Fix: Plugins Permissions Bug

Status
Not open for further replies.
corey

Guest
Hi all,

I'm sure a few of you would recognize my voice, but probably not my name. I thought I would post up here with something I found out.

In the process of creating the FreeNAS Plugins Configuration video, I’ve discovered an unforeseen bug in FreeNAS that causes funny problems with permissions. Specifically, volumes that have a mountpoint in the jail can be affected by this glitch. I’ve notified the development team, but I don’t know when a permanent fix is coming. For the time being, I found this to be a functional workaround for Transmission and probably also miniDLNA.

The underlying problem seems to be that the daemons running Transmission and miniDLNA will pick a GID that doesn’t exist in the base system, and only exists in the jail, and the workaround is to create a group in the base system with the same GID, and then use chflags to keep the dataset’s permissions from changing again.

From a completely fresh install on bare metal, these were our steps to get transmission to work.

I hope this will help someone looking! I've also noticed posts about the umask in the Transmission JSON settings, and that may also be worth looking into. I was using 8.2P1 for this.



Code:
1. Change administrator password

2. Create ZFS mirror from two 3.0TB disks

3. Extend volume with mirrored array of remaining two 3.0TB disks

4. Create a ZFS dataset to put the plugins jail in (called Jail, no options)

5. Create a parallel dataset, called ‘plugins’ for plugins archive (no options)

6. Create a third parallel dataset, called ‘transmission’ for the downloads (no options)

7. Create a new user, (mine was username 'corey'), set a password, aux group ‘nobody’

8. Add CIFS share named ‘transmission’, sharing dataset ‘transmission’ (no options - make sure it’s using Unix ACLs)

9. Set guest user to 'corey'

10. Enable CIFS service

11. Configure plugins

a. Jail path to jail dataset
b. name jail
c. set unused IP on network
d. /16 netmask
e. plugins path to plugins dataset

12. Turn plugins service on

13. Change permissions on 'transmission', owner corey, group 'nobody', 755 permissions, recursive

14. Connect to the share on PCBSD and create 'Downloads' (watch is Downloads) directory under 'transmission' (This will also test to see if permissions are working correctly)

15. Create an empty file - ‘transmission.log’ - in the 'transmission' share

16. Install the transmission PBI

17. Add mount point, source 'transmission' (dataset), destination '/usr/pbi/transmission-amd64/etc/transmission/home' (this already has preset folders for data)

18. jexec into jail
a. Use command vipw to find GID of transmission

19. Make new group in base system with same GID

20. Add the new transmission group as aux group to user you want to authenticate with

21. Navigate with the tree menu to transmission settings
a. Browse for log file, enable rpc authentication, user ‘corey’, set password
b. File defaults are already set and match mount point

22. Turn on transmission

23. Change dataset permissions back to 755 corey:nobody (in case they were reset, as mine were)

24. Connect in the browser to jailip:9091, user and password

25. On PCBSD, drop a torrent file into the watch directory. It should change the extension to .added, and you should see it start in the transmission webGUI

26. In FreeNAS, verify one last time that the permissions are still correct, and then in the webshell, run the command ‘# chflags schg /path/to/directory’ to lock the permissions and prevent further changes.
 

paleoN

Wizard
Joined
Apr 22, 2012
Messages
1,403
I'm sure a few of you would recognize my voice, but probably not my name.
I don't know what this means, but I doubt I would. ;)

In the process of creating the FreeNAS Plugins Configuration video, I’ve discovered an unforeseen bug in FreeNAS that causes funny problems with permissions. Specifically, volumes that have a mountpoint in the jail can be affected by this glitch. I’ve notified the development team, but I don’t know when a permanent fix is coming. For the time being, I found this to be a functional workaround for Transmission and probably also miniDLNA.

The underlying problem seems to be that the daemons running Transmission and miniDLNA will pick a GID that doesn’t exist in the base system, and only exists in the jail, and the workaround is to create a group in the base system with the same GID, and then use chflags to keep the dataset’s permissions from changing again.
This is by design. It is undesirable to have random UID/GID collisions in any system. I did suggest that the pbi install create a group, with the appropriate GID, in the base FreeNAS system. I'm hoping it's coming and they just didn't get to it yet.

A better step 18:
Code:
jexec `jls jid` id transmission


Also, there was a recent commit and Transmission shouldn't change the permissions behind your back anymore.
 

goerz

Dabbler
Joined
Dec 19, 2011
Messages
17
Thank you for your post. However, following your instructions to the letter, I can't manage to make transmission work. After turning it on, it changes permissions to the "transmission" dataset, setting them to user root and the GID used by transmission. If I revert permissions back to the original state (user 'myaccount', group nobody, chmod 755), then transmission doesn't have write access to the "transmission" dataset, and the web GUI returns this:

Error: Unable to save resume file: Permission denied

If I let transmission have its way, it works correctly, but I can't modify files in the "Downloads" folder. So I applied chmod 777 to the transmission share, and it works until the transmission service restarts. Upon restarting, in fact, transmission takes possession of the Downloads folder (not the other folders in the transmission share), and I can't modify its content anymore.
I would be pleased if someone could help me on this matter.
Thanks,
goerz
 

ben

FreeNAS GUI Developer
Joined
May 24, 2011
Messages
373
goerz, that's what the "chflags" step is for - once everything is working, prevent the permissions from changing with the 'chflags schg /mnt/path/to/dataset' command to make the permissions immutable.
 

goerz

Dabbler
Joined
Dec 19, 2011
Messages
17
goerz, that's what the "chflags" step is for - once everything is working, prevent the permissions from changing with the 'chflags schg /mnt/path/to/dataset' command to make the permissions immutable.

I understand that, and the chflags command works. However, even if permissions are set at 777, transmission still can't access the download directory. Sometimes the download appears to be completed normally in the web GUI, but there's nothing in the download directory. Reading the transmission log, I found this error:

Couldn't create "/usr/pbi/transmission-amd64/etc/transmission/home/Downloads/MyDownloadedFile.rar": Operation not permitted

So I can either give transmission full control of the Downloads directory, but in that case I lose write access, or I can use chmod 777 and chflags, getting write privileges, but then transmission wouldn't work.
Regards,
goerz

EDIT: the chflags step seems to create the issue: when I set the schg flag, transmission loses access to the mount. If I don't set the flag, the permissions don't survive a transmission restart. Moreover, the mount is not accessible by transmission if I set "nobody" as the group (step 22): I need to set the transmission GID as group, myself as the owner, and 775 as permissions (not 755).
 

cimimonsti

Cadet
Joined
Sep 29, 2012
Messages
8
goerz,

You'll need to edit the umask for transmission. I know I'm late, but if you're still trying to get this to work, let me know.

/cim
 

DragonsDream

Cadet
Joined
Oct 17, 2012
Messages
5
hi, sorry to jump in, but I'm a bit confused with this. I got my FreeNAS set up a couple of days ago and installed Transmission yesterday but can't get it working. My first issue was that I was already running transmission on a Synology DiskStation but simply changing the ports in the router solved that. But now I'm getting access denied errors whenever I try to DL stuff. What annoys me is that I shouldn't need permission to access my own drives. I have 3 desktop computers, a Synology Disk Station and now an HP Proliant MicroServer running FreeNAS and I want all of these computers to have free access to all others so I have no user accounts on anything. On FreeNas I have set up a dataset inside my Volume1 called Video (mnt/volume1/Video) which is where I want Transmission to download to (as well as store all other video files which I have already moved there). I want my watch folder to be mnt/volume1/torrents. I have both of these (Video and torrents) shared with my other computers (all Win7). I can move and copy files in and out of these folders so I know I have permission to access them, but it looks like Transmission does not. It ignores the watch folder and gives a permission denied error when attempting to download anything added manually.

My question then is how do I give Transmission access without worrying about user accounts and without having to download to some folder buried deep in the jail. Thanks for any help
 

goerz

Dabbler
Joined
Dec 19, 2011
Messages
17
goerz,

You'll need to edit the umask for transmission. I know I'm late, but if you're still trying to get this to work, let me know.

/cim

I gave up on making transmission work for a while, but now I installed 8.3 release and I'd like to give transmission a try one last time, before ditching the whole plugin side of freenas until it gets fixed. I managed to make transmission download its files in a mount point outside the jail, however I can't modify or delete downloaded files. The mount is owned by root and has 777 permissions. How exactly do I edit umask for transmission? There's no such option in the GUI.
Thanks,
goerz
 

djlax152

Dabbler
Joined
Mar 15, 2012
Messages
48
I gave up on making transmission work for a while, but now I installed 8.3 release and I'd like to give transmission a try one last time, before ditching the whole plugin side of freenas until it gets fixed. I managed to make transmission download its files in a mount point outside the jail, however I can't modify or delete downloaded files. The mount is owned by root and has 777 permissions. How exactly do I edit umask for transmission? There's no such option in the GUI.
Thanks,
goerz

Not sure about this, but how come transmission can't install under the root user? Why does it need to create a completely different user and group? I've tried tricking it with the adding-the-group-with-the-same-ID thing, but I couldn't get it to work.
 

goerz

Dabbler
Joined
Dec 19, 2011
Messages
17
Not sure about this, but how come transmission can't install under the root user? Why does it need to create a completely different user and group? I've tried tricking it with the adding-the-group-with-the-same-ID thing, but I couldn't get it to work.

I think that transmission must run under a different user because of the whole jail architecture that has been created for implementing plugins in freenas, but I'm no expert and that's just my assumption. Anyhow, I solved my problems by setting the "umask" parameter to "0" in the transmission configuration file, and by giving 777 permissions to the download folder, which is, in my case, a mount point outside the jail. The umask parameter can't be changed using the freenas GUI; I had to use the shell and edit with nano the settings.json file located in the "home" folder of transmission, in the jail:

/usr/pbi/transmission-amd64/etc/transmission/home/

Now my downloads are outside the jail and I can delete or modify them.
Hope this helps.
Goerz
 

djlax152

Dabbler
Joined
Mar 15, 2012
Messages
48
Hi Goerz, thanks for the reply, I really appreciate it! I never had to do anything inside the shell and only know a few basic unix commands. I get stuck when I try to do this because when I open my shell I can't seem to get to my /usr/pbi/transmission-amd64/etc/transmission/home/ folder. I put an attachment up to show you where I land when I open my shell. I think I am missing a basic step or something that I don't know. Can anyone help me out? Forgive my ignorance.
 

Attachment: Rootshell.JPG

goerz

Dabbler
Joined
Dec 19, 2011
Messages
17
Again, I have no formal training in unix (or computers in general), but I like to solve problems and I'll do my best to help you out. When you open the shell you are in root's home folder. You need to navigate to your jail folder. First of all take note of the name of the Volume where the jail and transmission reside. In my case, it's just called "nas". Then take note of the name of your jail directory you've created when installing transmission. In my case, I have a "jail" dataset (directory on a volume), with an installed jail inside called "jail" (I have no imagination, I know...).
Your volume is mounted in the /mnt directory, you need to navigate to it, then to your jail folder.
So when you open the shell you should type:

Code:
cd /mnt/[name_of_your_volume]


If you now type a "ls -l" command you should see all your directories. Locate the jail directory and move there. From there you'll see that there's a "usr" folder. For example, the full path to type at the first shell prompt, in my system, would be:

Code:
cd /mnt/nas/jail/jail/usr/pbi/transmission-amd64/etc/transmission/home


In this "home" folder you'll find the settings.json file to edit. Just type:

Code:
nano settings.json


and change the "umask" parameter to 0. Save your changes and exit (instructions are displayed at the bottom of the screen on the terminal window).

All the files downloaded by transmission from this moment on will be editable by any user. You should also give yourself full access to the download folder. I created a mountpoint in my system, outside the jail, that refers to the default download directory, which I didn't change in transmission preferences. I gave unlimited access to this directory to any user via the shell (command "chmod 777 /path_of_directory"), to make sure that transmission can write its files there. Please note that this option may not be advisable if you have security concerns on your network.
Let me know if you manage to solve your problem, having transmission on freenas is an awesome upgrade of your nas system.
Bye,
Goerz

EDIT: please note that I don't use the shell integrated in the GUI, because I can't manage to use nano properly with it. Instead, I connect to my nas box using putty (ssh session). Also, when using nano, commands are sent using the "ctrl" key, so "^X" really is "ctrl-X".
 
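Added example, not part of any post in this thread: umask 0 plus chmod 777 lets every local account modify the downloads, while the arrangement goerz reported earlier (yourself as owner, Transmission's GID as group, 775) needs only a umask of 002. The script shows the modes each umask produces, lists world-writable entries, applies the group arrangement, and converts an octal umask to the decimal number Transmission 2.x expects in settings.json; the function names and the temporary directory are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and function names are illustrative.

# Symbolic mode of PATH as printed by ls, e.g. "-rw-rw-r--".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create NAME.file and NAME.dir under DIR the way a daemon running with
# umask MASK would (it requests 666 for files and 777 for directories).
create_with_umask() (
    umask "$1"
    : > "$2/$3.file"
    mkdir "$2/$3.dir"
)

# List every entry under DIR that any local account may modify.
world_writable() {
    find "$1" ! -type l -perm -0002 -print | sort
}

# Hand DIR to GROUP: 775 on directories, 664 on files, so "other" keeps
# read access only. GROUP stands for the base-system group created with the
# jail's Transmission GID (steps 19-20 of the first post).
share_with_group() {
    chgrp -R "$2" "$1" &&
    find "$1" -type d -exec chmod 775 {} + &&
    find "$1" -type f -exec chmod 664 {} +
}

# Transmission 2.x stores "umask" in settings.json as a decimal number,
# so octal 002 is written 2 and octal 022 is written 18.
settings_umask() {
    printf '%d\n' "0$1"
}

demo() {
    tree=$(mktemp -d) || return 1          # constructed sample tree
    create_with_umask 000 "$tree" open
    create_with_umask 002 "$tree" grp
    echo "umask 000: $(mode_of "$tree/open.file") $(mode_of "$tree/open.dir")"
    echo "umask 002: $(mode_of "$tree/grp.file") $(mode_of "$tree/grp.dir")"
    echo "world-writable before:"; world_writable "$tree"
    share_with_group "$tree" "$(id -g)"    # own primary GID stands in for the group
    echo "world-writable after: $(world_writable "$tree" | wc -l)"
    echo "settings.json value for umask 002: $(settings_umask 002)"
    rm -rf "$tree"
}

demo
```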

Emegra

Dabbler
Joined
Apr 6, 2012
Messages
16
Hi goerz

I am having exactly the same problem. I've been struggling with this for days: transmission won't download directly from the watch folder, I have to browse to a torrent from the transmission web gui, and when it does download I have no permissions to do anything with the downloaded file. I followed your instructions and changed umask to "0" in the json file, but can you tell me how to give 777 file permissions to the download folder?


Many thanks


Graeme
 

goerz

Dabbler
Joined
Dec 19, 2011
Messages
17
Hi goerz

I am having exactly the same problem. I've been struggling with this for days: transmission won't download directly from the watch folder, I have to browse to a torrent from the transmission web gui, and when it does download I have no permissions to do anything with the downloaded file. I followed your instructions and changed umask to "0" in the json file, but can you tell me how to give 777 file permissions to the download folder?

Using the shell, issue this command:

Code:
chmod 777 <full_path_of_your_download_folder>


For example, in my case it would be: chmod 777 /mnt/nas/downloads

If there are already downloaded files in the directory which you can't delete or modify, you should also change their permissions, always using the shell and the chmod command.
Regards,
Goerz
 

djlax152

Dabbler
Joined
Mar 15, 2012
Messages
48
Thank you SO MUCH for this post. I really appreciate you taking the time to do this. Funny thing happened: I used putty to SSH into my freenas box and followed your directions to navigate to the "Home" folder. I couldn't edit the settings.json file because my access was denied, so I closed out of Putty and then logged in as "root", navigated to the home directory, skipped modifying the settings.json, and ran the command " chmod -R 777 home " without the quotes of course. Then I went to my downloads directory via the CIFS share and presto! It's working, I can delete and modify all of my files in the download directory. I didn't need to modify the settings.json file. I hope this stays working lol. Thanks for all the help, I'm really impressed with the help on this forum. Good stuff guys!!
ChomdCommand.jpg
 