Intended Audience
This post may be of interest if you want to give end users the ability to recover lost files by giving them read access to their own backed up data.
Assumptions
- The reader has been redirected here from this post.
- The steps in this post are executed from a Windows 10 PC. For an earlier Windows 7 version of this post refer here.
Background
In a recently updated post on setting up Resilio Sync on FreeNAS, a third party was responsible for recovering end user data. Is it possible to get rid of the middle man and have end users responsible for recovering their own data? It certainly is!
There is a little extra work that the system administrator will have to do to set this up, but the longer term benefits are substantial. The result is that end users will be able to restore their own data without referring to a higher authority.
Overview
The key is to set up permissions for the backup repository such that the following objectives are met:
- End users should only be able to see their own data.
- End users may read their own data in the backup repository, but not modify or delete it.
- System administrators have full access to the backup repository.
- Resilio Sync is the owner of the backup repository.
To achieve the desired goal, step 5 in the original post is replaced with the following steps:
Step 5A: Adjust permissions on the backup share.
Step 5B: Give end users read access to their own data within the backup share.
Step 5A: Adjust permissions on the backup share.
Adjust share permissions such that only FreeNAS users (in this case belonging to the group freenas) have read access to the backup share. Also, allow system administrators to have full access to the share.
Step 5B: Give end users read access to their own data within the backup share.
In the example below, directories have been set up for each user in the backup share. Selective backups of devices that each user owns will be kept in the relevant user directory.
Directory permissions are now adjusted so that the end users can read their own data. Using Basil as an example:
Notice that permissions have been inherited from the share. This has to be altered so that only user basil can view backed-up data in the directory Basil. To achieve this, grant basil read access and remove the group freenas, which takes away read access to that directory from other users.
Use the Edit button to add user basil with read access.
Attempting to remove freenas throws up the following error:
Exit this screen and then click OK to allow permissions for basil to propagate through the directory tree.
When permission propagation is complete, click the Advanced button.
Next, click the Disable inheritance button. The dialogue box below appears.
Click on Convert inherited permissions into explicit permissions on this object. You will be returned to the previous screen. Highlight the freenas entry and click Remove.
Click OK to allow security information to be propagated through the directory tree. Once complete, you will be returned to the Properties dialogue box.
Repeat step 5B for each top-level user directory in the backup share.
System administrators still have full visibility of all directories in the backup share. However, when the backup share is viewed by an end user, say basil, only the directory Basil, its subdirectories and files contained within will be visible. User basil will be able to restore files from the directory Basil, but will not be able to delete files in the backup location.
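Step 5B scripted with icacls for every top-level user directory, as an added example that is not part of the original post. The share path `\\freenas\backup`, the rule that a directory name maps to the lower-cased account name, and the `RX` (read and execute) permission level are assumptions, as is that the account names resolve from the PC running the script.

```powershell
# Added example: scripted form of Step 5B. Names and paths are assumptions.
param(
    [string]$BackupRoot = '\\freenas\backup',  # assumed UNC path of the backup share
    [string]$Group      = 'freenas',           # group whose read access is removed
    [switch]$Apply                             # without -Apply, only print the commands
)

function Invoke-Icacls([string[]]$IcaclsArgs) {
    if (-not $Apply) {
        Write-Host "WOULD RUN: icacls $($IcaclsArgs -join ' ')"
        return
    }
    & icacls.exe @IcaclsArgs | Out-Null
    # Stop at the first failure so a directory is never left half-configured
    # (for example, inheritance disabled but the user's entry never added).
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $($IcaclsArgs -join ' ')" }
}

foreach ($dir in Get-ChildItem -LiteralPath $BackupRoot -Directory) {
    $user = $dir.Name.ToLower()   # assumption: directory "Basil" belongs to account "basil"
    $path = $dir.FullName

    # 1. Add the user with read access, inherited by subdirectories and files.
    Invoke-Icacls @($path, '/grant', "${user}:(OI)(CI)RX")

    # 2. Disable inheritance, converting inherited entries into explicit ones
    #    so the administrators' and owner's entries are kept.
    Invoke-Icacls @($path, '/inheritance:d')

    # 3. Remove the group's granted entries; other users lose read access.
    Invoke-Icacls @($path, '/remove:g', $Group)

    if ($Apply) {
        # Check the result: inheritance must be off, then show the ACL for review.
        $acl = Get-Acl -LiteralPath $path
        if (-not $acl.AreAccessRulesProtected) {
            Write-Warning "$path still inherits permissions from the share"
        }
        & icacls.exe $path
    }
}
```

Run it once without `-Apply` to review the commands it would issue, and confirm in the printed ACL for each directory that the group no longer appears.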