I noticed something interesting - I installed SYNCTHING under APPS menu, the pod is successfully created and run. The wizard asks for syncthing user id, which I changed to a number that corresponds to user id of user syncthing which I created as truenas user. The wizard also asks for mount points. I mounted a (host) /pool/dataset to a (pod) /var/syncthing/dataset. The dataset has several ACLs defined. Root is owner of everything, various users have various levels of access. Syncthing has read access. I then launched pod's bash through TrueNAS UI and noticed I can create/modify/delete stuff in mounted path. Through whoami I found the shell runs as root and it occurred to me that because root in pod has uid of 0 (same as root in truenas), it probably operates under identical rights - hence in bash I can modify/delete data in mount points that I only intended to be read-only.
In TrueNAS Core, I can set mount points as read-only. In TrueNAS SCALE, I can't.
So 1) am I correct that this is quite risky to have pod having write/modify access to all of the data and 2) how do I go about to isolate the pod to really only have read-only access?
In TrueNAS Core, I can set mount points as read-only. In TrueNAS SCALE, I can't.
So 1) am I correct that this is quite risky to have pod having write/modify access to all of the data and 2) how do I go about to isolate the pod to really only have read-only access?