Access only with "root", regardless of the permission settings on the dataset

ddaenen1
I am puzzled by this one. It appears that regardless of which user permissions I set on a dataset, I can only access it with the root UID and password. I have created a pool, of which the parent dataset is named "Data". The permission UID of this pool is "root". If I create another dataset named "backup" and set its permissions to "user1", I would assume that you can only access the backup dataset using the "user1" credentials, correct? The fact is that I cannot, but I can with "root". Am I doing something wrong?

anodos (iXsystems)
ddaenen1 said:
[...] If I create another dataset named "backup" and set its permissions to "user1", I would assume that you can only access the backup dataset using the "user1" credentials, correct? The fact is that I cannot, but I can with "root". Am I doing something wrong?

If you don't grant permissions that give "user1" execute on /mnt/Data, then he won't be able to access /mnt/Data/backup.

ddaenen1
Hello, can you educate me a bit more on how to do this? An example would be great.

Here are the specific details.

This is the pool and the datasets:

[screenshot of the pool and dataset list omitted]

The pool structure:
- The permission of "Data" is set to "root"
- The permission of "Fileshare" is set to "ddaenen1"
- The permission of "Backup" is set to "synology"
- The permission of "time-machine" is set to "time_machine"

Accounts set up:
- UID "root" / group "wheel"
- UID "ddaenen1" / group "ddaenen1"
- UID "synology" / group "synology"
- UID "time_machine" / group "time_machine"

So currently I can access all datasets with "root" but none with their own set permissions. What am I doing wrong?

ddaenen1
I spent a large amount of time on Friday trying to figure out where my setup is wrong, read up on the SMB permissions and tried different settings, but for some reason I can't get this resolved. No matter what I do, it always ends up as either access with root or no access at all.

I am starting to think I have the whole concept of dataset permissions and folder access rights completely wrong. All I really want is for the datasets to be accessible only with the assigned permissions, but it just doesn't seem to work. Same for the "Fileshare" and "time-machine" shares I have set up.

anodos said:
If you don't grant permissions that give "user1" execute on /mnt/Data, then he won't be able to access /mnt/Data/backup.

I do have one question on your statement: can I set multiple permissions on /mnt/Data? Currently it is at "root/wheel". So do I need to add "user1" to the "wheel" group, or what is the right way?

KrisBee
@ddaenen1 It might help to have this comparison. In this example the pool name is "Tpool", mounted at "/mnt/Tpool" with "root:wheel" as the owner/group. The default settings show "x" (execute) for everyone on directory "Tpool", meaning everyone can traverse to the next level down.

Code:
root@freenas[~]# zpool list    
NAME           SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
Tpool         17.5G   266M  17.2G        -         -     0%     1%  1.00x  ONLINE  /mnt
freenas-boot  9.50G  2.81G  6.69G        -         -      -    29%  1.00x  ONLINE  -
root@freenas[~]# ls -l /mnt/    
total 13
-rw-r--r--   1 root  wheel   5 Jan  1 09:19 md_size
drwxr-xr-x  10 root  wheel  10 Jan 18 16:10 Tpool
root@freenas[~]# getfacl /mnt/Tpool
# file: /mnt/Tpool
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
root@freenas[~]#


You wouldn't normally want, or need, to change the perms/ACL on your top-level dataset ("Data" in your case); in fact, the upcoming FN11.3 prevents the user from doing this via the GUI:

[screenshot of the FN11.3 GUI omitted]

ddaenen1
KrisBee said:
[...] The default settings show "x" (execute) for everyone on directory "Tpool", meaning everyone can traverse to the next level down.

Interesting, mine looks like this:

Code:
root@FreeNAS-L3426[~]# getfacl /mnt/Data
# file: /mnt/Data
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:--------------:fd-----:allow
root@FreeNAS-L3426[~]#


So is this standard?
 

ddaenen1
And using the guideline, I turned it into this:

Code:
root@FreeNAS-L3426[~]# getfacl /mnt/Data                           
# file: /mnt/Data
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow
root@FreeNAS-L3426[~]# 


So now I should be able to use the permissions set for the datasets below, correct?
 

KrisBee
Yes, but see the late edit to my first reply re: not changing the default perms/ACL on the top level dataset.
 

ddaenen1
KrisBee said:
Yes, but see the late edit to my first reply re: not changing the default perms/ACL on the top-level dataset.

So if I don't change the ACL on the top level, then what is the point of having different permissions for the datasets below, if you cannot access them using those permissions?
 

KrisBee
You ended up with "Windows share type" perms/ACL on your top-level dataset, by choice or by accident perhaps, hence you needed to make that change with setfacl in order to access dataset "Backup", etc.

If you choose not to create an SMB share of the top-level dataset (why would you do this?), or otherwise change its perms/ACL, then the default perms/ACL on the top-level dataset is "Unix type" and allows everyone to traverse to the next lower level.
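The rule behind this whole thread (entering a child dataset needs "x" on every directory above it, root bypasses the check, and an everyone@ entry with no bits grants nothing) can be checked mechanically instead of by trial and error. What follows is an added example written for this page, not FreeNAS/TrueNAS or iXsystems code: a small Python checker that parses the getfacl(1) NFSv4 ACL text shown in the posts above and applies the NFSv4 first-match evaluation along the path to a child dataset. The /mnt/Tpool and /mnt/Data ACLs are the ones posted in the thread; the ACL for /mnt/Data/Backup, the uids and the group memberships are constructed assumptions based on the account list ddaenen1 gave.

```python
"""NFSv4 ACL traversal checker for the getfacl(1) output shown in this thread.

Added example, not FreeNAS/TrueNAS code. Rule modelled: ACEs are evaluated in
order, the first matching ALLOW or DENY decides each permission bit, undecided
bits are denied, and entering a directory needs 'x' on it and on every directory
above it. Root (uid 0) bypasses the check, which is why "root" always works.
"""
from collections import namedtuple

PERM_LETTERS = "rwxpDdaARWcCos"  # getfacl permission columns, in this order
Ace = namedtuple("Ace", "principal perms flags kind")    # perms: frozenset of letters
DirAcl = namedtuple("DirAcl", "path owner group aces")
Subject = namedtuple("Subject", "user uid groups")        # groups: names, primary included


def parse_getfacl(text):
    """Turn one getfacl(1) block (header comments plus ACEs) into a DirAcl."""
    meta, aces = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                   # "# file:", "# owner:", "# group:"
            key, _, value = line[1:].partition(":")
            meta[key.strip()] = value.strip()
            continue
        principal, perms, flags, kind = line.rsplit(":", 3)   # keeps "user:NAME" intact
        if kind not in ("allow", "deny") or len(perms) != len(PERM_LETTERS) \
                or any(c not in ("-", col) for c, col in zip(perms, PERM_LETTERS)):
            raise ValueError(f"malformed ACE: {line!r}")
        aces.append(Ace(principal, frozenset(c for c in perms if c != "-"), flags, kind))
    return DirAcl(meta["file"], meta["owner"], meta["group"], tuple(aces))


def ace_applies(ace, acl, subject):
    """Does this ACE's principal match the subject on this directory?"""
    if "i" in ace.flags:             # inherit_only: meant for children, not this directory
        return False
    kind, _, name = ace.principal.partition(":")
    return {"everyone@": True,
            "owner@": subject.user == acl.owner,
            "group@": acl.group in subject.groups,
            "user": name == subject.user,
            "group": name in subject.groups}[kind]   # KeyError on an unknown principal


def effective_perms(acl, subject, wanted=frozenset(PERM_LETTERS)):
    """Subset of `wanted` the subject really gets on this directory."""
    if subject.uid == 0:
        return set(wanted)           # root bypasses discretionary access control
    decided = {}
    for ace in acl.aces:
        if ace_applies(ace, acl, subject):
            for bit in ace.perms & frozenset(wanted):
                decided.setdefault(bit, ace.kind == "allow")   # first match wins
    return {bit for bit in wanted if decided.get(bit, False)}


def first_blocking_dir(chain, subject):
    """Walk a top-down list of DirAcl; return the first path lacking 'x', else None."""
    for acl in chain:
        if "x" not in effective_perms(acl, subject, {"x"}):
            return acl.path
    return None


# ACLs copied from the posts above.
TPOOL_DEFAULT = """\
# file: /mnt/Tpool
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
"""
DATA_BEFORE = """\
# file: /mnt/Data
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:--------------:fd-----:allow
"""
DATA_AFTER = DATA_BEFORE.replace("everyone@:--------------", "everyone@:r-x---a-R-c---")
# Constructed (assumption): the "Backup" dataset set to synology, same shape as the Data ACL.
BACKUP = DATA_BEFORE.replace("/mnt/Data", "/mnt/Data/Backup").replace("root", "synology") \
                    .replace("wheel", "synology")
# Constructed (assumption): uid/group table for the accounts listed in the thread.
ROOT = Subject("root", 0, frozenset({"wheel"}))
SYNOLOGY = Subject("synology", 1001, frozenset({"synology"}))
DDAENEN1 = Subject("ddaenen1", 1000, frozenset({"ddaenen1"}))


def report(top_level_text):
    """Where each account gets stuck on the way into /mnt/Data/Backup (None = gets in)."""
    chain = [parse_getfacl(top_level_text), parse_getfacl(BACKUP)]
    return {s.user: first_blocking_dir(chain, s) for s in (ROOT, SYNOLOGY, DDAENEN1)}


if __name__ == "__main__":
    for label, text in (("before fix", DATA_BEFORE), ("after fix", DATA_AFTER)):
        print(label, report(text))
```

With the "before" ACL every non-root account is stopped at /mnt/Data, because the only entry that matches them is an everyone@ allow that carries no bits, so "x" is never decided and falls through to deny; root is not stopped anywhere, which is exactly the symptom reported. With the corrected everyone@ entry, synology gets through to its own dataset while ddaenen1 is stopped at /mnt/Data/Backup by that dataset's own ACL, which is the per-dataset isolation the thread is after. The parser reads the same text getfacl prints, so output from a real system can be pasted into the sample strings; it models DAC only and knows nothing about SMB share-level settings.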
 

ddaenen1
KrisBee said:
You ended up with "Windows share type" perms/ACL on your top-level dataset, by choice or by accident perhaps, hence you needed to make that change with setfacl in order to access dataset "Backup", etc.

If you choose not to create an SMB share of the top-level dataset (why would you do this?), or otherwise change its perms/ACL, then the default perms/ACL on the top-level dataset is "Unix type" and allows everyone to traverse to the next lower level.

I think you have hit the spot there. I did indeed notice that the top level was a Windows share, but I cannot recall whether I configured it that way or it was the default. In any case, I did change it to Unix, but I guess that didn't change anything in the perms/ACL retroactively.