SOLVED Resilio Sync - user permissions

bar17

Dabbler
Joined
Oct 24, 2019
Messages
33
**Updates
This thread helps someone access a dataset with user "nobody" and a group name of your choice, with permissions 770, from multiple jails that are each a part of the same group.
**End updates

I am trying to have the jail rslsync 11.2-RELEASE-p15, configured via plugin, mount and read/write to dataset tank1/ds1/resilio.

I have:
  • Installed Resilio Sync with defaults using the plugin.
  • Created a user and group both named resilio with GID and UID 817.
  • Created a dataset tank1/ds1/resilio/ with owner bar and group resilio_backup.
  • I added the auxiliary group resilio_backup to user rslsync.
  • I have mounted the FreeNAS source dataset /mnt/tank1/ds1/resilio to the jail's destination /mnt/tank1/iocage/jails/rslsync/root/data.
  • The dataset is default share type Unix and ACL type Unix.
When I navigate to the Resilio sync web UI and add the folder to /root/data/new_folder I get the error "don't have permissions to write to the selected folder".

I was able to fix this by changing the owner of the dataset tank1/ds1/resilio/ to rslsync.

I suppose I could live with this, however I am not sure why it is necessary. The group resilio_backup should be sufficient, should it not? The dataset tank1/ds1/resilio/ has all 3 permission boxes checked for both user and group (not for other).

A few other things. I am using share type and ACL type Unix. Does anyone have any recommendations regarding dataset Share and ACL types for Unix vs Windows? My environment is all Windows computers and the FreeNAS, however I do plan on having a few Linux bhyve VMs that will also have access to some SMB and/or Resilio Sync shares.

Some websites I have found with this/similar problems mention logging into the jail's machine and adding a group resilio_backup to the rslsync user. I have not yet tried this because it seems a little bit hacky and I am not 100% comfortable reversing it. It also doesn't make sense. If the user is part of the group that has permissions on the FreeNAS, why can't it write to the folder?

So, to summarize my question(s):

Why can't the jail's installation user rslsync write to the FreeNAS dataset that is owned by the group resilio_backup when the FreeNAS user rslsync has the auxiliary group resilio_backup added?

Additionally, is there a better way I should be doing this using ACL and/or sharetype Windows for some reason?

Any help appreciated.
 

bar17

Dabbler
Joined
Oct 24, 2019
Messages
33
I figured it out.

If you have a dataset with owner nobody and group jails_shared_group and you want multiple jails to have access to the same dataset then you must give each jail access to the dataset.

Here is the post that helped me the most: https://www.ixsystems.com/community/threads/share-dataset-between-two-jails.16591/post-85452

I used a slightly different command to add my jail's user to the group I wanted, as seen at these links:


Finally, what I did.

As explained above, I have a dataset with a group name, let's say jails_shared_group. I had to create this group and I gave it the gid of "1004".
I also have a jail for Resilio Sync, and the plugin automatically creates the username and group inside the jail called rslsync:rslsync with uid and gid 817.
Then, using the FreeNAS web UI, I created the user and group rslsync with uid/gid 817.
Then, I navigated in the web UI to "Jails" and in the options selected "Shell". Here I issued 2 commands:

Code:
# This command uses the program "pw" to add the group with gid 1004 and name jails_shared_group to the system
pw groupadd -g 1004 -n jails_shared_group

# This command adds the user that was auto-created by the plugin, rslsync, to the newly created group above.
pw groupmod jails_shared_group -m rslsync


It did not work until I stopped and restarted the jail. I did not reboot the server.

I used the -m command instead of -G as Dusan recommended because I felt it was safer after reading the cyberciti post discussing changes to user groups in FreeBSD linked above. However, I have a feeling they both arrive at the same endpoint.

In summary, if you want to give a dataset with permissions 770 read/write access to multiple jails/users/groups then the user accessing the dataset needs to belong to the group both on the FreeNAS system as well as in the jail.
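
The condition this thread arrives at, as an added example that is not part of any post: a dataset with mode 770 is writable from a jail only when the jail's own passwd and group files give the service user the dataset's numeric GID. The file contents are constructed samples using the thread's names and IDs (rslsync, 817, jails_shared_group, 1004), and `member_of_gid`, `make_sample` and `report` are hypothetical helper names.

```shell
#!/bin/sh
# Added example; file contents are constructed samples, helper names are hypothetical.

# member_of_gid GROUPFILE PASSWDFILE USER GID
# Exit 0 if USER holds GID as primary group (passwd field 4) or is listed
# as a member of the group with that GID (group field 4); exit 1 otherwise.
member_of_gid() {
    groupfile=$1; passwdfile=$2; user=$3; gid=$4
    if awk -F: -v u="$user" -v g="$gid" \
        '$1 == u && $4 == g { found = 1 } END { exit !found }' "$passwdfile"
    then
        return 0
    fi
    awk -F: -v u="$user" -v g="$gid" '
        $3 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit !found }' "$groupfile"
}

# make_sample DIR: write constructed jail files using the thread's names/IDs.
make_sample() {
    printf 'rslsync:*:817:817:Resilio Sync:/nonexistent:/usr/sbin/nologin\n' > "$1/passwd"
    # Jail as the plugin creates it: no group with GID 1004 inside the jail.
    printf 'rslsync:*:817:\n' > "$1/group.before"
    # Jail after pw groupadd / pw groupmod -m have been run in its shell.
    printf 'rslsync:*:817:\njails_shared_group:*:1004:rslsync\n' > "$1/group.after"
}

# report LABEL GROUPFILE PASSWDFILE: print whether rslsync can use GID 1004.
report() {
    if member_of_gid "$2" "$3" rslsync 1004; then
        echo "$1: rslsync holds GID 1004, group bits of mode 770 apply"
    else
        echo "$1: rslsync lacks GID 1004, access falls to 'other' (denied)"
    fi
}

dir=$(mktemp -d) || exit 1
make_sample "$dir"
report "before" "$dir/group.before" "$dir/passwd"
report "after"  "$dir/group.after"  "$dir/passwd"
rm -rf "$dir"
```

Inside a real jail the same function can be pointed at /etc/group and /etc/passwd; on the FreeNAS host the matching check is that the dataset's group carries the same numeric GID.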
 

bar17

Dabbler
Joined
Oct 24, 2019
Messages
33
I decided to rename my group to a more general name and created a new group on the FreeNAS machine and in the local jail's instance. I redid the above commands to make a new group and add the user to the group.

Then to remove the user from the group and delete the group I did:

Code:
pw groupmod jails_shared_group -d rslsync
pw groupdel -g 1004


I probably could have used pw groupdel -n jails_shared_group as well.
 

bar17

Dabbler
Joined
Oct 24, 2019
Messages
33
In case anyone is reading this, I have devised a better system, IMO, for managing various folders across the system with multiple users and services.

I have given every dataset (which in my mind are the categories I care about) a unique group name, owned by nobody.
I then have a username for every user, myself, my wife, my media PC, etc. I also have usernames for services, like rslsync.

Then, I add the groups/datasets that I want each person/service to have access to individually. So most users have multiple auxiliary groups added. This does mean that my rslsync user has to have multiple groups as well, and using the above command in the command line for the Resilio Sync jail I created 8 groups and added all 8.

This may seem like more work, but it gives much more granularity. The downside is that each time I add a new dataset I will have to add that dataset's unique group to every user and service individually.
 

StanTheMa

Dabbler
Joined
Jun 30, 2020
Messages
13
Yeah bar, sounds like a good use of groups. I'm trying to see if I can serve the management web GUI of rslsync via my TrueNAS reverse proxy. The rev proxy is the config Samuel Dowling wrote up really well for Nextcloud. Early days yet..
 