Error applying permissions after movie is imported in Radarr

[Mannekino]

I've been working on setting up Radarr and Jackett with Transmission yesterday and I got mostly everything working. I've run into some issues with changing the owner of the folder and files after a Torrent is completed and imported it into my "media" dataset.

To avoid being unnecessarily verbose I think I have everything pretty well setup with regard to my permissions but you need more information I can provide it. In the Radarr jail I mounted the dataset that contains my Transmission "completed downloads" folder and the dataset that contains my movies.

My movies folder is in a dataset that is also being shared through Samba and has a Windows ACL. I believe this prevents the command chmod to run. For example when I manually run this command on a file or folder I get permission denied, both as root and as the user that is actually the owner of the file or folder. For example:

Code:

root@freenas[/mnt/data/media/Entertainment/Movies]# chmod 770 <movie>
chmod: <movie>: Operation not permitted

When Radarr imports a completed movie from my Torrent client it does so with the radarr user. Here is an example of an import with the permissions gone wrong.

Code:

Unable to apply permissions to: /media/Movies/<movie>.mkv: Error setting file permissions: EPERM
NzbDrone.Mono.Disk.LinuxPermissionsException: Error setting file permissions: EPERM
  at NzbDrone.Mono.Disk.DiskProvider.SetPermissions (System.String path, System.String mask) [0x0003d] in <47becc8372a140968eab920ae2856bf6>:0
  at NzbDrone.Mono.Disk.DiskProvider.SetPermissions (System.String path, System.String mask, System.String user, System.String group) [0x00000] in <47becc8372a140968eab920ae2856bf6>:0
  at NzbDrone.Core.MediaFiles.MediaFileAttributeService.SetMonoPermissions (System.String path, System.String permissions) [0x0002d] in <b938542dd9a14cfc824f9cd70d8df65b>:0

Here is how the permissions look of the folder that was just imported.

Code:

root@freenas[/mnt/data/media/Entertainment/Movies]# getfacl <movie>
# file: <movie>
# owner: 352
# group: <group_1>
group:entertainment:r-x---a-R-c---:fd----I:allow
            group@:rwxpDdaARWcCo-:fd----I:allow
            owner@:rwxpDdaARWcCo-:fd----I:allow

The user 352 is the Radarr user. Now normally all the files in the movies folder are owned by user_1 and group_1 and I would like Radarr to change the user after it's done importing. This doesn't work as shown above. I believe this is due to Radarr trying to execute a chmod. Now I don't actually need Radarr to do this but only change the owner of the folder and files it copied but I can't leave the fields for the permission octals blank.

Does anyone have a solution for this, without resorting to some sort of cron job to change the owner of the files and folders? I could run Radarr as user_1 but I rather not do that. I only want to change the owner and the command chown does work properly.

 

[anodos]

Yeah, your intuition is correct. It's related to "windows permissions type". What I would do is as follows:
1) If your windows user is a member of group "windows_users", run the following command find /mnt/data/media/Entertainment/Movies -type d | setfacl -m g:"windows_users":full_set:fd:allow This will set an explicit inheriting ACE that grants "windows_users" full control on all directories inside the aforementioned path. This is important to ensure that the chmod from the jailed process does not impact access for your SMB clients.
2) If "Movies" is a ZFS dataset zfs set aclmode=passthrough media/Entertainment/Movies. Once the aclmode is "passthrough" chmod will work as expected.
The "windows_users" part is just an example. You don't need to actually create that group.

 

[Mannekino]

Ah, thank you so much. This is very interesting. I will try this out when I get home from work today.

The dataset itself is actually only /mnt/data/media. Inside that dataset I got the folders such as ./Entertainment/Movies and ./Entertainment/Series. So I assume the second command will only work on a dataset not a folder.

Right now the folders and files of the dataset are owned by my personal user and primary group which I called user_1 and group_1 in my opening post. I already added group_1 inside the Radarr jail and I made the radarr user a member of this group. So I could use this group for the setfacl command and then set the passthrough on the dataset.

That way the radarr user should be able to chmod inside the jail when it applies the permissions as part of te post-import script..

I will let you know if it works!

 

[Mannekino]

@anodos I tried what you suggested as follows, <group_1> is the group I mentioned earlier.

Code:

find /mnt/data/media -type d | setfacl -m g:"<group_1>":full_set:fd:allow
zfs set aclmode=passthrough data/media

I then created a Test folder through Windows explorer and this is the result of that. The other Movie folders are the same. The group entertainment is a group that should have read only rights.

Code:

root@freenas[/mnt/data/media/Entertainment/Movies]# getfacl Test
# file: Test
# owner: <user_1>
# group: <group_1>
        group:<group_1>:rwxpDdaARWcCos:fd----I:allow
group:entertainment:r-x---a-R-c---:fd----I:allow
            group@:rwxpDdaARWcCo-:fd----I:allow
            owner@:rwxpDdaARWcCo-:fd----I:allow

I then tested if the chmod command works and it did but the output of getfacl changed also. I did a chmod with the same octals already set.

Code:

root@freenas[/mnt/data/media/Entertainment/Movies]# chmod 0770 Test
root@freenas[/mnt/data/media/Entertainment/Movies]# getfacl Test
# file: Test
# owner: <user_1>
# group: <group_1>
        group:<group_1>:rwxpDdaARWcCos:fd----I:allow
group:entertainment:r-x---a-R-c---:fd----I:allow
            group@:rwxpDdaARWcCo-:fdi---I:allow
            owner@:rwxpDdaARWcCo-:fdi---I:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow

It adds a bunch of stuff and when I pull up the properties of this folder in Windows explorer I get an error/notification saying something like:

The permissions on Test aren't in the right order... some listings might not have an effect

When I view the advanced permissions I see this (I get a similar error/notification as mentioned above when I click on this). I redacted the names but it's <user_1> and <group_1>

Volledig beheer = Full control
Lezen en uitvoeren = Read and execute
Bovenliggend object = Parent object
Deze map = This map
Onderliggende mappen = Underlying folders
Alleen deze map = Only this folder
Iedereen = Everyone

What causes this behaviour when doing the chmod and would the same thing happen when Radarr executes a chmod? This doesn't seem quite right.

Also is it possible to revert back to the old ACL I had prior to executing the commands if I desire to do so?

 

[anodos]

That's somewhat expected behavior from chmod when there's an extended ACL granting permissions to owner@, group@. Let's try the following:
assuming you're going to set permissions for "Movies"

Code:

setfacl -b /mnt/data/media/Entertainment/Movies #strips the extended ACL entries
setfacl -m group:entertainment:rxaRc:fd:allow,group:<redacted_group>:full_set:fd:allow /mnt/data/media/Entertainment/Movies

Then repeat your test.

 

[Mannekino]

I'm going to continue tomorrow, I tried the above but its not working as expected.

Also I tried testing the import of another movie through Radarr and it still throws an error with setting permissions. The error is different though, it looks like it's stopping at the chown now because afterwards I do see that the chmod has been executed because I see a similar change to the movie directory when I did it manually.

Code:

Unable to apply permissions to: /media/Movies/<movie>: Error setting file owner and/or group: EPERM
NzbDrone.Mono.Disk.LinuxPermissionsException: Error setting file owner and/or group: EPERM
  at NzbDrone.Mono.Disk.DiskProvider.SetOwner (System.String path, System.String user, System.String group) [0x00056] in <47becc8372a140968eab920ae2856bf6>:0 
  at NzbDrone.Mono.Disk.DiskProvider.SetPermissions (System.String path, System.String mask, System.String user, System.String group) [0x00008] in <47becc8372a140968eab920ae2856bf6>:0 
  at NzbDrone.Core.MediaFiles.MediaFileAttributeService.SetMonoPermissions (System.String path, System.String permissions) [0x0002d] in <b938542dd9a14cfc824f9cd70d8df65b>:0

Right now chmod and chown are working in the console. It looks like Radarr is doing the chmod but the chown is failing. I tried enabling debug and trace error logging of Radarr but it doesn't give me any more information so I can't actually see what kind of command Radarr is executing. I assume it's actually both those commands since is says so in the GUI

I wish it was possible to only execute chown -R user_1 because that is all I need it to do.

 

[anodos]

I'm going to continue tomorrow, I tried the above but its not working as expected.

Also I tried testing the import of another movie through Radarr and it still throws an error with setting permissions. The error is different though, it looks like it's stopping at the chown now because afterwards I do see that the chmod has been executed because I see a similar change to the movie directory when I did it manually.

Code:

Unable to apply permissions to: /media/Movies/<movie>: Error setting file owner and/or group: EPERM
NzbDrone.Mono.Disk.LinuxPermissionsException: Error setting file owner and/or group: EPERM
  at NzbDrone.Mono.Disk.DiskProvider.SetOwner (System.String path, System.String user, System.String group) [0x00056] in <47becc8372a140968eab920ae2856bf6>:0
  at NzbDrone.Mono.Disk.DiskProvider.SetPermissions (System.String path, System.String mask, System.String user, System.String group) [0x00008] in <47becc8372a140968eab920ae2856bf6>:0
  at NzbDrone.Core.MediaFiles.MediaFileAttributeService.SetMonoPermissions (System.String path, System.String permissions) [0x0002d] in <b938542dd9a14cfc824f9cd70d8df65b>:0

Right now chmod and chown are working in the console. It looks like Radarr is doing the chmod but the chown is failing. I tried enabling debug and trace error logging of Radarr but it doesn't give me any more information so I can't actually see what kind of command Radarr is executing. I assume it's actually both those commands since is says so in the GUI

View attachment 28591

I wish it was possible to only execute chown -R user_1 because that is all I need it to do.

If you know the numeric id of that user in the jail, then you should be able to use it to chown your data. e.g. chown -R 10001. I'm not familiar enough with plugins to give concrete advice. Once you do that, you can set "inherit owner = yes" as an auxiliary parameter for your SMB share. This will cause the owner of new files created in the SMB share to be inherited from their parent directory (only affects samba operations).

 

[Mannekino]

@anodos I tried using the numeric ID but that didn't work either. I did some thinking last night and this morning and decided to approach the problem completely different based on some premises I hope I have correct.

1. My /mnt/data/media dataset has a Windows ACL and is being shared through Samba
2. With a setup like this it's best practise to no longer use chmod or chown even though chown does work well
3. Best practice is to use setfacl to change the ACL (adding, modifying or removing ACEs) or do this through Windows by changing the permissions by using Explorer.
4. I'm going to create a user media with a group media and a second group media-read
5. I will give the user media and group media full privileges and media-read should have read access only.
6. I will also add the user and group to the jails of Tranmission, Radarr and Sonarr.
7. I will change the user running these services to media so when they create, move or copy files and folders the owner will be media

My question is, what should the root permissions of this dataset look like and how should it propagate to all the child folders and files? This is what I I'm planning to set for /mnt/data/media. And should I do any other (or repeat) zfs commands?

Code:

# owner: media
# group: media
group:media-read:r-x---a-R-c---:fd----I:allow
            group@:rwxpDdaARWcCo-:fd----I:allow
            owner@:rwxpDdaARWcCo-:fd----I:allow

Thanks for all your help so far.

 

[anodos]

@anodos I tried using the numeric ID but that didn't work either. I did some thinking last night and this morning and decided to approach the problem completely different based on some premises I hope I have correct.

1. My /mnt/data/media dataset has a Windows ACL and is being shared through Samba
2. With a setup like this it's best practise to no longer use chmod or chown even though chown does work well
3. Best practice is to use setfacl to change the ACL (adding, modifying or removing ACEs) or do this through Windows by changing the permissions by using Explorer.
4. I'm going to create a user media with a group media and a second group media-read
5. I will give the user media and group media full privileges and media-read should have read access only.
6. I will also add the user and group to the jails of Tranmission, Radarr and Sonarr.
7. I will change the user running these services to media so when they create, move or copy files and folders the owner will be media

My question is, what should the root permissions of this dataset look like and how should it propagate to all the child folders and files? This is what I I'm planning to set for /mnt/data/media. And should I do any other (or repeat) zfs commands?

Code:

# owner: media
# group: media
group:media-read:r-x---a-R-c---:fd----I:allow
            group@:rwxpDdaARWcCo-:fd----I:allow
            owner@:rwxpDdaARWcCo-:fd----I:allow

Thanks for all your help so far.

To set the ACL mode back to where it was before, run the command zfs set aclmode=restricted

 

[Mannekino]

I was doing some searching and found this bug report which describes the same behavior I had earlier

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216886

Seems the solution you provided should have worked. I'm going to try this again today, curious if I can get chmod to work properly without additional ACEs being added (hope I'm using that term correctly here my knowledge is limited).

 

[anodos]

Your original ACE looks like this:

Code:

# file: Test
# owner: <user_1>
# group: <group_1>
        group:<group_1>:rwxpDdaARWcCos:fd----I:allow
group:entertainment:r-x---a-R-c---:fd----I:allow
            group@:rwxpDdaARWcCo-:fd----I:allow
            owner@:rwxpDdaARWcCo-:fd----I:allow

In this case, owner@ and group@ have all permissions on the current directory, and a new directory will inherit the same.

When you chmod with passthrough enabled you get this:

Code:

# file: Test
# owner: <user_1>
# group: <group_1>
        group:<group_1>:rwxpDdaARWcCos:fd----I:allow
group:entertainment:r-x---a-R-c---:fd----I:allow
            group@:rwxpDdaARWcCo-:fdi---I:allow
            owner@:rwxpDdaARWcCo-:fdi---I:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow

The "fdi" flags on the "all permissions" entries indicate that the ACE does _not_ apply to the current directory, but will be inherited on subdirectories (inherit only). This means that the posix mode for "test" is effectively (770), but a new directory created under Test will end up with the ACL:

Code:

        group:<group_1>:rwxpDdaARWcCos:fd----I:allow
group:entertainment:r-x---a-R-c---:fd----I:allow
            group@:rwxpDdaARWcCo-:fd----I:allow
            owner@:rwxpDdaARWcCo-:fd----I:allow

This means that applications won't "break" the underlying extended ACL via chmod()

 

[Mannekino]

OK, I don't understand it fully yet but I think I got the gist of it. I'm going to read that guide real thoroughly this weekend and experiment a bit on my FreeNAS test server.

For the time being I changed the user of the services to my own user, meaning Transmission, Radarr and Sonarr are now running under <user_1> and I simplified the permissions structure. Everything is working well now but I would like to understand this better anyway for future projects.