Plugin user

Status
Not open for further replies.

Halfe

Explorer
Joined
Apr 24, 2013
Messages
94
Hi.

Is there a way to force a plugin to use another UID or GID?

Especially Couchpotato and Sickbeard
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
Sure. How you'd do that is going to be a totally different question and will be based solely on how the version of your plugin works.

To be blunt, if you are using a plugin because you can't do the same thing in a jail, you're going to have difficulties figuring out how to change the UID/GID.
 

Halfe

Explorer
Joined
Apr 24, 2013
Messages
94
Reason I ask is because I have access to another server that I can edit and add files on, but with a different UID and GID.

So I have mounted NFS shares in FreeNAS that have the same UID and GID as my user on the other FreeNAS server (located at a different location over VPN). Tested RW access and it works directly on FreeNAS, so I have made a user in the jail with the same UID and GID so that it has RW access to those files.

Only problem is that I dunno how to log in to that user in the jail to test it. Also I want to make Couchpotato and Sickbeard use the same GID and UID. That user should have wheel rights too.
 

CyrilP

Dabbler
Joined
Jan 31, 2015
Messages
14
Depends on how you installed CP/SB, but basically you can do the following:

In your jail,

Create a user with adduser
Username : media
Password : <blank>
Full Name : Media
Uid : 1001
Class :
Groups : media
Home : /home/media
Home Mode :
Shell : /bin/tcsh
Locked : no
id media
Give this user the same uid as the owner of the files in your dataset.

For CP/SB here is what I do:

cd /usr/ports/news/sabnzbdplus && make config-recursive && make install clean
cd /usr/local && mkdir sabnzbd
chown -R media:media sabnzbd
echo 'sabnzbd_enable="YES"' >> /etc/rc.conf
echo 'sabnzbd_user="media"' >> /etc/rc.conf
echo 'sabnzbd_group="media"' >> /etc/rc.conf


cd /usr/local && git clone https://github.com/RuudBurger/CouchPotatoServer.git
chown -R media:media CouchPotatoServer
cp /usr/local/CouchPotatoServer/init/freebsd /usr/local/etc/rc.d/couchpotato
chmod +x /usr/local/etc/rc.d/couchpotato
echo 'couchpotato_enable="YES"' >> /etc/rc.conf
echo 'couchpotato_user="media"' >> /etc/rc.conf

And you're done.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
@CyrilP This isn't using the plugins like @Halfe was asking, but many of the steps you include are valid.

If you are using the Sickbeard or Couchpotato plugins...
Create the user in the SB/CP jail.
Code:
pw adduser -n USER -u UID -d /nonexistent -s /usr/sbin/nologin

Stop the plugin if it is started, change the ownership of the plugin's data-directory, and change the user the plugin runs as.
Code:
service PLUGIN onestop
chown -R USER:GROUP /var/db/PLUGIN
sysrc 'PLUGIN_user=USER'
service PLUGIN start
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
Is it a good idea to run a plugin as a user with login and sudo rights?
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Can you explain the context of your question? The user has login in what way, SSH, FreeNAS WebUI, CIFS? sudo right in the FreeNAS userland or the jail userland?
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
In the jail presumably. Maybe it's harmless, but it gives the application a lot of privileges. And possibly on the 'other server' mentioned that has the same user. Happy to be advised if you think it is safe within a jail.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
If the service user has sudo privileges in the jail it pretty much has free rein over the jail. Any files in there are read/writeable by the application.
This doesn't matter for the other server, it can only do as much as the protocol (in this case NFS) could allow on the other server.

I don't see it as a gigantic security hole but I don't see much of a reason to do this either.
 

Halfe

Explorer
Joined
Apr 24, 2013
Messages
94
Managed to login to JAIL with the created user and tried to edit the remote server from inside jail.

Code:
halfe@jail_1:/mnt/Media/Share/1 % mkdir 2
mkdir: 2: Permission denied


wanna try to have the same user with same password to see if that works
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Password won't matter; that only affects authentication locally.
Can you show the output of 'ls -l' for those directories? I have a feeling your issue is more on the NFS level.
 

Halfe

Explorer
Joined
Apr 24, 2013
Messages
94
Output in FreeNAS where I have RW access. This is with my own user with "su"

Code:
[halfe@FreeNAS] /mnt/MEDIA2/Downloads/Share/1/Filmer# ls -l
total 3
drwxrwxr-x  3 root  KODI  3 Feb  1 23:47 ./
drwxrwxr-x  4 root  KODI  4 Nov  7 21:26 ../
drwxr-xr-x  2 halfe  KODI  2 Feb  1 23:47 1/


Output with my own user in Jail

Code:
halfe@jail_1:/mnt/Media/Share/1/Filmer % ls -l
total 1
drwxr-xr-x  2 halfe  1009  2 Feb  1 23:47 1
halfe@jail_1:/mnt/Media/Share/1/Filmer %


It's the same output with root user in Jail
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
So your issue is you can't write to that folder? Your Filmer folder isn't other-writable, so halfe needs to be in the KODI group in whatever userland it's running in.

Apply one of the 4 solutions here https://forums.freenas.org/index.ph...plugins-write-permissions-to-your-data.27273/
 

Halfe

Explorer
Joined
Apr 24, 2013
Messages
94
having trouble with starting the plugin afterwards
Code:
root@jail_1:/ # service sickbeard onestop
sickbeard not running? (check /var/run/sickbeard/sickbeard.pid).
root@jail_1:/ # chown -R Lars:Lars /var/db/sickbeard
root@jail_1:/ # sysrc sickbeard_user=Lars
sickbeard_user:  -> Lars
root@jail_1:/ # service sickbeard start
Starting sickbeard.
PID dir: /var/run/sickbeard must be writable (write permissions). Exiting.
/usr/local/etc/rc.d/sickbeard: WARNING: failed to start sickbeard
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
I forgot some of these rely on a pidfile directory. Change the ownership of /var/run/sickbeard as well.
 

Halfe

Explorer
Joined
Apr 24, 2013
Messages
94
So I've done
Code:
Lars@jail_1:/mnt/Media/Share/1/Serier/share_folder % ls -l
total 95
drwxrwxr-x  2 root  1009  27 Apr  8  2014 Season 1
drwxrwxr-x  2 root  1009   7 Jun 17  2014 Season 11
drwxrwxr-x  2 root  1009  26 May 11  2013 Season 2
drwxrwxr-x  2 root  1009  24 May 11  2013 Season 3
drwxrwxr-x  2 root  1009  26 May 11  2013 Season 4
drwxrwxr-x  2 root  1009  21 May 11  2013 Season 5
drwxrwxr-x  2 root  1009  27 Apr  8  2014 Season 6
drwxrwxr-x  2 root  1009  25 May 11  2013 Season 7
drwxrwxr-x  2 root  1009  18 May 11  2013 Season 8
drwxrwxr-x  2 root  1009   7 May 21  2014 extrafanart
Lars@jail_1:/mnt/Media/Share/1/Serier/share_folder % mkdir test
Lars@jail_1:/mnt/Media/Share/1/Serier/share_folder % ls
Season 1        Season 3        Season 6        extrafanart
Season 11       Season 4        Season 7        test
Season 2        Season 5        Season 8


Successfully edited user in sickbeard

Code:
root@jail_1:/ # service sickbeard onestop
Stopping sickbeard.
Waiting for PIDS: 13021.
root@jail_1:/ # chown -R Lars:Lars /var/db/sickbeard/
root@jail_1:/ # chown -R Lars:Lars /var/run/sickbeard
sickbeard/                 sickbeard_fcgi_server.pid
root@jail_1:/ # chown -R Lars:Lars /var/run/sickbeard
root@jail_1:/ # sysrc 'sickbeard_user=Lars'
sickbeard_user:  -> Lars
root@jail_1:/ # service sickbeard start
Starting sickbeard.



Dunno why Sickbeard still doesn't have edit rights
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
You created the Lars user in the jail but it looks like you didn't make it UID 1009 like your FreeNAS host has.

If you read the thread I linked, I mention that user UIDs aren't necessarily the same between the host and jail.
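
Added example (not part of the thread or any poster's code): a POSIX sh check of which permission class a numeric UID and GID list falls into for a directory, which is what decides write access when host and jail keep separate user databases. The function names and the sample id 1001 are assumptions; 1009 is the group id shown in the jail listing above.

```shell
#!/bin/sh
# Added example: which permission class (owner, group, other) decides write
# access for a numeric uid/gid list. User names play no part in the check.

# writable_by MODE OWNER_UID OWNER_GID UID GID...
# MODE is the ls-style string, e.g. drwxrwxr-x. Prints owner, group, other
# (the class that grants write+search) or denied. uid 0 is not special-cased.
writable_by() {
    mode=$1; ouid=$2; ogid=$3; uid=$4
    shift 4
    class=other; pat='????????w[xt]*'
    if [ "$uid" -eq "$ouid" ]; then
        class=owner; pat='??w[xs]*'          # owner bits apply exclusively
    else
        for g in "$@"; do
            if [ "$g" -eq "$ogid" ]; then
                class=group; pat='?????w[xs]*'
                break
            fi
        done
    fi
    case $mode in
        $pat) echo "$class" ;;
        *)    echo denied ;;
    esac
}

# check_dir DIR [USER]: same check against a real directory. ls -ldn prints
# the numeric owner and group, so it works where the group has no local name.
check_dir() {
    line=$(ls -ldn -- "$1") || return 0
    read -r mode links ouid ogid rest <<EOF
$line
EOF
    if [ -n "${2:-}" ]; then
        uid=$(id -u "$2"); gids=$(id -G "$2")
    else
        uid=$(id -u); gids=$(id -G)
    fi
    echo "dir $mode $ouid:$ogid  user uid=$uid gids=$gids" >&2
    # $gids is left unquoted on purpose: one argument per group id
    writable_by "$mode" "$ouid" "$ogid" "$uid" $gids
}

# Constructed sample: a directory owned by root:1009 with mode drwxrwxr-x
writable_by drwxrwxr-x 0 1009 1001 1001        # jail-local ids only
writable_by drwxrwxr-x 0 1009 1001 1001 1009   # same user added to gid 1009
```

Inside the jail, `check_dir` with the mounted directory and the service user as arguments shows the ids being compared before the plugin's rc.conf user is changed.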
 

Halfe

Explorer
Joined
Apr 24, 2013
Messages
94
haha. nice. thanks. all i needed was the right UID :D
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
NP, permissions always gotta cause some type of issue, lol
 

Halfe

Explorer
Joined
Apr 24, 2013
Messages
94
My brother has 4 storages and has 1 group per storage. So I've tried to make 3 new groups, adding them into the first user. It looked like it worked, using
ex.
Code:
pw groupadd -n Media2 -g 1010 -M halfe

-M is adding user halfe into that group.

so far sickbeard is working on moving existing files and making folders on the rest of the storages
 