I have a home-media fileserver, to which I have connected a new user on Ubuntu 20.04 (via Samba). The file-server is a micro-PC doing the job of a NAS.
The new user is aged 9 and would like read permissions to a couple of folders of kids' videos, her own files, etc. I could just make her a local copy of them, but it would be nicer to find some way of limiting the access from the guest-side rather than on the server.
I'm interested in leaving the user with root permissions to the samba share but apparently-limiting it some other way in the UI
Is there an intentionally-hamstrung / read-only filemanager I can install that doesn't have any ability to delete or change files? Or which can use an internal allowed or disallowed lists of folder locations, without reference to the user's permissions?
Is it (likely to be) possible to remove the -rm and -mv commands from Thunar's capabilities? e.g. custom actions could be used to disable the 'delete' key (and it isn't in the menus) but there is still the ability to navigate around on the fileserver. In this case the "parent" directory literally is the parent's directory
Is there any parental controls-type utility that can restrict File Managers as well as, or instead of, Internet access?
As an alternative to 1. this is only for playing media, so is there any client-only "Video Jukebox" application that can't move/rename/delete?
Also as an alternative to 1. I could potentially set up a media server application on the fileserver, round the side of Samba - but this doesn't seem like it would be simple with the packages available to Puppy Linux
===
People often say "children find ways round these things", but this involves a bunch of assumptions about ability levels - remember my workaround is to make a local copy
thanks xx Catty
I've found a solution using Samba permissions, but would still like to know if there are any client-side approaches. (I've never heard of any, but who knows).
In my situation where there is an existing+working NAS-like fileserver sharing an external NTFS filesystem, where no user permissions have ever been set from within Windows, running a Samba Server, and an Ubuntu client PC with a grown-up user ("adultname") and a child user ("childname")...
The Samba NAS-box needs the capability to add the child's Ubuntu username as a user. E.g. via 'adduser childname'
the child's username is added to the server, but can't (easily) be used to set any acl/Linux file permissions on an NTFS disk, I just needed it to be there for Samba
On the server once the user has been created, they must be added to Samba and also enabled on Samba. The commands for this were 'smbpasswd -a childname' and then 'smbpasswd -e childname'.
so long as they worked okay before adding the child user (there are lots of guides), the /etc/fstab line the server uses to mount its HDD are not so important and can be left the same
the /etc/fstab line the client uses to mount the Samba share are also not so important, there is no need to add new settings for acl, or fmask= and dmask=, or file_mode= and folder_mode=, or for any additional credentials file to be created
there is no need to try and create a user mapping file to enable acl/POSIX file permissions on the ntfs disk (this might be possible as an approach)
in their respective etc/fstab files the server can use ntfs as the filetype but the client must use cifs if it is to automount
on the shared HDD it is best not to keep the child user's folder inside the adult user's folder, or for the adult's folder to be the root of the drive (in my case I couldn't easily avoid these things)
the simple kind of permissions needed for adding a child user with no write access and limited read access can be managed inside Samba by editing smb.conf
in smb.conf the global settings needed to have this line added:-
browseable = no
in smb.conf the entry for the adult user's share needed to have these lines added:-
read list = root adultsname childsname
write list = root adultsname
in the above, although it is counterintuitive, the child's username must be on the read list of the adult's samba share, since their folder is inside it and the permissions don't simply "traverse" to let them read their share without also being able to read the folder above
setting browseable = no isn't secure like removing the acl/POSIX file permissions from that user for those files, but in this case it's good enough
in smb.conf, the entry for the child user's share needed to have these lines added:-
read list = root adultsname childsname
write list = root adultsname
in my case the above changes didn't affect local Windows PCs accessing the shares
Other approaches might have been to make local copies of all the files for the child user, or to reformat the shared hdd as ext4 and organize the folder layout differently - but I found this way preferable, it does what I wanted, and it's using Samba's access control short of acl
If I have made any errors I would be grateful to know. If there is a simpler way of limiting a user within the Ubuntu UI that would be useful too (as it can't hurt to add such things on top if they are there).