody can read, create, or change them except the owner of users, which is presumably the admin).

Each of User1, User2 and User3 can read, write and list the files in his own folder, but not the other two, assuming User1 is the owner of the directory User1, User2 is the owner of the directory User2 and User3 is the owner of the directory User3.

If the owners are wrong, the admin would use the chown command to change the owners.

If your users can currently read/write the users folder, then the users folder's permissions must be something like


(The first three positions describe what the OWNER can do in that folder; the second three describe what persons in the same group can do in that folder; the third three describe what persons outside that group can do in that folder.)

You probably should just use the default 'homes' setup. This automatically creates a directory for each user. When a user maps or browses to '\\synology1\home', it will automatically go to the logged-in user's network space and permissions are set.

Look in the Synology Control Panel -> Users -> User Home button, which pops up a window to allow you to turn homes on or off and also enable/disable recycle bins for the user's shares.

Then when you log into the Synology File Station as admin you will see the homes folder, which contains all of the users' directories, but no user will see the homes directory, only their own folder.

The file service does not need to be restarted; the changes will turn up right away. I actually checked this by turning permissions on and off on a directory: it appeared/disappeared on a Win7 station. You may need to refresh; I'm not sure how long it takes to show automatically. In any case, if access is turned off to something that was being looked at, it will error out and not let you make changes.

If you make a change and nothing appears to change, double check the groups that a user is in or that the share allows. The priority order is no access > read/write > read only, so if a user has read/write in one group and you have given the user read only directly, he will still have read/write through the group permission. Similarly, if you give a group access to a share but a user has no access set for that share, he would still have no access.

I would recommend using the homes setup or creating the shares for each user directly by name.

There are really 3 things at play here: the Linux file permissions, the Samba share permissions, and how Synology has configured Samba (aka Windows File Service on a Synology unit).

To put it as simply as I can think of: when you share something through Samba, both the filesystem permissions AND the Samba share settings need to allow it. So if you give read only on a file but you have given read/write on the share, a Windows client will still be read only.

Also there is inheritance, though Samba does have settings for how it will be applied. On the Synology units it seems everything defaults to wide open permissions. So any new file or directory created will have the owner set to the user as expected, but the group is always set to 'users' with full access and everybody is also given full access. You can change these using the File Station GUI.

So you need to assign read/write to the 'Users' share (this is the Samba setting), then through File Station set the 'User1', 'User2', etc. directories up with permissions to only allow the specific user read/write and all others no access (these are Linux file permission settings). Probably best to set the owner to the user1 and uncheck all group and other permissions. Also I would suggest setting the 'hide folders and files from users without permissions' check on the share so users only see what they have access to.

The issue with this is that we set the 'Users' share up as read/write and Synology has set the actual directory permissions on the share to wide open, so any user can create files directly in the 'Users' share where you don't want them to. This can be changed through the console by logging in as root and changing permissions on the share's directory to read only and execute for 'Others'. Leave the owner and group root setting alone.

The second issue I have is that if a user browses to 'Users' they can then simply delete any directory they have access to. The actual directory will stay, though it may disappear in Windows for a little while, but the contents are gone: just the Del key and one click. Not the end of the world if the recycling bin is enabled for the share, but still annoying. This is a difference in how Windows handles a share vs a directory; you cannot just delete a share, they would have to actually select all the contents first.
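
The layering described in the answers above, as an added example that is not part of the original thread: a small Python model in which creating a file succeeds only when the share privilege and the POSIX mode bits both allow it. The sample tree, the owners, the `users` group name and all function names are constructed for illustration; ACLs and root's bypass of mode bits are not modelled.

```python
# Added illustration, not code from the thread. Models the two layers the
# answers describe: share privilege AND POSIX mode bits must both allow a write.
from dataclasses import dataclass

W, X = 2, 1  # write and execute (traverse) bits within one rwx triplet

@dataclass
class Dir:
    owner: str
    group: str
    mode: int  # e.g. 0o700 is rwx------

def posix_bits(d, user, groups):
    """Pick the single triplet that applies: owner, else group, else other."""
    if user == d.owner:
        return (d.mode >> 6) & 7
    if d.group in groups:
        return (d.mode >> 3) & 7
    return d.mode & 7

def share_privilege(user, groups, grants):
    """Priority stated in the thread: no access > read/write > read only."""
    held = {grants[n] for n in (user, *groups) if n in grants}
    return next((p for p in ("NA", "RW", "RO") if p in held), "NA")

def can_create_in(path, tree, user, groups, grants):
    """True if `user` may create an entry in directory `path` through the share."""
    if share_privilege(user, groups, grants) != "RW":
        return False
    parts = path.split("/")
    for i in range(1, len(parts)):  # every ancestor needs x (traverse)
        if not (posix_bits(tree["/".join(parts[:i])], user, groups) & X):
            return False
    # Creating an entry needs both write and execute on the directory itself.
    return (posix_bits(tree[path], user, groups) & (W | X)) == (W | X)

def layout(share_root_mode):
    """Constructed sample tree; owners, groups and modes are assumptions."""
    return {
        "users": Dir("root", "root", share_root_mode),
        "users/User1": Dir("User1", "users", 0o700),
        "users/User2": Dir("User2", "users", 0o700),
    }

GROUP_RW = {"users": "RW"}  # share privilege granted to the group
wide_open = layout(0o777)   # share directory left wide open, as the thread describes
locked = layout(0o755)      # write removed for 'others' on the share directory
```

With `locked`, User1 can still create files in `users/User1` but not in `users` or `users/User2`; switching the share grant to read only blocks writes everywhere, which matches what the asker observed.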
