SOLVED Permissions Seem to be All Messed Up

Joined
Jul 2, 2019
Messages
648
Hi Folks - I'm not sure what is going on. My FreeNAS box was running fine but a couple of days ago I was adding a new share (SMB) - add the dataset in a pool, grant group rights to that dataset, create the actual SMB share - and things started going wrong.

The first sign was that my UniFi controller jail failed. I eventually determined that the permissions on the jail were wrong. I have a thread on that one that I marked as solved: UniFi Controller in Jail - UniFi stopped and will not start. As @dlavigne noted:
Typically mucking with perms in jails ends in unhappiness :-(

Tonight, I found that my Emby jail would no longer play any movies. The Emby libraries are actually different datasets (one for movies, TV shows and music) that are SMB shares and are mounted to the Emby jail.

Two questions:
1. Does anyone have any idea what is going on? Was it something that I did? (I need to know so that I don't do it again!)
2. Is there any way to fix this on a global basis? (I fear the answer is "No!"...)
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
If your SMB share overlaps with your jails' datasets and you set permissions in the GUI when setting up the share (electing to recursively apply), that may well have nailed permissions in the jails.

You may be able to rollback snapshots (if you have them) of the jail filesystems to recover easily, otherwise, you'll need to work out what permissions are needed and then set them with chmod or something.
 
Joined
Jul 2, 2019
Messages
648
Thanks @sretalla. I did not use the recursive apply - I tried that when I was setting up a proof-of-concept with the expected results.

The way I set it up - under U6 - was set up the datasets for movies, TV shows and music; set up the SMB shares for each (along with groups, users-in-the-right-groups, etc.); and then set up the Emby jails (I have two - one for each VLAN that use Emby; one for trusted wired and one for trusted wireless) mounting movies, TV shows and music on (in?) each Emby jail.

Things were working fine.

Here are the host FreeNAS directories (movies and TV shows are under Movies; they are separately mounted in the jails):
Code:
drwxrwx---+   7 root     wheel        10 Oct 26 07:31 Movies
drwxrwx---+  39 root     wheel        42 Oct 13 20:16 Music


Within the jails it looks like:
Code:
drwxrwx---+  4 root  wheel   182 Dec 10 06:37 Movies
drwxrwx---+ 39 root  wheel    42 Oct 13 20:16 Music
drwxrwx---+ 11 root  wheel    16 Dec  9 21:09 TVShows


Before I start mucking with the permissions, I have some questions. I don't want to upgefuct this any more than it is.
  1. I would think that the other group should have at least read (r) access. Is this correct?
  2. I assume that it would be best to make the changes through the GUI rather than the command line. Correct?
  3. Further to question 2, is this a case where I should use recursive?
The only other thing that slipped my mind is that I upgraded from U6 to U7 a couple of weeks ago. I've been so busy (Christmas, work and all) that the first time I had a chance to watch a movie was a couple of days ago...

All suggestions welcomed and appreciated!

Cheers!
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I would think that the other group should have at least read (r) access. Is this correct?
If you need anything other than root and members of the group wheel to get read access, but don't want anything else to own the files, yes.

What user (and UID) is your jail running as?

If you're running a downloader, you may need to think about write access too.

I assume that it would be best to make the changes through the GUI rather than the command line. Correct?
Not necessarily. Permissions in the GUI do the same thing as at CLI and don't provide any further advantages. Permissions can be overridden by CLI in any case and there's always the "apply default permissions" headache if you forget to un-tick that.

Further to question 2, is this a case where I should use recursive?
Assuming you probably want the same permissions on all Movies and TV, the Movies directory is a good starting place (chmod -R 775 ./Movies)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
If Movies and TV are SMB shares, then rather than chmod 775, you should probably do the following:
Code:
setfacl -m everyone@:rxaRc:fd:allow /mnt/tank/Movies
winacl -a clone -rv -p /mnt/tank/Movies


Setfacl is actually quite versatile. Suppose you want to grant the group "smbusers" and the plex user read/write access to Movies. You can do the following:
Code:
setfacl -m g:smbusers:modify_set:fd:allow,u:972:modify_set:fd:allow /mnt/tank/Movies
winacl -a clone -rv -p /mnt/tank/Movies
 
Joined
Jul 2, 2019
Messages
648
Okay - that makes sense. I tried chmod -R 775 ./Movies which balked with chmod: ./Movies: Operation not permitted. I suspect that is due to the SMB share.

I tried @anodos' suggestion with setfacl/winacl. I changed the "smbusers" to "Media", the group that users should belong to to allow the uploading of movies. (My path is /mnt/Pool_1/Movies). There were no errors.

However, when VLC tries to access the movies, VLC cannot open the movie with the error:
Code:
Your input can't be opened:
VLC is unable to open the MRL 'http://192.168.30.252:8096/videos/16/stream.mp4?DeviceId=e842ddfcebcb7dc0ed5e439a00258820&MediaSourceId=b46ebb68deec2268d310614640fa5215&Static=true&PlaySessionId=10d0ae2e1045ccfc6e5778645b3b47f1'. Check the log for details.


Any more suggestions?
 
Joined
Jul 2, 2019
Messages
648
Hi @anodos -

The exact commands run:
Code:
setfacl -m g:Media:modify_set:fd:allow,u:972:modify_set:fd:allow /mnt/Pool_1/Movies
winacl -a clone -rv -p /mnt/Pool_1/Movies


Here are the outputs:
Code:
getfacl /mnt/Pool_1
# file: /mnt/Pool_1
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:--------------:fd-----:allow


Code:
getfacl /mnt/Pool_1/Movies
# file: /mnt/Pool_1/Movies
# owner: root
# group: wheel
       group:Media:rwxpDdaARWc--s:fd-----:allow
          user:972:rwxpDdaARWc--s:fd-----:allow
            owner@:rwxpDdaARWcCos:fd----I:allow
            group@:rwxpDdaARWcCos:fd----I:allow
         everyone@:--------------:fd----I:allow


The OS permissions are:
Code:
drwxrwx---+   7 root     wheel        10 Oct 26 07:31 Movies


If I try chmod -R 775 ./Movies it fails with:
chmod: ./Movies: Operation not permitted
 
Joined
Jul 2, 2019
Messages
648
The permissions on the jails are:
Code:
drwxr-xr-x   4 root  wheel   7 Dec 27 09:37 emby
drwxr-xr-x   4 root  wheel   7 Dec 27 09:37 emby_2


Can I assume that the jails run under the UID/GID?
 
Joined
Jul 2, 2019
Messages
648
Run the following commands:
Code:
setfacl -b /mnt/Pool_1
chmod 775 /mnt/Pool_1

Command run. No errors on the command line.

VLC to Emby still reporting that it cannot open the input file.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Command run. No errors on the command line.

VLC to Emby still reporting that it cannot open the input file.
You'll need to perform more basic tests. First check access for your user to share over SMB. Check status of Emby plugin. Is it running (you should see it in output of iocage list). If the plugin appears to be working correctly, then you'll need to probably add an ACL granting access to the emby user. I think it's probably 989, but you should verify. Assuming it's 989, then you can add an ACL for that user:
Code:
setfacl -m u:989:modify_set:fd:allow /mnt/Pool_1/Movies
winacl -a clone -rv -p /mnt/Pool_1/Movies


You can use iocage exec to find the id of the emby users. Here's an example from one of my build jails:
Code:
fn12# iocage exec S411_12-dev "id smbuser"
uid=1002(smbuser) gid=1002(smbuser) groups=1002(smbuser)
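
Why uid 989 was locked out, as an added example that is not part of the original thread: a simplified first-match walk over the `getfacl` output posted earlier, checking only the read_data (`r`) bit. The function names and the post-fix ACL are constructed for illustration, and the position of the new `user:989` entry is an assumption; the real NFSv4 evaluation also accumulates permissions across several entries.

```shell
# Simplified NFSv4 ACL walk: entries are read top to bottom and the first one
# that matches the principal and mentions read_data ('r') decides the result.
# usage: acl_can_read USER_IDS GROUP_IDS < getfacl-output   (comma-separated)
acl_can_read() {
    awk -v users="$1" -v groups="$2" '
    function has(list, item,    n, i, a) {
        n = split(list, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == item) return 1
        return 0
    }
    /^# owner:/ { owner = $3; next }
    /^# group:/ { fgroup = $3; next }
    /^#/ || NF == 0 { next }
    {
        gsub(/[ \t]/, "")
        n = split($0, f, ":")
        if (n < 4) next                       # not an ACL entry
        perms = f[n - 2]; verdict = f[n]
        if (f[1] == "user")           hit = has(users, f[2])
        else if (f[1] == "group")     hit = has(groups, f[2])
        else if (f[1] == "owner@")    hit = has(users, owner)
        else if (f[1] == "group@")    hit = has(groups, fgroup)
        else                          hit = (f[1] == "everyone@")
        if (!hit || index(perms, "r") == 0) next
        print (verdict == "allow" ? "allowed" : "denied"); decided = 1; exit
    }
    END { if (!decided) print "denied" }'
}

# ACL of /mnt/Pool_1/Movies as posted earlier in the thread.
movies_acl() {
    cat <<'EOF'
# file: /mnt/Pool_1/Movies
# owner: root
# group: wheel
       group:Media:rwxpDdaARWc--s:fd-----:allow
          user:972:rwxpDdaARWc--s:fd-----:allow
            owner@:rwxpDdaARWcCos:fd----I:allow
            group@:rwxpDdaARWcCos:fd----I:allow
         everyone@:--------------:fd----I:allow
EOF
}
# Constructed: the same ACL with the u:989 entry that setfacl -m would add.
movies_acl_fixed() {
    movies_acl | awk '{ print } /^# group:/ { print "user:989:rwxpDdaARWc--s:fd-----:allow" }'
}

movies_acl       | acl_can_read 989 989   # emby (uid/gid 989) before: denied
movies_acl_fixed | acl_can_read 989 989   # after adding u:989: allowed
```

With the posted ACL, uid 989 is neither the owner, a member of wheel or Media, nor user 972, so it falls through to the empty `everyone@` entry.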
 
Joined
Jul 2, 2019
Messages
648
You'll need to perform more basic tests. First check access for your user to share over SMB. Check status of Emby plugin. Is it running (you should see it in output of iocage list). If the plugin appears to be working correctly, then you'll need to probably add an ACL granting access to the emby user. I think it's probably 989, but you should verify. Assuming it's 989, then you can add an ACL for that user:
Code:
setfacl -m u:989:modify_set:fd:allow /mnt/Pool_1/Movies
winacl -a clone -rv -p /mnt/Pool_1/Movies


You can use iocage exec to find the id of the emby users. Here's an example from one of my build jails:
Code:
fn12# iocage exec S411_12-dev "id smbuser"
uid=1002(smbuser) gid=1002(smbuser) groups=1002(smbuser)

Code:
iocage list
+-----+------------------+-------+--------------+----------------+
| JID |       NAME       | STATE |   RELEASE    |      IP4       |
+=====+==================+=======+==============+================+
| 7   | UniFi Controller | up    | 11.2-RELEASE | 192.168.20.172 |
+-----+------------------+-------+--------------+----------------+
| 14  | emby             | up    | 11.2-RELEASE | 192.168.30.252 |
+-----+------------------+-------+--------------+----------------+
| 13  | emby_2           | up    | 11.2-RELEASE | 192.168.25.252 |
+-----+------------------+-------+--------------+----------------+


It appears that Emby is running as root:
Code:
iocage exec emby "id root"
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

iocage exec emby_2 "id root"
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)


When I look at the jail's config (cat /mnt/Pool_1/iocage/jails/emby/config.json), I find: "exec_jail_user": "root"

Should I run the setfacl with u:0?
 
Joined
Jul 2, 2019
Messages
648
BTW, the "Unifi Controller" jail is working fine...
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Code:
iocage list
+-----+------------------+-------+--------------+----------------+
| JID |       NAME       | STATE |   RELEASE    |      IP4       |
+=====+==================+=======+==============+================+
| 7   | UniFi Controller | up    | 11.2-RELEASE | 192.168.20.172 |
+-----+------------------+-------+--------------+----------------+
| 14  | emby             | up    | 11.2-RELEASE | 192.168.30.252 |
+-----+------------------+-------+--------------+----------------+
| 13  | emby_2           | up    | 11.2-RELEASE | 192.168.25.252 |
+-----+------------------+-------+--------------+----------------+


It appears that Emby is running as root:
Code:
iocage exec emby "id root"
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

iocage exec emby_2 "id root"
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)


When I look at the jail's config (cat /mnt/Pool_1/iocage/jails/emby/config.json), I find: "exec_jail_user": "root"

Should I run the setfacl with u:0?
No. Emby is probably not running as root. The correct way to do this would be to
Code:
iocage exec emby "id emby"

Assuming that the user for emby is "emby".
 
Joined
Jul 2, 2019
Messages
648
Thanks! Maybe I'm not too old of a dog to learn some new tricks :)

Code:
iocage exec emby "id emby"
uid=989(emby) gid=989(emby) groups=989(emby)

I ran both
Code:
setfacl -m u:989:modify_set:fd:allow /mnt/Pool_1/Movies
winacl -a clone -rv -p /mnt/Pool_1/Movies

There were no errors.

AND IT WORKED! :) (But not for Music... I think that I can figure that one out Figured out)

A big THANK YOU @anodos. Happy New Year to you and yours!
 