MineOS permissions discrepancy. Cannot write files to server.

[mike360x1]

Hi,

So, I've been having a major headache with this MineOS plugin. My current situation is that I cannot write/modify files belonging to the plugin, and if I do change permissions, the MineOS is no longer shows that server on its available server list.

I currently have the server files linked to a "Programs" dataset so I can easily attach that to a share and modify (without exposing the whole jail dataset). I checked the permissions using the security tab in properties on windows and the names match. I also went into the shell and ran a ls -l to check permissions too. That checked out.

Code:

drwxrwxr-x 4 minecraft minecraft 14 Jun 28 23:49 TankBlocks
drwxrwx--- 4 minecraft 1001 14 Jun 28 23:55 TankBoxCraft
drwxrwx--- 4 minecraft 1001 14 Jun 28 17:55 TestCraft

The first directory is the one created by MineOS. The other two are created by me. Exported from another server.
So, the auto generated directory has a group with the name "minecraft". The other two are "1001" made by me. Even then, as long as the owner is the same, there shouldn't be any problems right?

I have done my research and I have searched on the thread to find a similar issue but with no success.

Thank you for taking the time to read what I have to say.

I will be grateful if you can help me out ,

Michael L.

 

[mike360x1]

[Deleting an irrelevant post]

 

[Joshua Parker Ruehlig]

server files that mineos uses, should be writable by the user you have running a server. this is the user you login to the mineos webui with, by default mcserver, UID=199
did you create that 'minecraft' user? that wouldnt exist in the jail by default.

assuming you're trying to run your server using that Minecraft user, there should not be a problem. are you experiencing any problems?

 

[mike360x1]

server files that mineos uses, should be writable by the user you have running a server. this is the user you login to the mineos webui with, by default mcserver, UID=199
did you create that 'minecraft' user? that wouldnt exist in the jail by default.

assuming you're trying to run your server using that Minecraft user, there should not be a problem. are you experiencing any problems?

So, What I did was create a user via jail shell named "minecraft" and had its UID set to 198. I also did the same thing on my FreeNAS portion. I then proceeded to change all permissions recursively for the "Programs" dataset ( to owner: "minecraft" ofc).

Needless to say, I also tried the same procedure with the user account already provided by MineOS which was "mcserver" (UID = 199).

At the moment, I cannot write/change the files created by MineOS. And rewriting the permissions of the whole "Programs" dataset (recursively), using GUI permissions just makes that server unavailable to MineOS. I'm assuming the reason is because the permissions don't match up.

In the output for ls -l above, the permissions of the files don't match up. But the only difference is that there is no read and execute permissions for the server files created by MineOS.

Is there any other user parameter that needs to be identical? IE: name, password, home directory, etc.

 

[Joshua Parker Ruehlig]

No nothing, even username/group mapping need to be identical. The jail and host both see the file, it permission levels, and UID/GID owner. They then govern access accordingly.

Think of every scenario where a process modifies a file, from its particular OS's perspective.
From the jail's perspective, those files are owned by minecraft, when I assume you created that server using the mcserver account. mcserver can't write to those files because it isn't minecraft, and isn't in the group, in the jail that owns those files.

What method are you using to write files? If it's CIFS here's what I would do.
* Have mcserver/UID 199 own the files.
* Create a user in your FreeNAS WebUI with UID 199
* In your CIFS share map writes to that share to that user with the 'Auxiliary Parameters' "force user = USER"

 

[mike360x1]

No nothing, even username/group mapping need to be identical. The jail and host both see the file, it permission levels, and UID/GID owner. They then govern access accordingly.

Think of every scenario where a process modifies a file, from its particular OS's perspective.
From the jail's perspective, those files are owned by minecraft, when I assume you created that server using the mcserver account. mcserver can't write to those files because it isn't minecraft, and isn't in the group, in the jail that owns those files.

What method are you using to write files? If it's CIFS here's what I would do.
* Have mcserver/UID 199 own the files.
* Create a user in your FreeNAS WebUI with UID 199
* In your CIFS share map writes to that share to that user with the 'Auxiliary Parameters' "force user = USER"

First, I'm grateful for your reply :),

All the minecraft server files mentioned, were created by the user "minecraft" so there shouldn't be an issue there.

Strange enough, I created a new dataset in my pool and reassigned storage to that. So far it seems to be working. In that dataset, I will consider using the aux parameter you mentioned.

Upon further inspection, I realize part of the cause, the files written by MineOS have the R/W permissions for Owner but only read for group and same for everyone. But that Read permission allows me to rename files/folders, delete files/folders, It does not allow me to replace files nor does it allow me modify files.

Moreover, on a related note: I tried setting up a Syncthing Plugin and Storage using the same method with matching users: Owner: syncthing, Group: syncthing: UID: 983 . I then added the group syncthing to my user that I use to access the CIFS share. (Called: Michael). So I then try accessing that Storage and all permissions are denied. Even reading the storage is prohibited. I am now so confused. and I don't know what to believe.

MineOS storage is set to User:minecraft Group: minecraft
Syncthing storage is set to User: syncthing Group: syncthing
And both Groups: minecraft + syncthing are added as AUX group to the User: "Michael" . But, I can't view Syncthing storage at all, and I can only read and delete in MineOS storage.

I assume the read/delete permissions of MineOS storage comes from its "Everyone" permission, however Syncthing Storage doesn't allow "Everyone".
So, Adding AUX user is not working out for me. (Note: I also reapplied permissions again via GUI without allowing "Everyone" but still can access the MineOS share)

I don't understand. Is there something about Aux Groups that I am misunderstanding? Does the MineOS somehow ignore me when I attempt to rewrite its file permissions using GUI?
I apologize if there is frustration in my words. I am at a loss for what to do.

So I guess to sum it up,
-MineOS Storage has permissions that don't necessarily reflect the permissions that I set for its Storage(Via GUI).
And
-Syncthing storage is not allowing me access even though I have setup its respective group to be an aux group member for the user that I am accessing the storage with.
There are pieces of a puzzle that don't match up. What am I doing wrong here?


Also, side question: I set my permissions on all my datasets as Unix, Including the ones I use for strictly CIFS access. Is there any issue with doing that? (In the freenas youtube tutorial, they demonstrated how to set a CIFS share and used windows permissions.) What is the difference?

 

[Joshua Parker Ruehlig]

I don't know a ton about CIFS, but is Michael a user CIFS performs actions as, or just somethign used to login to CIFS. maybe write some files with that user and show the permissions with 'ls -l'
Sounds like you did the "syncthing" group add correctly, can you show 'ls -l' for the folder syncthing and mineos folder that you are trying to write to from CIFS?

As for Mineos ignoring you, yeah most programs work that way. they write files with permissions they prefer and don't inherit this from their parents directory. So even if you make the folder group / other writable, files written there might not necessarily be. Some programs like sabnzbd/transmission have settings to write files with different levels.
I don't know much about wnidows ACLs, enabling those only adds additional restrictions and would making writing more difficult.

 

[mike360x1]

Could you elaborate on what you mean by

but is Michael a user CIFS performs actions as, or just somethign used to login to CIFS.

I use the user "Michael" to login to the CIFS share so I can modify files.

As for the ls -l output for syncthing, I don't have any files within the share to output with but here is what I have with the dataset:

Code:

drwxrwx--- 3 syncthing syncthing 3 Jun 29 20:54 media

Odd, because looking at this, I should have permissions to read the share right? I also changed the primary group of the user "Michael" to syncthing and that didn't work either.

and for simple comparison sake I used the same relative directory.

Code:

drwxrwx--- 7 minecraft minecraft 7 Jun 29 19:47 media 

Note: I linked the storage of both plugins to the media folder within their respective jails.

Both of these guys are the exact same. Yet I can still write to one of them.

So, is it safe to assume that it isn't recognizing "Michael" As a member of "syncthing"?

I also did some further experimenting and used chown to see what kind of permissions Syncthing spits out.

Code:

 
drwxrwx--- 2 syncthing syncthing 2 Jun 29 22:37 With_Chown
drwxrwx--- 2 syncthing syncthing 2 Jun 29 20:54 Without_Chown

They seem identical...but I guess that's to be expected.

I'm not sure where I should go from here.

 

[Joshua Parker Ruehlig]

can you try the following in those folders

Code:

su Micahel
touch test

 

[mike360x1]

So, heres the output of the commands when ran using SSH.

Code:

[root@TankBox] /mnt/Default/JailStore/MineOS# su Michael
Michael@TankBox:/mnt/Default/JailStore/MineOS % touch test
Michael@TankBox:/mnt/Default/JailStore/MineOS % exit
exit
[root@TankBox] /mnt/Default/JailStore/MineOS# cd ..
[root@TankBox] /mnt/Default/JailStore# cd Syncthing
[root@TankBox] /mnt/Default/JailStore/Syncthing# su Michael
Michael@TankBox:/mnt/Default/JailStore/Syncthing % touch test
Michael@TankBox:/mnt/Default/JailStore/Syncthing % exit
exit

There is no text returned from the command. Does that mean that it does not have access?

 

[Joshua Parker Ruehlig]

So, heres the output of the commands when ran using SSH.

Code:

[root@TankBox] /mnt/Default/JailStore/MineOS# su Michael
Michael@TankBox:/mnt/Default/JailStore/MineOS % touch test
Michael@TankBox:/mnt/Default/JailStore/MineOS % exit
exit
[root@TankBox] /mnt/Default/JailStore/MineOS# cd ..
[root@TankBox] /mnt/Default/JailStore# cd Syncthing
[root@TankBox] /mnt/Default/JailStore/Syncthing# su Michael
Michael@TankBox:/mnt/Default/JailStore/Syncthing % touch test
Michael@TankBox:/mnt/Default/JailStore/Syncthing % exit
exit

There is no text returned from the command. Does that mean that it does not have access?

I think that means it worked. an 'ls -l' would show is test got written.

So, as I said earlier, I don't know much about CIFS. But, is there a chance the user you login to CIFS with, isn't actually the user it manipulated files with? This is why I suggested the Aux parameter earlier. I know i setup CIFS login users that didn't actually exists as user on the system, just as part of CIFS authentication layer.

 

[mike360x1]

I think that means it worked. an 'ls -l' would show is test got written.

So, as I said earlier, I don't know much about CIFS. But, is there a chance the user you login to CIFS with, isn't actually the user it manipulated files with? This is why I suggested the Aux parameter earlier. I know i setup CIFS login users that didn't actually exists as user on the system, just as part of CIFS authentication layer.

Hmm, Interesting, thank you for that insight.

I input the parameters "force user = minecraft" and "force group = minecraft" and for all other plugins with their respective names.

And something strange pops up. I setup separate shares for each plugin Storage and try to access them with CIFS.

-The Share for MineOS is unavailable because I don't have permission.
-The share for Syncthing is available now and I have unrestricted r/w access
-The share for Transmission is unavailable because I don't have permission.
However, If I access the CIFS share that I setup before, (the folder that houses these 3 Datasets.)
-MineOS is accessable with unrestricted r/w permissions
-Syncthing is accessable with only the root of that folder readable (any folders within it cannot be read - permission denied)
-Transmission is inaccessible because I don't have permissions.

What is your take on this?

 

[Joshua Parker Ruehlig]

Hmm, Interesting, thank you for that insight.

I input the parameters "force user = minecraft" and "force group = minecraft" and for all other plugins with their respective names.

And something strange pops up. I setup separate shares for each plugin Storage and try to access them with CIFS.

-The Share for MineOS is unavailable because I don't have permission.
-The share for Syncthing is available now and I have unrestricted r/w access
-The share for Transmission is unavailable because I don't have permission.
However, If I access the CIFS share that I setup before, (the folder that houses these 3 Datasets.)
-MineOS is accessable with unrestricted r/w permissions
-Syncthing is accessable with only the root of that folder readable (any folders within it cannot be read - permission denied)
-Transmission is inaccessible because I don't have permissions.

What is your take on this?

https://forums.freenas.org/index.ph...plugins-write-permissions-to-your-data.27273/

the force user, should map to a user existing in the freenas webui. which has no connection to plugin name.
It just so happens that you created a syncthing user, with the same UID as the user syncthing uses.
for transmission plugins, CIFS probably thinks you're crazy because those users don't exist in its world.
for mineos, you are mapping to UID 198. what user did you login to mineos as?

 

[mike360x1]

I logged in as user: "minecraft" I know its a terrible name and it was made without much thought.
user: minecraft UID is 198. Note: I also did my tests with user: mcserver as well which was UID 199

I also did a touch test for a few locations:

Note: JailStore is the directory I keep all my plugin storage.

Jailstore: Pass
JailStore\Syncthing: Pass
JailStore\Syncthing\Michael: Permission Denied (Strange how I could still access it via share as noted above)
Jailstore\MineOS: Pass
Jailstore\Transmission: Permission Denied.

Just for reference, this is a picture of my CIFS situation.
It is a puu.sh link.

 

[Joshua Parker Ruehlig]

well, Unix permission are working as expected from the commandline. Michael can write as expected.

Im not sure if I can help much since it seems the issue is related to CIFS. maybe the sharing section would have ideas?

 

[Joshua Parker Ruehlig]

well, Unix permission are working as expected from the commandline. Michael can write as expected.

Im not sure if I can help much since it seems the issue is related to CIFS. maybe the sharing section would have ideas?

 

[mike360x1]

Will do, thanks for your help. :D

 

[mike360x1]

So, sorry to come back to this, I just have one last question related to Plugins.

How do I set MineOS plugin to make files with only R/W permissions for Owner and Group and nothing for "Other"?

 

[Joshua Parker Ruehlig]

So, sorry to come back to this, I just have one last question related to Plugins.

How do I set MineOS plugin to make files with only R/W permissions for Owner and Group and nothing for "Other"?

There's no explicit setting for this like in sabnzbd/transmission. MineOS might respect the parent directory it is writing to, or you might be able to change this by editing /usr/local/etc/rc.d/mineos and using umask. I'd test the parent directory theory, then ask on the mineos forum, then play around with umask.