Synchronized Permissions?

Status
Not open for further replies.

tedrock

Dabbler
Joined
Oct 9, 2013
Messages
14
I have sabnzbd, sickbeard, couchpotato, etc. all set up using the new 9.1 jail system and they all work wonderfully except for one issue... For them to access my downloads folder or my media folders I have to give Other full access and I really don't want to do this.

Is there an account or group these plugins all have in common I can give access to? I'm willing to manually go into each jail and add a group to whatever user each one uses if I have to (If I gotta do this I wouldn't mind some help to easily figure out what user they are using).

How do you guys use your jailed plugins without having to give Other full read/write access to everything?
 

dlavigne

Guest
Unfortunately each service creates its own user/group. I imagine one could create a custom group, add those users to that group, and make that group the owner of the media folders. This should eliminate the need to open up others.
 

ThomasDK81

Dabbler
Joined
Mar 19, 2012
Messages
49
> Unfortunately each service creates its own user/group. I imagine one could create a custom group, add those users to that group, and make that group the owner of the media folders. This should eliminate the need to open up others.

That's how I did it. Works nicely :)
 

tedrock

Dabbler
Joined
Oct 9, 2013
Messages
14
> That's how I did it. Works nicely :)


Could you elaborate on what you did? What users did you create? Did their user id matter?

I made the users:
_sabnzbd (For sabnzbd)
media (For couchpotato)
_sickbeard (For sickbeard)
And put them all in the same group.
I made that the group owner of my media dataset (changed the permissions recursively).
Removed all permissions for Other.
SickBeard now fails to create any folders in the dataset; giving Other full permission resolves this.
 

ThomasDK81

Dabbler
Joined
Mar 19, 2012
Messages
49
The plugins created their users, I didn't change any of them.
I did create the same users in FreeNAS, with the same uid, for my own visual satisfaction.
I made a group in each jail called media and added the user the plugin created to the media group.
I created the group in FreeNAS, for the same reason as the users. It's easier to remember which group it is when it's media instead of the id (40001).

The files the plugins are creating are owned by their user and the media group.
If this isn't the case for you, maybe it would help to chmod the dir with g+s. This forces new files and folders to be the same group as the parent (the one you chmod g+s).

Try and check the owner/group of the sickbeard files.
You can also check if the sickbeard user is a member of the right group. #id _sickbeard
 

tedrock

Dabbler
Joined
Oct 9, 2013
Messages
14
I created a group in FreeNAS called Application.
I created a user called _sickbeard in FreeNAS and gave it the same uid as the user in the jail (1003) and set the primary group as Application.
I created an Application group in the sickbeard jail.
I added the user _sickbeard to the group in the jail (id _sickbeard confirms this).
I set the group owner of the dataset to Application recursively.
Sickbeard still does not have read/write/execute access unless I give access to Other.

I used pw to create the group and modify the users.
pw groupadd Application
pw groupmod Application -M _sickbeard
 

tedrock

Dabbler
Joined
Oct 9, 2013
Messages
14
I tested and changed the owner of the Media dataset to "_sickbeard"* and gave Group and Other no access, and that works: SickBeard has full access, so the user seems to be working. It's something wrong with the group setup.

*When I set the Owner to "_sickbeard" and save, it changes the owner to "media" (couchpotato user) but I assume this happens because they both have the same uid.

I did id on _sickbeard outside and inside the jail and I don't see any problems.
[root@freenas ~]# id _sickbeard
uid=1003(_sickbeard) gid=1002(Application) groups=1002(Application),1004(media))

root@sickbeard_1:/ # id _sickbeard
uid=1003(_sickbeard) gid=1003(_sickbeard) groups=1003(_sickbeard),1002(Application),1004(media)

The gid is different but I would believe as long as _sickbeard is in the Application group it should be ok. As a test I even changed the gid for the jailed user and SickBeard still cannot write to my media Dataset unless I give Other full access.
 

Antioch18

Explorer
Joined
Jun 29, 2012
Messages
55
You need to make sure that the user is configured exactly the same in both the FreeNAS environment and the Jail environment.

Here's how I'm set up, for example:

FreeNAS Environment:
user: _sabnzbd uid: 350
group: media gid: 1001

Jail:
user: _sabnzbd uid: 350
group: media, _sabnzbd gid: 1001, 350

Folder on FreeNAS:
drwxrwxr-x 129 myaccnt media 129 Oct 12 18:32 media/

Depending on how you've used the pw groupmod/usermod commands you could have inadvertently overwritten the membership for your media group.

Try "cat /etc/group" from the shell in both environments and make sure that the users in question appear in the necessary groups.
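
A scripted version of the check suggested above, added here as an example and not part of any poster's reply: it compares a group's numeric gid and member list between copies of /etc/group from the host and from a jail, since file permissions are matched on numeric ids rather than names. The function names and the sample file contents are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Compares one group's numeric gid and member list between
# copies of /etc/group from the host and from a jail. Only the member list
# (field 4) is checked; a user's primary group lives in /etc/passwd.

# gid_of GROUP FILE: print the group's numeric gid (empty if absent)
gid_of() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2"
}

# is_member USER GROUP FILE: succeed if USER is listed in GROUP
is_member() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$3"
}

# check_group USER GROUP HOSTFILE JAILFILE: print a one-line verdict
check_group() {
    hg=$(gid_of "$2" "$3"); jg=$(gid_of "$2" "$4")
    if [ -z "$hg" ] || [ -z "$jg" ]; then
        echo "MISSING: $2 is not defined on both sides"
    elif [ "$hg" != "$jg" ]; then
        echo "GID_MISMATCH: $2 is gid $hg on host, $jg in jail"
    elif ! is_member "$1" "$2" "$4"; then
        echo "NOT_MEMBER: $1 is not in $2 inside the jail"
    else
        echo "OK: $1 is in $2 (gid $hg) on both sides"
    fi
}

# Constructed sample files (hypothetical contents, not from the thread).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'wheel:*:0:root\nmedia:*:1001:myaccnt,_sabnzbd\n' > "$tmp/host.group"
printf 'media:*:1001:_sabnzbd\n_sabnzbd:*:350:\n' > "$tmp/jail_ok.group"
# Same group name created in the jail with whatever gid was free:
printf 'media:*:1002:_sabnzbd\n' > "$tmp/jail_gid.group"
# Member list replaced, so the service user dropped out of the group:
printf 'media:*:1001:otheruser\n' > "$tmp/jail_lost.group"

for j in jail_ok jail_gid jail_lost; do
    check_group _sabnzbd media "$tmp/host.group" "$tmp/$j.group"
done
```

To use it on a real system, save the output of `cat /etc/group` from each environment to a file and pass the two paths to `check_group`.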
 