CHMOD now working

typhonragewind

Dabbler
Joined
Dec 1, 2018
Messages
26
Hello everyone!

I'm still fairly new to FreeNAS and UNIX systems in general, so please bear with me.

I've recently tried to create some scripts for use in my jails but I found that I could not execute them (because I didn't have the permissions, as I found later). I tried to solve this by doing a chmod -x on the script file in question, but it had the output: Operation not permitted.

After some investigating I found it was because of ACL permissions that were set when I created the datasets.
I also found a possible suggestion to fix this, which is the following command:

setfacl -b /mnt/Vol1/ zfs set aclmode=passthrough pool/dataset && rm /mnt/Vol1/.windows

Is it an alright solution? I don't want to mess around with permissions without knowing for sure that I won't drive myself into a corner and lose data.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Hello everyone!
>
> I'm still fairly new to FreeNAS and UNIX systems in general, so please bear with me.
>
> I've recently tried to create some scripts for use in my jails but I found that I could not execute them (because I didn't have the permissions, as I found later). I tried to solve this by doing a chmod -x on the script file in question, but it had the output: Operation not permitted.
>
> After some investigating I found it was because of ACL permissions that were set when I created the datasets.
> I also found a possible suggestion to fix this, which is the following command:
>
> setfacl -b /mnt/Vol1/ zfs set aclmode=passthrough pool/dataset && rm /mnt/Vol1/.windows
>
> Is it an all right solution? I don't want to mess around with permissions without knowing for sure that I won't drive myself into a corner and lose data.

1) If it's an SMB share, you should probably leave the aclmode as restricted. In general, it's better to create a separate dataset for your share (for instance, /mnt/Vol1/SMB). This will keep /mnt/Vol1 with the aclmode set to "passthrough".

2) You can also grant the user (or group) that should be executing the script, execute permissions using setfacl. The way to do this is to run the command: setfacl -m u:<username>:rxaRc::allow /mnt/Vol1/my_script.sh
 

typhonragewind

> 1) If it's an SMB share, you should probably leave the aclmode as restricted. In general, it's better to create a separate dataset for your share (for instance, /mnt/Vol1/SMB). This will keep /mnt/Vol1 with the aclmode set to "passthrough".
>
> 2) You can also grant the user (or group) that should be executing the script, execute permissions using setfacl. The way to do this is to run the command: setfacl -m u:<username>:rxaRc::allow /mnt/Vol1/my_script.sh

1) I have two separate pools. One that lives on an SSD that is used to store jails and the other just for data on regular REDS. I defined a dataset on the storage pool as SMB share, but I can still access the jails pools through Windows - maybe some misconfiguration on my part?

2) I couldn't even do chmod as root, do I actually have to grant root this permission?

Thank you!
 

anodos

> 1) I have two separate pools. One that lives on an SSD that is used to store jails and the other just for data on regular REDS. I defined a dataset on the storage pool as SMB share, but I can still access the jails pools through Windows - maybe some misconfiguration on my part?

Double-check your share path.

> 2) I couldn't even do chmod as root, do I actually have to grant root this permission?

chmod is basically disabled by default on SMB shares. In this case the correct tool to use is setfacl. In 11.3 we will have an ACL editor, which will make managing these things easier.
 

typhonragewind

> Double-check your share path.
>
> chmod is basically disabled by default on SMB shares. In this case the correct tool to use is setfacl. In 11.3 we will have an ACL editor, which will make managing these things easier.

Alright, will check everything when I get home, thank you :)
 

anodos

> Is this the "easy mode" that has been mentioned for setting windows permissions?

It's the server-side option. I'm mostly only working on the middleware component of it (not GUI implementation). Eventually we'll have template ACLs that can be selected. Additionally, I've made the API so that it can accept "BASIC" permissions and inheritance flags types. So 'perms': {'BASIC': 'FULL_CONTROL'}, 'flags': {'BASIC': 'INHERIT'} would be the same as `rwxpDdaARWcCos:fd-----`

There will always be some complexity to ACLs, but through templates and giving simpler options we're hoping to make this much more user-friendly.
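An added example (not part of the original posts, and not FreeNAS middleware code): a small decoder for the compact NFSv4 ACL strings quoted in this thread, `u:<username>:rxaRc::allow` and `rwxpDdaARWcCos:fd-----`, which also lists any rights that allow changing the ACL or owner. Letter meanings are taken from the FreeBSD setfacl(1) manual page; the user name `alice` and the `owner@ ... allow` wrapper around the second string are constructed placeholders.

```python
# Added example: decode FreeBSD NFSv4 ACL entries like the ones in this thread.
# Letter meanings follow the FreeBSD setfacl(1) manual page.
PERMS = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "D": "delete_child", "d": "delete", "a": "read_attributes",
    "A": "write_attributes", "R": "read_named_attrs", "W": "write_named_attrs",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
FLAGS = {"f": "file_inherit", "d": "dir_inherit", "i": "inherit_only",
         "n": "no_propagate", "I": "inherited"}
# Rights that let the holder re-grant access to themselves or others.
SENSITIVE = ("write_acl", "write_owner")


def decode(letters, table):
    """Expand a compact letter string; '-' is a placeholder for 'not set'."""
    names = []
    for ch in letters:
        if ch == "-":
            continue
        if ch not in table:
            raise ValueError(f"unknown letter {ch!r} in {letters!r}")
        names.append(table[ch])
    return names


def parse_ace(ace):
    """Split 'tag[:qualifier]:perms:flags:type' into named fields."""
    fields = ace.split(":")
    # user/group entries carry a name; owner@, group@ and everyone@ do not.
    n = 2 if fields[0] in ("u", "user", "g", "group") else 1
    who, rest = ":".join(fields[:n]), fields[n:]
    if len(rest) != 3 or rest[2] not in ("allow", "deny"):
        raise ValueError(f"malformed ACL entry: {ace!r}")
    perms = decode(rest[0], PERMS)
    return {
        "who": who,
        "perms": perms,
        "flags": decode(rest[1], FLAGS),
        "type": rest[2],
        "sensitive": [p for p in perms if p in SENSITIVE],
    }


if __name__ == "__main__":
    # Constructed inputs: "alice" and the owner@/allow wrapper are placeholders.
    for entry in ("u:alice:rxaRc::allow", "owner@:rwxpDdaARWcCos:fd-----:allow"):
        print(parse_ace(entry))
```

The script-execution entry decodes to read, execute and metadata-read rights only, with an empty `sensitive` list, while the full-control string includes `write_acl` and `write_owner`.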
 

typhonragewind

> It's the server-side option. I'm mostly only working on the middleware component of it (not GUI implementation). Eventually we'll have template ACLs that can be selected. Additionally, I've made the API so that it can accept "BASIC" permissions and inheritance flags types. So 'perms': {'BASIC': 'FULL_CONTROL'}, 'flags': {'BASIC': 'INHERIT'} would be the same as `rwxpDdaARWcCos:fd-----`
>
> There will always be some complexity to ACLs, but through templates and giving simpler options we're hoping to make this much more user-friendly.

The setfacl worked wonderfully!
Thank you for showing me the solution and teaching me something so useful along the way!
 