[How-To] Giving Plugins Write Permissions to Your Data

Status
Not open for further replies.

BBarker

Contributor
Joined
Aug 7, 2015
Messages
120
You are correlating things without understanding everything about the underlying system, lol. Restarting the jail never breaks things; it usually just seems to cause things to break because services that were running will no longer start because of a previous error. Also, changing the permission setting in sabnzbd won't break anything, except maybe the ability to read those files, for example from CIFS.

In your latest attempt I believe the plugin won't turn on because it doesn't have write permissions to its download folders.
sabnzbd needs write permissions to those folders, which you can accomplish by properly implementing a solution from this thread's opening post.
In your case, whatever method you are using to access the downloaded files also needs write permissions. So you should also implement one of the solutions from this thread (without undoing what you did for sabnzbd), though doing that for a sharing protocol is going to be different steps than what's documented here. I suggest you let the download directory be owned by UID 816, and have sabnzbd write files with 777 permissions.

I feel like Matt Damon in the Martian when he was trying to make H2O using Hydrazine and he's all excited about his idea and when he fires it up for the first time......BOOM because he missed a detail in the setup. Had a few booms but am making progress for sure. As of now, the plugin is on, running and behaving normally. I did use solution one and set up the download directory to use 816 for ownership and that seems to help with the access issues. I think it wouldn't turn on because of ownership. Prior to this, /var/db/sabnzbd had root:wheel for ownership and now shows media:media and seems to be behaving.

I think I am/was having CIFS issues in trying to read, move the files once downloaded so I will work on that since I know you don't like talking about CIFS....lol

Anyway, this is fun for me and I appreciate everyone's participation in helping this FreeNAS greenpea.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
lol, glad you're learning stuff. at least you got it somewhat working. for CIFS I think I usually use something like 'force user = media'
 

Jr922

Explorer
Joined
Apr 22, 2016
Messages
58
In order for your plugin to be able to write to your data datasets/folders it must have..
  1. access to your data dataset/folders
  2. permissions to write to your data folders.

1) MAKING DATA ACCESSIBLE TO YOUR PLUGIN'S JAIL

  • It is preferred that your data reside on a dataset(s) outside of your jail that you regularly snapshot and backup.
  • FreeNAS plugins, by default, have no access to files residing outside of their jail.

2) PERMISSIONS

Choose one of the 4 solutions to give your plugin write permission to your data folders.

FACTS

  • Every folder/file has a UNIX permission level, UID ownership, and GID ownership, which determine which user/group members can read/write to that folder/file. Basic UNIX permissions are described in the opening part of Chapter 4, Part 4, of the FreeBSD handbook.
  • Jails and the FreeNAS host do not share user/group databases. They only associate UIDs/GIDs to users/groups if that mapping exists in its particular user/group database.
  • Processes running inside a jail's userland (plugins) are permitted to read/write files/folders according to the jail's user/group database.
  • By default, most plugins run as a specific user, with a specific UID, and keep their configuration/databases/logs in what I will refer to as a data-directory.
    • SERVICE - USER (UID) - DATA-DIRECTORY
    • transmission - transmission (921) - /var/db/transmission
    • sabnzbd - media (816) - /var/db/sabnzbd
    • sickbeard - media (816) - /var/db/sickbeard
    • sickrage - media (816) - /var/db/sickrage
    • sonarr - media (816) - /var/db/sonarr
    • couchpotato - media (816) - /var/db/couchpotato
    • headphones - media (816) - /var/db/headphones
    • mylar - media (816) - /var/db/mylar
    • xdm - media (816) - /var/db/xdm
    • maraschino - media (816) - /var/db/maraschino
    • htpc-manager - media (816) - /var/db/htpc-manager
    • plexmediaserver - plex (972) - /var/db/plexdata
    • emby-server - emby (983) - /var/db/emby-server
    • subsonic - media (816) - /var/db/subsonic
    • btsync - btsync (817) - /var/db/btsync
    • syncthing - syncthing (983) - /var/db/syncthing
SOLUTION 1 - USER WRITEABLE
  • Add a user in the FreeNAS WebUI with a matching UID as the plugin's default user.
  • Change ownership of the data dataset/folders to the newly added user.
SOLUTION 2 - USER WRITEABLE
  • In the jail, add a user with a matching UID as the owner of the data dataset/folders.
    • Code:
      pw useradd -n USER -u UID -d /nonexistent -s /usr/sbin/nologin
  • In the jail, change the user the plugin runs as, and change ownership of the data-directory.
    • Code:
      service PLUGIN onestop
      chown -R USER:GROUP /var/db/PLUGIN
      sysrc 'PLUGIN_user=USER'
      service PLUGIN start
SOLUTION 3 - GROUP WRITEABLE
  • Change permission of the data dataset/folders to allow group writing.
  • In the jail, add a group with a matching GID as the group owner of the data dataset/folders.
    • Code:
      pw groupadd -n GROUP -g GID
  • In the jail, add the user the plugin runs as to the newly added group.
    • Code:
      pw groupmod GROUP -m USER
SOLUTION 4 - OTHER WRITEABLE
  • Change permission of the data dataset/folder to allow other writing.


Can you help me out with solution 3? I just broke both plex and transmission plugins after changing the permissions on the datasets to 770, previously 755 I think. I thought since they are all in the same group it wouldn't matter and I thought group write would fix my transmission having permission denied, but I didn't realize that the group has to be set in the jail as well.

After no luck messing with permissions, including 777 on the datasets, I decided to start fresh and deleted both jails.

I want both plugins to work with group permissions.

My media is located on a dataset called "VeNASflytrap" with user= root (0) and group= VeNASflytrap_users (1001) permissions 770
My Jails are on a dataset called "NASssd" with user= root (0) and group= VeNASflytrap_users (1001) permissions 770

I started with plex reinstall but when I go to create storage for it it says "The path '/mnt/NASssd/ssdjails' requires execute permission bit"
so I think I need to set the owner gid inside the jail to 1001 so that it gets execute permission from the group. right?

For the plex jail storage I use /mnt/VeNASflytrap/VeNASflytrap/Mdata with it mounted at /media
But I can't set this until I allow other execute.

I ran the code in solution 3 and I think I changed the group. I'm not sure if I am changing the group properly or who actually owns the jail, I think it's root...
I couldn't figure out the directory for plex to check, # ls -l /var/db/??????

If I allow other execute on my /mnt/NASssd and run ls -l / | grep media
I get :
root@plexmediaserver_1:/ # ls -l / | grep media
drwxrwxr-x+ 6 1001 VeNASflytrap_users 6 May 26 14:39 media
 

Jr922

Explorer
Joined
Apr 22, 2016
Messages
58
ok I also got this:
root@plexmediaserver_1:/ # ls -l
total 108
-rwxrwx--x 2 root VeNASflytrap_users 966 Mar 24 22:11 .cshrc
drwxrwx--x 2 root VeNASflytrap_users 4 Jun 2 16:54 .plugins
-rwxrwx--x 2 root VeNASflytrap_users 254 Mar 24 22:11 .profile
-rwxrwx--x 1 root VeNASflytrap_users 6197 Mar 24 22:11 COPYRIGHT
drwxrwx--x 2 root VeNASflytrap_users 47 Mar 24 22:10 bin
drwxrwx--x 8 root VeNASflytrap_users 50 Mar 24 22:11 boot
drwxrwx--x 14 root VeNASflytrap_users 512 Jun 2 17:25 dev
drwxrwx--x 23 root VeNASflytrap_users 107 Jun 2 17:20 etc
drwxrwx--x 3 root VeNASflytrap_users 52 Mar 24 22:10 lib
drwxrwx--x 3 root VeNASflytrap_users 5 Mar 30 19:26 libexec
drwxrwxr-x+ 6 1001 VeNASflytrap_users 6 May 26 14:39 media
drwxrwx--x 2 root VeNASflytrap_users 2 Mar 24 22:10 mnt
dr-xr-xr-x 1 root wheel 0 Jun 2 18:09 proc
drwxrwx--x 2 root VeNASflytrap_users 146 Mar 24 22:10 rescue
drwxrwx--x 2 root VeNASflytrap_users 7 Jun 2 17:25 root
drwxrwx--x 2 root VeNASflytrap_users 132 Mar 24 22:11 sbin
lrwxrwx--x 1 root VeNASflytrap_users 11 Mar 24 22:11 sys -> usr/src/sys
drwxrwx--x 6 root VeNASflytrap_users 6 Jun 2 17:20 tmp
drwxrwx--x 15 root VeNASflytrap_users 15 Jun 2 16:54 usr
drwxrwx--x 25 root VeNASflytrap_users 25 Jun 2 17:20 var
 

omstauf

Cadet
Joined
Jun 4, 2016
Messages
7
Sorry for first post here. I'm not new to Linux, and ran FreeBSD last with version 4.8, however I'm new to ZFS and FreeNAS.

I've searched and from what I can gather, seemed like everything should work yet doesn't. I thought Transmission would be the easiest to setup, and started here, several days ago...

FreeNAS 9.10 Stable, Main Pool (Internal), Main Dataset (/Main), Download Dataset (/Main/Downloads), Jails. All are Unix Permissions, Main Dataset is a CIFS share.

Now if I gather correctly, the main goal is to have the Plugins on the same UID/GID as the destination directory. If this is correct, then I'm lost as it should work.

Download dataset (source in jail storage) and /downloads (jail storage) both have the same me:smbd yet I continue to get permission denied errors when it wants to write.

Transmission GUI shows /downloads as valid with free space, both file locations are permissioned out, and the plugin settings for download are 775, which should give me Owner/Group R/W/E.. I'd rather see a 766 as there's no reason for Execute, but whatever.

If I've missed anything, feel free to call me a rusty idiot, but I'm at a loss here...

Thank you
 

Jr922

Explorer
Joined
Apr 22, 2016
Messages
58
Sorry for first post here. I'm not new to Linux, and ran FreeBSD last with version 4.8, however I'm new to ZFS and FreeNAS.

I've searched and from what I can gather, seemed like everything should work yet doesn't. I thought Transmission would be the easiest to setup, and started here, several days ago...

FreeNAS 9.10 Stable, Main Pool (Internal), Main Dataset (/Main), Download Dataset (/Main/Downloads), Jails. All are Unix Permissions, Main Dataset is a CIFS share.

Now if I gather correctly, the main goal is to have the Plugins on the same UID/GID as the destination directory. If this is correct, then I'm lost as it should work.

Download dataset (source in jail storage) and /downloads (jail storage) both have the same me:smbd yet I continue to get permission denied errors when it wants to write.

Transmission GUI shows /downloads as valid with free space, both file locations are permissioned out, and the plugin settings for download are 775, which should give me Owner/Group R/W/E.. I'd rather see a 766 as there's no reason for Execute, but whatever.

If I've missed anything, feel free to call me a rusty idiot, but I'm at a loss here...

Thank you

Seems like we are having a similar issue. If you 777 /downloads does it get rid of the permission denied errors? That would rule out any problems with the plugin.
 

omstauf

Cadet
Joined
Jun 4, 2016
Messages
7
Seems like we are having a similar issue. If you 777 /downloads does it get rid of the permission denied errors? That would rule out any problems with the plugin.

Well, I just tried that and no help... I probably tried it before, but I've pulled my hair out wondering wth is wrong...
 

Jr922

Explorer
Joined
Apr 22, 2016
Messages
58
Well, I just tried that and no help... I probably tried it before, but I've pulled my hair out wondering wth is wrong...
hmm.. so 777 on the dataset that holds your downloads didn't work.
What are the permissions on the dataset where the jail resides?
I think the running process in the jail needs to be the right user as well.
With the plugin on you should be able to see this with the command "ps aux".
 

omstauf

Cadet
Joined
Jun 4, 2016
Messages
7
hmm.. so 777 on the dataset that holds your downloads didn't work.
What are the permissions on the dataset where the jail resides?
I think the running process in the jail needs to be the right user as well.
With the plugin on you should be able to see this with the command "ps aux".

Okay, so as we play loosey-goosey with everything at this point, I set the Download dataset to 777.. Well, the test file did download... The interesting part isn't that it shows the Owner as transmission, but that it shows the group correctly at smbd.. So, by that, and the fact that I have the user transmission added to group smbd, 775 should work on the Download dataset, however it doesn't...... Leaving anything at 777 isn't going to happen, that's just insane...
 

omstauf

Cadet
Joined
Jun 4, 2016
Messages
7
Alright... So after changing the Dataset to transmission as owner and changing it to 775, it worked just as well as 777 with whoever for O/G... Since it was working, however not how I want, I installed crashpad. That led me to another page for help on that, which actually gave me useful info on jails. Seeing now how I could easily log into the box as transmission user, I hunted down a couple things. Now, I consider this a bug or oversight or something as I now have everything working mostly how I'd like it owner/group wise. The group file inside transmission's jail is a base group file with transmission added, but it didn't show any other groups I had added, before I reinstalled it btw, and so I edited the file to add my smbd group, then added transmission to it. I reset everything how it should be, and whatcha know, it works correctly...

Keep in mind, that it still writes any new files as transmission:smbd, so it keeps itself the owner despite any inherited permissions, which again, goes against how I understood and would like it to work.

So the fix.. I'd suggest a fresh reboot.. Grab the group id number that you want to use. Open the Shell up and type:
Code:
jls
jexec # csh
cd /etc
vi group


#1 will give you a list of jails with ID numbers.
#2 # is the jail number. Now you're in the shell of the plugin jail.
#3 Enter the correct directory
#4 Use VI to edit the Group file.

I'd suggest having a vi cheatsheet handy unless you already know it. Run to the bottom and add a new line, follow the format from above, add your group and its id number, at the end, add transmission. I'd reboot again after you're done fixing anything (like me) you did trying to work it out.

Code:
smbd:*:1001:transmission

that is the line I added

I'd still like and appreciate it not using transmission as owner, but using the inherited details as I think it should. At least now, I can work with everything... If anyone knows how to set it to use a defined user, I'd love it.

Thanks!

p.s. Jr922, I think you should delete the jails and plugins, and start over then use what I learned and did to fix it how you want it. The jails storage should remain root:wheel or whatever they are to start with. I tried what you did once, seemed logical at the time, with changing the group in jails storage and it broke everything.. Clean slate it and start new, you'll get it how you want it now. =)
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
ok I also got this:
root@plexmediaserver_1:/ # ls -l
total 108
-rwxrwx--x 2 root VeNASflytrap_users 966 Mar 24 22:11 .cshrc
drwxrwx--x 2 root VeNASflytrap_users 4 Jun 2 16:54 .plugins
-rwxrwx--x 2 root VeNASflytrap_users 254 Mar 24 22:11 .profile
-rwxrwx--x 1 root VeNASflytrap_users 6197 Mar 24 22:11 COPYRIGHT
drwxrwx--x 2 root VeNASflytrap_users 47 Mar 24 22:10 bin
drwxrwx--x 8 root VeNASflytrap_users 50 Mar 24 22:11 boot
drwxrwx--x 14 root VeNASflytrap_users 512 Jun 2 17:25 dev
drwxrwx--x 23 root VeNASflytrap_users 107 Jun 2 17:20 etc
drwxrwx--x 3 root VeNASflytrap_users 52 Mar 24 22:10 lib
drwxrwx--x 3 root VeNASflytrap_users 5 Mar 30 19:26 libexec
drwxrwxr-x+ 6 1001 VeNASflytrap_users 6 May 26 14:39 media
drwxrwx--x 2 root VeNASflytrap_users 2 Mar 24 22:10 mnt
dr-xr-xr-x 1 root wheel 0 Jun 2 18:09 proc
drwxrwx--x 2 root VeNASflytrap_users 146 Mar 24 22:10 rescue
drwxrwx--x 2 root VeNASflytrap_users 7 Jun 2 17:25 root
drwxrwx--x 2 root VeNASflytrap_users 132 Mar 24 22:11 sbin
lrwxrwx--x 1 root VeNASflytrap_users 11 Mar 24 22:11 sys -> usr/src/sys
drwxrwx--x 6 root VeNASflytrap_users 6 Jun 2 17:20 tmp
drwxrwx--x 15 root VeNASflytrap_users 15 Jun 2 16:54 usr
drwxrwx--x 25 root VeNASflytrap_users 25 Jun 2 17:20 var
You changed permissions/permission levels for your jail which will probably break it. Never do this, only change permissions for the dataset containing your files. Since you want to use group writing I suggest you do the following...

* change permissions for "VeNASflytrap" dataset (not the jail / plugin dataset) to 770, with the group owner "VeNASflytrap_users"
* add the "VeNASflytrap_users" user with GID 1001 to the jail. It looks like you did this correctly based on your output, but I recommend you don't use this jail since you probably broke it, so you'll need to do this again
* add the relevant user that runs the plugin to that group in each jail. for transmission it would be "pw groupmod 1001 -m transmission"
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Sorry for first post here. I'm not new to Linux, and ran FreeBSD last with version 4.8, however I'm new to ZFS and FreeNAS.

I've searched and from what I can gather, seemed like everything should work yet doesn't. I thought Transmission would be the easiest to setup, and started here, several days ago...

FreeNAS 9.10 Stable, Main Pool (Internal), Main Dataset (/Main), Download Dataset (/Main/Downloads), Jails. All are Unix Permissions, Main Dataset is a CIFS share.

Now if I gather correctly, the main goal is to have the Plugins on the same UID/GID as the destination directory. If this is correct, then I'm lost as it should work.

Download dataset (source in jail storage) and /downloads (jail storage) both have the same me:smbd yet I continue to get permission denied errors when it wants to write.

Transmission GUI shows /downloads as valid with free space, both file locations are permissioned out, and the plugin settings for download are 775, which should give me Owner/Group R/W/E.. I'd rather see a 766 as there's no reason for Execute, but whatever.

If I've missed anything, feel free to call me a rusty idiot, but I'm at a loss here...

Thank you
I don't think you understand what execute bit does for folders. You need that for things to be readable, if you want 775, with files being 664 that could work, you could do that with a 'chmod' on the commandline
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Alright... So after changing the Dataset to transmission as owner and changing it to 775, it worked just as well as 777 with whoever for O/G... Since it was working, however not how I want, I installed crashpad. That led me to another page for help on that, which actually gave me useful info on jails. Seeing now how I could easily log into the box as transmission user, I hunted down a couple things. Now, I consider this a bug or oversight or something as I now have everything working mostly how I'd like it owner/group wise. The group file inside transmission's jail is a base group file with transmission added, but it didn't show any other groups I had added, before I reinstalled it btw, and so I edited the file to add my smbd group, then added transmission to it. I reset everything how it should be, and whatcha know, it works correctly...

Keep in mind, that it still writes any new files as transmission:smbd, so it keeps itself the owner despite any inherited permissions, which again, goes against how I understood and would like it to work.

So the fix.. I'd suggest a fresh reboot.. Grab the group id number that you want to use. Open the Shell up and type:
Code:
jls
jexec # csh
cd /etc
vi group


#1 will give you a list of jails with ID numbers.
#2 # is the jail number. Now you're in the shell of the plugin jail.
#3 Enter the correct directory
#4 Use VI to edit the Group file.

I'd suggest having a vi cheatsheet handy unless you already know it. Run to the bottom and add a new line, follow the format from above, add your group and its id number, at the end, add transmission. I'd reboot again after you're done fixing anything (like me) you did trying to work it out.

Code:
smbd:*:1001:transmission

that is the line I added

I'd still like and appreciate it not using transmission as owner, but using the inherited details as I think it should. At least now, I can work with everything... If anyone knows how to set it to use a defined user, I'd love it.

Thanks!

p.s. Jr922, I think you should delete the jails and plugins, and start over then use what I learned and did to fix it how you want it. The jails storage should remain root:wheel or whatever they are to start with. I tried what you did once, seemed logical at the time, with changing the group in jails storage and it broke everything.. Clean slate it and start new, you'll get it how you want it now. =)
you can not have transmission as the dataset owner if you follow solution 3. This requires the folder is group writable, and that the user transmission runs as, is in the group that owns the files, in the jail.

None of the permission issues you are hitting are bugs. It's just how jails and unix permissions work together. If you spend enough time banging your head against stuff like I have you figure out exactly how and why things work/don't work
 

Jr922

Explorer
Joined
Apr 22, 2016
Messages
58
Okay, so as we play loosey-goosey with everything at this point, I set the Download dataset to 777.. Well, the test file did download... The interesting part isn't that it shows the Owner as transmission, but that it shows the group correctly at smbd.. So, by that, and the fact that I have the user transmission added to group smbd, 766 should work on the Download dataset, however it doesn't...... Leaving anything at 777 isn't going to happen, that's just insane...
Well at least you know for sure it's permissions now. Hopefully Josh can hel
I don't think you understand what execute bit does for folders. You need that for things to be readable, if you want 775, with files being 664 that could work, you could do that with a 'chmod' on the commandline

Thanks for the replies, I will try out your post tonight with a new jail. I got plex working again with a new jail and Jails dataset 775 and media dataset 775, but I sort of gave up on transmission for a little because it seems to break at any change and needs media write. Maybe I'll mess with it in a VM so I can keep starting from scratch and deleting jails and such without affecting everything else that is working fine.
I really don't understand what the execute bit does. So on any jails dataset you need 775 because it needs to have other access? I've seen tutorials where the jails dataset is 777 nobody:nogroup, but I didn't understand the reason behind it and I see 777 as a security issue, am I wrong?
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Well at least you know for sure it's permissions now. Hopefully Josh can hel


Thanks for the replies, I will try out your post tonight with a new jail. I got plex working again with a new jail and Jails dataset 775 and media dataset 775, but I sort of gave up on transmission for a little because it seems to break at any change and needs media write. Maybe I'll mess with it in a VM so I can keep starting from scratch and deleting jails and such without affecting everything else that is working fine.
I really don't understand what the execute bit does. So on any jails dataset you need 775 because it needs to have other access? I've seen tutorials where the jails dataset is 777 nobody:nogroup, but I didn't understand the reason behind it and I see 777 as a security issue, am I wrong?
don't change the jail dataset. please stop even thinking about it, lol. In freenas 10, I think they're going to hide this so people can't change it for the jail, which is a freaking operating system!

execute bit comment, was at @omstauf, since he wanted to remove it. execute bit tells the OS that a folder's content can be listed. So for reading files you usually need it. But, for files it isn't needed unless it's for an application to be executed.
 

omstauf

Cadet
Joined
Jun 4, 2016
Messages
7
I don't think you understand what execute bit does for folders. You need that for things to be readable, if you want 775, with files being 664 that could work, you could do that with a 'chmod' on the commandline

Yeah, after pulling enough hair out trying to wrap my head around how jails work within the system, I just had a blank moment when I thought 766...

What I did find strange is despite setting the owner/groups for everything, transmission still refused to work until I added smbd to its jailed groups file.

Tell me if I'm wrong here, but Dataset (me:smbd 775), transmission user in group smbd, jail /media (me:smbd 775).. To me, that should be writable by anyone part of the smbd group which includes transmission user. Yet unless I add smbd to the jailed group file it fails.
 

Jr922

Explorer
Joined
Apr 22, 2016
Messages
58
I got everything working finally for Plex and Transmission using group write and using 770 on my media dataset.

Thanks Josh for the How to and the extra help.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Yeah, after pulling enough hair out trying to wrap my head around how jails work within the system, I just had a blank moment when I thought 766...

What I did find strange is despite setting the owner/groups for everything, transmission still refused to work until I added smbd to its jailed groups file.

Tell me if I'm wrong here, but Dataset (me:smbd 775), transmission user in group smbd, jail /media (me:smbd 775).. To me, that should be writable by anyone part of the smbd group which includes transmission user. Yet unless I add smbd to the jailed group file it fails.
what do you mean, add smbd to the jails group file?
if you mean, adding the smbd group in the jail, yes this should be required, otherwise transmission would !NOT! be able to be in that group. processes running in the jail only know of groups that exist in their jail, so users in the jail can only belong to those groups
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
"would *not* be able to be in that group" presumably!
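
The rule this thread arrives at (Solution 3 and the last replies: a jail process gets group access only through GIDs present in the jail's own /etc/group) can be checked mechanically. The sh sketch below is an added example, not code from any post: the function names, the sample passwd/group files, owner UID 1000 and transmission's primary GID 921 are constructed, and it looks at plain mode bits only (no ACLs); UID 921, GID 1001 and the `smbd:*:1001:transmission` line are taken from the thread.

```sh
#!/bin/sh
# Added example: decide from a jail's OWN passwd/group files whether a
# plugin user may create files in a directory with a given numeric
# owner UID, group GID and octal mode. All sample data is constructed.

# write_sample_db DIR: constructed jail databases, before and after the fix.
write_sample_db() {
    cat > "$1/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
transmission:*:921:921:Transmission Daemon User:/nonexistent:/usr/sbin/nologin
EOF
    cat > "$1/group.before" <<'EOF'
wheel:*:0:root
transmission:*:921:
EOF
    # Same file plus the group line quoted in the thread.
    { cat "$1/group.before"; echo 'smbd:*:1001:transmission'; } > "$1/group.after"
}

# access_class PASSWD GROUP USER OWNER_UID OWNER_GID
# Prints owner, group or other: the permission class that applies to USER.
access_class() {
    passwd=$1 group=$2 user=$3 owner_uid=$4 owner_gid=$5
    uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$passwd")
    pgid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd")
    if [ -z "$uid" ]; then echo unknown-user; return 1; fi
    # The owner class wins outright, then the primary group, then
    # supplementary membership listed in the jail's group file.
    if [ "$uid" = "$owner_uid" ]; then echo owner; return 0; fi
    if [ "$pgid" = "$owner_gid" ]; then echo group; return 0; fi
    if awk -F: -v u="$user" -v g="$owner_gid" '
        $3 == g { n = split($4, m, ",")
                  for (i = 1; i <= n; i++) if (m[i] == u) hit = 1 }
        END { exit !hit }' "$group"; then
        echo group; return 0
    fi
    echo other
}

# can_create_files PASSWD GROUP USER OWNER_UID OWNER_GID MODE
# True when the applicable class has both write (2) and search/execute (1),
# which is what creating a file inside a directory requires.
can_create_files() {
    class=$(access_class "$1" "$2" "$3" "$4" "$5") || return 1
    mode=$6
    mode=${mode#"${mode%???}"}          # keep the last three octal digits
    case $class in
        owner) digit=${mode%??} ;;
        group) digit=${mode#?}; digit=${digit%?} ;;
        *)     digit=${mode#??} ;;
    esac
    [ $(( digit & 3 )) -eq 3 ]
}

demo() {
    db=$(mktemp -d)
    write_sample_db "$db"
    # Directory as seen inside the jail: owner UID 1000, group GID 1001.
    for row in "group.before 775" "group.after 775" "group.after 766"; do
        set -- $row
        if can_create_files "$db/passwd" "$db/$1" transmission 1000 1001 "$2"; then
            verdict=writable
        else
            verdict=denied
        fi
        class=$(access_class "$db/passwd" "$db/$1" transmission 1000 1001)
        echo "$1 mode $2: class=$class -> $verdict"
    done
    rm -rf "$db"
}
demo
```

Against a real jail, pass the jail's own /etc/passwd and /etc/group and the numeric values shown by `ls -ldn` for the mounted directory.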
 