Dataset Permission type, ACL, & plugin permissions

Status
Not open for further replies.

carleycr

Patron
Joined
May 2, 2014
Messages
233
A few years back I set up FreeNAS for a home media server. I created a parent dataset (Vol1) with permission type Unix. I then created a child dataset (media) with permission type Windows. I believe the only reason I chose Windows for the media dataset was so I could access the dataset share from my Windows 7 PC and my Mac. I created a CIFS share (for Windows access) that pointed to this dataset. The CIFS share has "Apply Default Permissions" checked. I also created an NFS share (for Mac access). I have a media user and group that has full access to these shares so that the plugins can read/write to the media dataset. I also have one user that has full access to the media dataset shares. Everything was working great. I then started updating FreeNAS and plugins, and eventually post-processing stopped working. Yesterday I re-set up SAB, SickRage, and Transmission. I'm now receiving an error in SAB saying it can't change permissions in a specific folder on the media dataset. The permissions are set to 777 in SAB, but my understanding is that doesn't matter because of the permission type on the media dataset.

What I'd like to know is: what are the risks of changing the dataset permission type? I've read that just changing it in the GUI will not work and that I'd have to do this via the command line. How would I go about this? Why would I want to change the permission type to Unix? Will I still have access to the share(s) from both PC and Mac? Am I missing anything to be cautious or aware of?

Sorry for the long post and thanks in advance.
 
Joined
Jan 7, 2015
Messages
1,155
I always set permissions UNIX style. I never have FreeNAS apply default permissions; I like to do it manually. I remember some years ago, when I still had Windows machines, that something wonky was going on with ACL permissions and ridding the system of them was tricky. I struggle to remember exactly because my brain is clogged with malted hops and bong resin, but I can say this: my work laptop still runs a Windows partition, and even though all my permissions are UNIX style, set manually at a dataset level, I have no issues whatever accessing these shares. Now, all that said, the risks? I think as long as you have strong passwords and such, and decent firewalling, there shouldn't be any risks in one or the other. What you really need to watch out for is that none of the files that need to be owned by root get changed, for instance jail/plugin files.

Avoiding these permission/plugin issues has been easy after you change the user that these plugins run as via the rc.conf file or via the corresponding rc.d script. Basically you want to have all the similar plugins installed manually in the same jail (not totally necessary, it just makes the mounting of storage simpler: mount storage to one jail instead of 6), then run the plugins as the user who owns the mounted dataset(s) in question. For instance, my main storage is owned by my main user JBD, so I have configured my software to run as JBD and not the defaults such as "_sabnzbd". Here is an example for you to rid yourself of these problems once and for all: my rc.conf from my "sab" jail. Location: /etc/rc.conf

Code:
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="sab"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
sabnzbd_enable="YES"
sabnzbd_user="JBD"
sabnzbd_group="media"
couchpotato_enable="YES"
couchpotato_user="JBD"
couchpotato_group="media"
sonarr_enable="YES"
sonarr_user="JBD"
sonarr_group="media"
headphones_enable="YES"
headphones_user="JBD"
headphones_group="media"


Now remember your user/group combo WILL be different, LOL.
The user might exist in FreeNAS, but most likely not in the JAIL. Running adduser in the JAIL via SSH can remedy this. Try to give the corresponding JAIL user the same UID/GID as the FreeNAS user who owns this data.
The program directories need to be owned by this user as well. Unless something is nutty in your config, these directories are usually all in /usr/local/*sabnzbd*. Sonarr likes to complain about JBD not owning the shared directory when you try to update from the web GUI, but I always use portmaster to do my updates anyhow. My /usr/local/* perms:

Code:
drwxr-xr-x   8 JBD  media   22 Dec 22 11:29 CouchPotatoServer/
drwxr-xr-x   3 root   wheel  630 Jan 31 23:05 bin/
drwxr-xr-x  15 root   wheel   29 Jan  2 19:45 etc/
drwxr-xr-x  10 JBD  media   28 Feb 10 00:13 headphones/
drwxr-xr-x  85 root   wheel  183 Jan 31 23:04 include/
drwxr-xr-x   2 root   wheel   50 Jan 31 23:04 info/
drwxr-xr-x  36 root   wheel  902 Jan 31 23:04 lib/
drwxr-xr-x   3 root   wheel    3 Jan  2 18:38 lib32/
drwxr-xr-x   5 root   wheel    5 Jan  2 18:38 libdata/
drwxr-xr-x   6 root   wheel    8 Jan 31 23:04 libexec/
drwxr-xr-x   7 root   wheel    7 Jan  2 19:31 llvm37/
drwxr-xr-x  27 root   wheel   28 Feb  4 04:15 man/
drwxr-xr-x   2 root   wheel    4 Jan 31 23:04 openssl/
drwxr-xr-x   5 JBD  media    7 Apr 12  2016 sabnzbd/
drwxr-xr-x   2 root   wheel   50 Jan  2 18:33 sbin/
drwxr-xr-x  52 root   wheel   52 Jan  2 19:46 share/
drwxr-xr-x   7 JBD  media   15 Feb  9 23:54 sonarr/
drwxr-xr-x   4 root   wheel    4 Nov 28 20:10 var/
drwxr-xr-x   4 root   wheel    4 Jan  2 18:44 x86_64-portbld-freebsd10.3/


Now when a plugin wants to do things to the data it can without fail, because IT thinks it owns this data. Does this make sense? No more fiddling around getting plugins the proper perms and such, 777s, etc. My chosen software DOES NOT match yours, but the process is the same for all these types of software. The ever-master Joshua Parker has a post highlighting this on this very forum somewhere, and HERE is another great reference I refer my buddies to for doing this. It all works basically the same; your mileage will vary, users and whatnot.

This post sort of got away from me, but I hope this helps you. Good luck.
 

carleycr

Patron
Joined
May 2, 2014
Messages
233
I always set permissions UNIX style. I never have FreeNAS apply default permissions, I like to do it manually.
How do I set the dataset permissions manually? I think this is my first step before I attempt to update the data ownership within the dataset. Otherwise I'd have to create a new dataset with Unix permissions and copy TB of data to it from the old dataset. Would this method be a "safer" way to do it without potential command-line screw-ups?

What you really need to watch out for is that none of the files that need to be owned by root get changed, for instance jail/plugin files.
How do I avoid this? I'm nervous to do this manual setup as I don't want to really screw up my data and not be able to access it. I can take a snapshot, but I don't think that will provide a complete backup of data.

Basically you want to have all the similar plugins installed manually in the same jail (not totally necessary it just makes the mounting of storages simpler basically, mount storage to one jail instead of 6), then running the plugins as the user who owns the mounted dataset(s) in question.
I do currently have all plugins in the same jail, and have always had them in the same jail.

Avoiding these permission/plugin issues has been easy after you change the user that these plugins run as via the rc.conf file or via the corresponding rc.d.
Did you manually add the user/group lines in the rc.conf file? Is that what sysrc lines in your buddies blog are for? From what I can tell, I only have sabnzbd set as media user/group when I view the rc.conf file in my jail.


The user might exist in FreeNAS, but most likely not in the JAIL.
Before I add a user, is there a way I can list users in the jail? I would hate to add a user if it already exists.

The program directories need to be owned by this user as well. Unless something is nutty in your config, these directories are usually all in /usr/local/*sabnzbd*.
Are you referring to this path in the jail or in the FreeNAS root directory? How did you pull the permissions of the users/groups as you've done below?

Code:
drwxr-xr-x   8 JBD  media   22 Dec 22 11:29 CouchPotatoServer/
drwxr-xr-x   3 root   wheel  630 Jan 31 23:05 bin/
drwxr-xr-x  15 root   wheel   29 Jan  2 19:45 etc/
drwxr-xr-x  10 JBD  media   28 Feb 10 00:13 headphones/
drwxr-xr-x  85 root   wheel  183 Jan 31 23:04 include/
drwxr-xr-x   2 root   wheel   50 Jan 31 23:04 info/
drwxr-xr-x  36 root   wheel  902 Jan 31 23:04 lib/
drwxr-xr-x   3 root   wheel    3 Jan  2 18:38 lib32/
drwxr-xr-x   5 root   wheel    5 Jan  2 18:38 libdata/
drwxr-xr-x   6 root   wheel    8 Jan 31 23:04 libexec/
drwxr-xr-x   7 root   wheel    7 Jan  2 19:31 llvm37/
drwxr-xr-x  27 root   wheel   28 Feb  4 04:15 man/
drwxr-xr-x   2 root   wheel    4 Jan 31 23:04 openssl/
drwxr-xr-x   5 JBD  media    7 Apr 12  2016 sabnzbd/
drwxr-xr-x   2 root   wheel   50 Jan  2 18:33 sbin/
drwxr-xr-x  52 root   wheel   52 Jan  2 19:46 share/
drwxr-xr-x   7 JBD  media   15 Feb  9 23:54 sonarr/
drwxr-xr-x   4 root   wheel    4 Nov 28 20:10 var/
drwxr-xr-x   4 root   wheel    4 Jan  2 18:44 x86_64-portbld-freebsd10.3/
 
Joined
Jan 7, 2015
Messages
1,155
How do I set the dataset permissions manually? I think this is my first step before I attempt to update the data ownership within the dataset. Otherwise I'd have to create a new dataset with Unix permissions and copy TB of data to it from the old dataset. Would this method be a "safer" way to do it without potential command-line screw-ups?

First off, this can be done via the GUI. In the storage tab where the pools are listed, if you click the key at the bottom after the dataset is highlighted, the owner and permissions can be switched to whoever. For me this user is JBD. I say to be careful here, because if your jails dataset resides in the same pool and you go willy-nilly and switch the entire pool to this user recursively, it will also switch the jail's files to be owned by this user, or at least the bulk of them, and then you have opened up a can of worms. Jails won't start and you are basically screwed. So avoid this by going to each dataset that holds media or other files (documents, photos, whatever they may be) and change the permissions on ONLY THOSE DATASETS, one at a time. I think we are both dealing with media of sorts, so basically you can switch only the media datasets to this "JBD" user.

Alternatively, one user can own the root of the dataset, and then another user can own files that reside in this dataset. This would be done via SSH using the chown command. A simple example: "chown -R JBD:media /mnt/TANK/movies". I have done and do do it this way from time to time, but for the most part you can just use the GUI. It is the recommended and safest way. Chowning files comes in handy when you need to modify only one folder or file.

Did you manually add the user/group lines in the rc.conf file? Is that what sysrc lines in your buddies blog are for? From what I can tell, I only have sabnzbd set as media user/group when I view the rc.conf file in my jail.

Yes, I can add them manually using nano, but sysrc does the same thing. If it makes sense for you to use media as the user on all plugins that are dealing with media, that is totally fine. In my case my user is JBD, but for you it can be anything.

Before I add a user, is there a way I can list users in the jail? I would hate to add a user if it already exists.

The system would certainly tell you if you try to add a user that already exists. The easy way to see what users you already have in any *nix system is cat /etc/passwd.

Are you referring to this path in the jail or in the FreeNAS root directory? How did you pull the permissions of the users/groups as you've done below?

This path is within the jail. Use jexec to get into the jail in question. For example: find the jail number by doing jls, then, using YOUR jail number (or simply the jail name), run jexec 1 csh. So once in your SAB jail, do cd /usr/local, then simply do
Code:
ll
and you will get a printout like I have shown. Then, as I stated before, this is where chown comes in handy, because we only want to do one or a few directories and not everything. For the directories that correspond to your plugins you would do (EXAMPLE, yours will vary) chown -R media:media sabnzbd/; your chosen user/group will possibly vary. Repeat for each plugin that you want to run as this user. In the end, running ll again will produce a similar printout to the one I have shown, where your plugin directories will be owned by the user that the plugin is running as. Now when you start all the plugins, they will start and run as this user. Example: service sabnzbd start. Repeat this command for each program. If there are any hiccups or things fail to start, this is where you will find out about it. The programs might complain about who knows what, but if done as I have highlighted, everything will start with no problems. You can check that this is the case by running top to verify it.

Make sure the datasets in question are added as storage to this jail in the FreeNAS GUI. I mount things to "/media" or "/mnt" personally. Now whenever these programs want to access data, whether they read, write, move, or execute, there are no more problems, because the programs own all the data in question. One last thing: when you do mount this storage to the jail, tick the box that asks if directories should be created. For example, I mount my movies to sab's media jail like this. Choose your main movie folder to mount to /media. In the GUI storage section, when you mount, choose /mnt/TANK/movies as source and /media as destination, with the create directory option ticked, and the folder will be mounted automatically to /media/movies. Repeat for each dataset that you need mounted to the jail. Then they all file nicely into /media.

I hope this helps you. Sorry I have been out of town on business the last few days. Let me know if I can help you any further.
 
Last edited:

carleycr

Patron
Joined
May 2, 2014
Messages
233
Ok, so I'm pretty sure I have, and have had, everything set up according to what you've said. I should have mentioned that when I originally set all this up, I did follow Joshua Ruehlig's guide to set up plugins. It sounds like you may have done the same or something similar. I've taken some screenshots to show how it's currently set up. Note: I have the media user. Not sure what I'm missing. I even have the folders set to the media user for the dataset the jail is connected to.

Data pool/datasets structure
Media Dataset.png

Jail mounted dataset
Jail mounted Dataset.png

User ownership of folders within the dataset. All the media-related sub-folders such as downloads, incomplete, etc. have the media user as the owner.
Dataset folder users.png

Same from the jail
Plugin folder users.png
 
Joined
Jan 7, 2015
Messages
1,155
The plus signs mean they are all ACL permissions. I don't have any of those. For a Windows user I'm sure that is intended, although I'm unsure of the benefits or drawbacks of having it that way, as I'm 99.1% Unix based, but my Windows partition has no ill effect from having it this way; I have just used my FreeNAS creds when mounting my volumes in Windows 7. Basically ACL means that Windows controls the permissions, I believe, and frankly I wouldn't want Windows meddling in my BSD server. In fact I'd recommend you take those Windows boxes down to the harbor and toss them in; it's a tough pill to swallow, but IMHO Windows is for beginners, gamers and grandmas. I remember ACLs causing lots of issues for me and it was somewhat of a pain to get rid of them. I have all UNIX permissions. If things are not working and you have done everything as I and Joshua have said, then ACLs are almost certainly the issue.

If you want FreeNAS to do all the serving, downloading and such, the software is running on Unix but using Windows permissions, so seriously consider switching to UNIX-based permissions. The software is all Unix but is trying to use Windows permissions it doesn't understand. I'm no pro, but mine works and yours doesn't; main difference: Windows ACL perms.

I hope this helps you. Good luck!

remember some years ago when I did still have Windows machines that something wonky was going on with ACL permissions and to rid the system of them was tricky. I struggle to remember exactly because my brain is clogged with malted hops and bong resin, but I can say this; my work laptop still runs a Windows partition and even though all my permissions are UNIX style, set manually at a dataset level, I have no issues whatever accessing these shares.
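An added example, not from the thread, FreeNAS or any of the plugins: a small sh audit of the setup John Digital describes in his two replies above (the plugin user in rc.conf, a jail user with the same UID as the host, plugin directories under /usr/local owned by that user) which also flags the "+" ACL marker from the ll listing that he points out. The rc.conf, passwd files and listing are constructed inline; the UIDs and the transmission/couchpotato entries are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's own commands): audit the "run each plugin as
# the dataset owner" setup. Per plugin: rc.conf must name a user, that user must
# exist in the jail with the host's UID, the plugin's /usr/local directory (from
# a saved `ll` listing) must be owned by it, and must not carry an ACL ("+").
# Sample files are constructed below; UIDs, users and paths are assumptions.

# Third field (UID/GID) of NAME in a passwd/group file, empty if absent.
id_in() { awk -F: -v n="$2" '$1 == n { print $3 }' "$1"; }

# Column COL (1 = mode, 3 = owner) of the entry NAME/ in an `ls -l` listing.
col_in_listing() { awk -v d="$2/" -v c="$3" '$NF == d { print $c }' "$1"; }

# Value of KEY="VALUE" in rc.conf; the last definition wins, as with sysrc.
rc_value() { sed -n "s/^$2=\"\(.*\)\"/\1/p" "$1" | tail -n 1; }

# audit_plugin PLUGIN RCCONF HOST_PASSWD JAIL_PASSWD LISTING
# Prints every problem found; returns 0 only when the plugin is consistent.
audit_plugin() {
  plugin=$1; rcconf=$2; hostpw=$3; jailpw=$4; listing=$5; status=0
  user=$(rc_value "$rcconf" "${plugin}_user")
  if [ -z "$user" ]; then
    echo "$plugin: no ${plugin}_user in rc.conf, so it runs as the port default"
    return 1
  fi
  huid=$(id_in "$hostpw" "$user"); juid=$(id_in "$jailpw" "$user")
  if [ -z "$juid" ]; then
    echo "$plugin: user $user missing in the jail (adduser it with UID ${huid:-?})"; status=1
  elif [ "$huid" != "$juid" ]; then
    echo "$plugin: UID mismatch for $user: host=$huid jail=$juid"; status=1
  fi
  owner=$(col_in_listing "$listing" "$plugin" 3)
  if [ "$owner" != "$user" ]; then
    echo "$plugin: /usr/local/$plugin owned by ${owner:-unknown}, chown -R to $user"; status=1
  fi
  case $(col_in_listing "$listing" "$plugin" 1) in
    *+) echo "$plugin: /usr/local/$plugin has an ACL, not plain UNIX permissions"; status=1 ;;
  esac
  return $status
}

# Constructed samples: jail rc.conf, host and jail passwd, and an `ll` of /usr/local.
work=$(mktemp -d)
printf '%s\n' 'sabnzbd_user="JBD"' 'sabnzbd_group="media"' 'sonarr_user="JBD"' \
  'transmission_user="media"' 'headphones_user="JBD"' > "$work/rc.conf"
printf '%s\n' 'JBD:*:1001:1001::/home/JBD:/bin/csh' 'media:*:1002:1002::/nonexistent:/usr/sbin/nologin' > "$work/host.passwd"
printf '%s\n' 'JBD:*:1001:1001::/home/JBD:/bin/csh' 'media:*:1005:1002::/nonexistent:/usr/sbin/nologin' > "$work/jail.passwd"
printf '%s\n' 'drwxr-xr-x   5 JBD    media    7 Apr 12  2016 sabnzbd/' \
  'drwxr-xr-x   7 root   wheel   15 Feb  9 23:54 sonarr/' \
  'drwxr-xr-x   4 media  media    6 Feb 10 00:13 transmission/' \
  'drwxr-xr-x+ 10 JBD    media   28 Feb 10 00:13 headphones/' > "$work/ll.txt"

for p in sabnzbd sonarr transmission headphones couchpotato; do
  if audit_plugin "$p" "$work/rc.conf" "$work/host.passwd" "$work/jail.passwd" "$work/ll.txt"; then echo "$p: ok"; fi
done
```

On a real jail the inputs would be the jail's /etc/rc.conf and /etc/passwd, the host's /etc/passwd, and the output of ll in /usr/local saved to a file; only sabnzbd passes in the constructed sample.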
 

carleycr

Patron
Joined
May 2, 2014
Messages
233
@John Digital, thanks for your help thus far. I have a better understanding of what's going on. My next question is, how do I change everything over to Unix permissions? I believe I read somewhere on this forum that if I change my media dataset to Unix, it will only affect files written from then on, but will not change the existing ones. I think the only/easiest way to do this, correct me if I'm wrong, would be to create an entirely new dataset with the same owning user/group and set it as Unix permissions. Then, copy all data from my existing media dataset to the newly created dataset. If this is a recommended way, what would be the best approach from a time and server resource perspective? Maybe create a job? As you can see from my first screenshot, my dataset is approximately 4.3TB.

Thanks again for the help.
 
Joined
Jan 7, 2015
Messages
1,155
You can fix it, the ACL I mean. It's somewhat of a pain. Do some searching around on the subject. 4.3TB isn't impossibly large. Seems someone had a script that could batch remove ACLs, if memory serves. Look around and you will find a way. It's been several years since I've done it. Maybe it has gotten easier.
 