Permission to cry?

Status
Not open for further replies.

masonpharmd

Cadet
Joined
Jun 28, 2017
Messages
4
OK, so I am by no means technically illiterate; however, I feel like an absolute moron trying to get something really simple going.
For experimental purposes I managed to get FreeNAS 9.10 up and running (easy since it self installs).
I also managed to create a 3-disk RAIDZ volume, a dataset and SMB shares that allowed Windows clients to read and write to folders on the share AND allowed a FreeBSD application to read and write to the same share. As well, I even managed to use Init/shutdown scripts and cron jobs to call the application to do certain things, like make sure it gets restarted if it stops for some reason. I probably lucked into getting it all running, but anyhow I felt like I understood permissions well enough that I did it.

Mistake 1 - For some reason I decided that I wanted to build in some fault tolerance and created a new RAIDZ1 volume with an SSD cache disk. I can't recall if I manually deleted the datasets and shares or if they were deleted when I released the volume and created a new one.

Mistake 2 - Also, for some reason I didn't document the permissions granted, as I arrogantly thought I would just figure it out again.

So now I bow at the feet of men wiser than I, begging for some help, as clients can read and write BUT the application cannot.

Some details ---
System Information
Hostname freenas.local
Build FreeNAS-9.10.2-U5 (561f0d7a1)
Platform Intel(R) Core(TM) i3-6100 CPU @ 3.70GHz
Memory 16035MB
System Time Wed Jun 28 21:30:09 EDT 2017
Uptime 9:30PM up 22:30, 0 users
Load Average 0.11, 0.17, 0.16

I have a volume created called nas1
with permissions set in the gui for
/mnt/nas1
owned by user - nobody
owned by group - nogroup
owner can R/W/E
group can R/W/E
other can R/E
Permission type set to Windows

I have a dataset called dataset1
with permissions set in the gui for
/mnt/nas1/dataset1
owned by user - nobody
owned by group - nogroup
owner can R/W/E
group can R/W/E
other can R/E
Permission type set to Windows

I have a SMB Share called dataset1
with configuration for
path /mnt/nas1/dataset1
name dataset1
boxes checked for
Apply default permissions
browsable to network clients
allow guest access

SMB settings config as
netbios name - freenas
workgroup - workgroup
guest account - nobody
allow empty password - box checked
allow execute always - box checked
obey pam restrictions - box checked

And by looking at the running processes by using the display system processes tool within FreeNAS I see that root is the user who is running the application called application1.
So what this application needs to be allowed to do is view a file called application1.conf and read the contents to know which folders to create daughter folders and write data to them.
This application was doing just that within the previous volumes without being an official sanctioned plugin within a jail.

I know I have very limited understanding of FreeBSD permissions, but I would expect that if it is owned by no user or group it would allow an elevated user root to be able to see/modify the same folders and files as the Windows (and Chromebook) clients.

Thanks in advance for anyone who put thought into this enough to not flame me.

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
This application was doing just that within the previous volumes without being an official sanctioned plugin within a jail.
But was it in a jail or was it a somewhat hacky precompiled executable?

As for the SMB part of the problem, check out the permissions videos in the Resources section. Look out for the cheesy padlock icon shamelessly taken from a publicly available font and poorly colored bright yellow during a moment of boredom. (Don't blame @m0nkey for that, I added the icon)
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749
You are in good hands with @Ericloewe, but reading your post I got one of my eyebrows going up ... why set your share public if you can create a user to run your application and own it? I do that to bypass some idiosyncrasies on applications that require the directory to be owned by http - created an Apache user that maps it for the application to use.
 

masonpharmd

Thanks for the replies. Here are some of the answers to questions posed minus any snark.
The application is not within a jail. It is a file that resides within the folder at /mnt/nas1/datashare1 that can be executed from putty or with cron jobs, etc.
It listens for a predetermined input data stream from a predetermined network device and looks at the .conf file mentioned previously for a write path and writes files into child folders. I guess you could say it's a precompiled hacky thing, as I didn't write the code and compile it.

I didn't explicitly create the user root; I believe it exists to run and admin FreeNAS. I assume that the developer who compiled the application may have given it ownership already. I assume that if assigned a user on one system, the ownership travels to the new system if copied to said new system. I considered using chmod to reassign the application to be owned by nobody, but hesitated as I wondered if it may need root permissions for using a resource that FreeBSD deems as root is necessary to use.

As for why this share will be public: this is just one share of the NAS and will not have any sensitive data within, and it needs to be shared within my entire house (LAN). The application needs to be able to write in real time and have clients (Windows, Chromebook, Mac, Android, and possibly iOS devices) access that data simultaneously. The other shares that I will be creating will be more or less backups or individual family members' secure storage and will have single users assigned to them.
 

Ericloewe

I always wondered who did that, because I've never been able to change it.
You can't? That's weird, I'll have to look into it. In the meantime, PM me whatever image you'd like to use.
 

masonpharmd

Viewing permissions with ls -l for the file.conf reveals
-rwx rwx r-x+ 1 nobody nogroup
and for the executable file
the same
-rwx rwx r-x+ 1 nobody nogroup
and for the folder they reside in
drwx rwx r-x+ 2 nobody nogroup


So from what I understand these permissions would allow user nobody and group nogroup and users and groups outside of those execute access only.
For the executable file that would be okay as I could ssh in and tell it to run or a script or automated command could make it run.

I figured I would try to just use chmod to set permissions within shell but operation is not permitted per the output when I
use chmod 776 file.conf
and I tried sudo chmod 776 file.conf also not permitted.

But the interesting thing to me is if nobody and nogroup are "universal" wouldn't root be a user within the universe?
thus the first two permissions clusters would apply.

And then as well the SMB setting of apply Default permissions would be rwx for nobody and rwx for nogroup. If root is in the universe it should still be allowed to read file.conf and write to the directory.

Is there a way that I could apply 777 permissions to the folder and contents within the share for all clients and allow a process the same 777 permissions in that share?
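
Added example (not part of the thread and not written by any poster): a small shell function that reads an `ls -l` mode string such as the ones quoted in the post above and reports which classic UNIX permission class (owner, group, other) applies to a given user, with root handled as the superuser. A trailing `+` means an ACL is attached; the function only reports that and does not evaluate the ACL. The user `alice` and group `staff` are hypothetical.

```shell
#!/bin/sh
# Added example: classic UNIX mode-bit evaluation for an `ls -l` mode string.
# explain_mode MODE OWNER GROUP USER "USER_GROUPS"
# Prints CLASS:BITS:ACL, for example other:r-x:acl
explain_mode() {
    mode=$(printf '%s' "$1" | tr -d ' ')   # the post typed the string with spaces
    owner=$2 group=$3 user=$4 user_groups=$5

    acl=noacl
    case $mode in
        *+) acl=acl; mode=${mode%+} ;;     # trailing + : an ACL is attached
    esac
    [ "${#mode}" -eq 10 ] || { echo "bad mode string: $1" >&2; return 2; }

    u_bits=$(printf '%s' "$mode" | cut -c2-4)    # owner triplet
    g_bits=$(printf '%s' "$mode" | cut -c5-7)    # group triplet
    o_bits=$(printf '%s' "$mode" | cut -c8-10)   # other triplet

    if [ "$user" = root ]; then
        # The superuser bypasses read/write checks. Executing a regular
        # file still needs at least one execute bit somewhere in the mode.
        class=superuser
        case $mode in
            d*|*[xst]*) bits=rwx ;;
            *)          bits=rw- ;;
        esac
    elif [ "$user" = "$owner" ]; then
        # Classes are exclusive: the owner gets the owner triplet even
        # when the group or other triplet would grant more.
        class=owner bits=$u_bits
    else
        class=other bits=$o_bits
        for g in $user_groups; do
            if [ "$g" = "$group" ]; then class=group bits=$g_bits; fi
        done
    fi
    printf '%s:%s:%s\n' "$class" "$bits" "$acl"
}

# Mode strings and owner/group as quoted in the post; alice/staff are made up.
explain_mode "-rwx rwx r-x+" nobody nogroup nobody nogroup
explain_mode "-rwx rwx r-x+" nobody nogroup alice staff
explain_mode "-rwx rwx r-x+" nobody nogroup root wheel
explain_mode "drwx rwx r-x+" nobody nogroup root wheel
```
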
 

melloa

Usually I set my share permissions via the dataset using the GUI, by selecting the dataset, clicking the Change Permissions icon, and setting the user/group/right/recursive there as needed.
 

melloa

I don't make any changes on the samba share creation. Set default permissions box is checked by default. Captured some screens, attached below.
 

Attachments

  • samba rights.pdf