Permissions - explain them to me like I'm 5

[nimuie]

Hi Folks,

I recently got myself a new server running TrueNAS Scale and started working on migrating my stuff over from Synology.
Nothing really worked out of the box be it for old guides or me having no clue what I am doing but for better or worse I have a zpool created, and it has some datasets inside.
Now I noticed some weird behavior (probably intended) and I'd like to understand how I can fix permissions on all my files.

Breakdown of the situation:
I noticed that while being able to connect via SMB to a dataset using "user1" and being allowed to create edit move delete folders/files I can't access anything that that "user1" has not created like folders created by root or files downloaded by qbittorrent (user: apps).

Now I am not exactly sure what the logic behind linux ACLs is, but all I want to do is create a user that has access to everything. and I mean everything.
My original plan was to simply use root for everything - it seemed to make my life easier but then I saw many saying that for some reason using root is a big nono. I don't really get that but I think it's a moot point given that I can't seem to be able to login via SMB using root.

Here's what I tried:
adding "apps" and "root" groups to "user1" as auxiliary groups
making "user1" the owner of the entire dataset
giving "user1" read write execute rights to the dataset
giving "user1_group" read write execute rights to the dataset
making "user1_group" the owner of the dataset (didn't work and broke qbittorrent, fun times)
making all the above changes and ticking the "apply recursively" box
deleting the share and starting fresh

I should probably note that simply giving "user1" rwe permissions didn't even let me save. I dug around and apparently for some reason I first need to add a "mask", give it the permissions my "user1" needs and then configure "user1"...

long story short, I have no clue how all of this works and I am out of ideas

If one of you has the patience to guide me through this I'd really appreciate it

 

[NASbox]

It's really hard to guide you with the amount of information available, but I can offer a couple of suggestions:
1. Do NOT use root - especially if you don't know what you are doing - even an experienced user can trash a system with a typo!
2. You should be able to create a single user (user1), with group (user1), and recursively change the permissions to RWX on all directories and RW on all files on the datasets in your data pool.

Your qbittorrent, and other plugins will all be running with their own user/group id. Whatever pool they are using for their data should be owned by that user/group with RW(X for directories only) permissions. You then make user1 a member of that group so that it can read/write the files in those directories. It's dangerous to make files (especially torrent files) executable as it is possible that a bad actor could upload / execute something bad if they find a vulnerability in your setup.

Hope that's of some help.

 

[nimuie]

Thanks for getting back to me.
I deleted everything and started from scratch testing after each change. Essentially I didn't do much different from my first try but this time around I made it work. I added user1 to the root and apps group to make sure it has access to files create by root / apps. I don't plan to use root to create files anymore so that should also be solved.

There is something I don't yet understand. Giving or removing RWE permissions is easy on a dataset (I can do that via the UI) but I don't understand how I could restrict Execute for example on file level. Can that be done in the UI?

 

[anodos]

Thanks for getting back to me.
I deleted everything and started from scratch testing after each change. Essentially I didn't do much different from my first try but this time around I made it work. I added user1 to the root and apps group to make sure it has access to files create by root / apps. I don't plan to use root to create files anymore so that should also be solved.

There is something I don't yet understand. Giving or removing RWE permissions is easy on a dataset (I can do that via the UI) but I don't understand how I could restrict Execute for example on file level. Can that be done in the UI?

If you're using NFSv4 ACLs, there is an advanced inherit option to choose to only have the ACL entry inherit on directories. Each entry in the ACL has its own inheritance behavior.

 

[anodos]

That said, if the dataset should be non-executable application data, then you could probably just set the ZFS dataset to be noexec. This prevents execution in case of permissions misconfiguration and is generally preferable way to control these things.

 

[nimuie]

Hey! thanks for the explanation. Was busy with work and this kinda took the back seat for a while.

Now, I can't claim that I really understand how ACLs work - far from it - but for better or worse at least my default user1 can use the storage on the server. not sure exactly what I did but between adding user1 to the ACL and adding user 1 to root and apps groups something made it work.

Now, looking around I found a weird thing again that I really don't understand - maybe you have an idea.

I've been playing around with VMs - WIn10 11, linux in a few flavours and it started bugging me that all .iso filed were all over the smb share. I created a folder, moved them there and thought nothing of it. Now, when trying to add another VM I tell it where the .iso is (location: zpool/dataset/user_created_folder) and it tells me that libvirt-qemu doesn't ahve access to that. all work obviously if I leave the .iso 1 level above.
I went to settings and added libvirt-qemu again, marked the "Apply permissions recursively" checkbox but that didn't solve a thing.

Ahh and I use POSIX ACLs not NFSv4. no reason for this really was just the default. have nothing against changing tbh if NFSv4 is easier to use or better