Problem with Inherit of permissions to subdirectories created by apps

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
I have a challenge to set the permission correct for my Media Dataset. The set-up is as follows:

  • I am running Radarr, Sonarr, SABnzbd as Apps in TrueNAS SCALE
  • A Media dataset is mounted under a media folder in each application, offering added space and access to the Media dataset from each application
  • The TrueNAS system is joined to a Microsoft AD, making it possible for all AD users to access the TrueNAS system
  • The apps run under the user: apps and in group: apps
  • The Media dataset is set up as an SMB share for external access for the network
  • I want the following permissions and ownerships from Media and for all sub datasets and directories. (This is easily set up by use of the ACL editor)
      • Owner: apps Group: apps (full control)
      • Everyone (Read access)
      • AD_user1 (Full control)
      • AD_group1 (FTP read)
      • AD_group2 (RD Access)
  • When Sonarr/Radarr download files they are first downloaded, then renamed and moved to a directory under Media. So specific directories are created with sub directories if needed under this. Even if the father directory (all the way up to Media) has the right permissions and the inherit is set to ON, the resulting owner of the directories and files is apps:apps with Everyone with read rights.


I AM NOT ABLE TO GET THE INHERIT TO WORK. HOW CAN I ACHIEVE THIS?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
1) Renaming a file in Unix and Windows relinks it; this doesn't cause inherited ACL info to be recalculated.
2) Depending on the application, it may also chmod files after download (or specify permissions when initially opening the file).

If the issue is (1), then unfortunately, that's how almost all OSes work.
If the issue is (2), then you can set the ZFS aclmode on the dataset to "RESTRICTED", which will cause the chmod attempt to fail with EPERM, and depending on the application it may gracefully handle the error.
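
The two cases in the reply above can be reproduced locally. This is an added example, not part of the thread and not TrueNAS code; it uses plain POSIX mode bits in a temporary directory as a stand-in for the inherited NFSv4 ACL, and the function name and file names are made up for the demo.

```python
import os
import shutil
import tempfile

def download_then_import(umask=0o022):
    """Replay the app's download -> rename -> chmod sequence in a temp tree.

    Constructed demo: POSIX mode bits stand in for the inherited ACL.
    """
    previous = os.umask(umask)
    root = tempfile.mkdtemp(prefix="inherit-demo-")
    try:
        incoming = os.path.join(root, "incoming")  # download client's work dir
        media = os.path.join(root, "media")        # stands in for the Media dataset
        os.mkdir(incoming, 0o700)
        os.mkdir(media, 0o775)

        # Case 2 from the reply: the app names the permissions when it first
        # opens the file, so nothing from the directory is consulted.
        src = os.path.join(incoming, "episode.mkv")
        fd = os.open(src, os.O_CREAT | os.O_WRONLY, 0o600)
        os.write(fd, b"constructed sample data")
        os.close(fd)
        created = os.stat(src)

        # Case 1: rename only relinks the same inode under a new name.
        moved = os.path.join(media, "episode.mkv")
        os.rename(src, moved)
        renamed = os.stat(moved)

        # A file newly created inside media is a new inode; creation-time
        # rules (umask here, ACL inheritance on the NAS) apply to it.
        copied = os.path.join(media, "episode-copy.mkv")
        with open(moved, "rb") as r, open(copied, "wb") as w:
            w.write(r.read())
        fresh = os.stat(copied)

        # Case 2 again: a chmod after import rewrites the permissions.
        os.chmod(copied, 0o640)
        chmodded = os.stat(copied)

        return {
            "same_inode_after_rename": created.st_ino == renamed.st_ino,
            "mode_after_rename": oct(renamed.st_mode & 0o777),
            "new_inode_for_copy": fresh.st_ino != renamed.st_ino,
            "mode_of_copy": oct(fresh.st_mode & 0o777),
            "mode_after_chmod": oct(chmodded.st_mode & 0o777),
        }
    finally:
        os.umask(previous)
        shutil.rmtree(root, ignore_errors=True)
```

With the dataset's aclmode set to restricted, as the reply describes, the final chmod step is the one that would fail with EPERM.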
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
> 1) Renaming a file in Unix and Windows relinks it; this doesn't cause inherited ACL info to be recalculated.
> 2) Depending on the application, it may also chmod files after download (or specify permissions when initially opening the file).

Thank you for answering. I am not sure I understand your answer. The application(s) are Radarr, Sonarr and SABnzbd. They are all installed as apps from Available Applications in TrueNAS SCALE (ACL mode is set to passthrough). I therefore assume that they are the same OS as TrueNAS SCALE. (By the way, I have a similar set-up [in jails] for TrueNAS CORE and there is no problem like this.) The files are created by the apps, not only renamed or moved, so why does the inherit not work when an app creates the file in the first place? It seems the settings for the app take precedence??? Please excuse my lack of competence on this!

> If the issue is (2), then you can set the ZFS aclmode on the dataset to "RESTRICTED", which will cause the chmod attempt to fail with EPERM, and depending on the application it may gracefully handle the error.

One of the apps has an opportunity to change permissions:
Permissions
Should chmod be run when files are imported/renamed?
If you're unsure what these settings do, do not alter them.

Set Permissions yes/no

chmod Folder
chmod group


This only works if the user running Radarr is the owner of the file. It's better to ensure the download client sets the permissions properly.
chmod Group

Group name or gid. Use gid for remote file systems.

This only works if the user running Radarr is the owner of the file. It's better to ensure the download client uses the same group as Radarr.


As I want one AD user to have full control and one AD user group to have only read permission, I cannot see how I can achieve this?

It does not seem I can add an AD user to an internal group?
It does not seem that I can use an AD user or group in the chmod command in the app, as I cannot find the user or group ID to use?

Am I missing something here?
 

onlyzuul

Cadet
Joined
Sep 19, 2022
Messages
1
> I have a challenge to set the permission correct for my Media Dataset. The set-up is as follows:
>
>   • I am running Radarr, Sonarr, SABnzbd as Apps in TrueNAS SCALE
>   • A Media dataset is mounted under a media folder in each application, offering added space and access to the Media dataset from each application
>   • The TrueNAS system is joined to a Microsoft AD, making it possible for all AD users to access the TrueNAS system
>   • The apps run under the user: apps and in group: apps
>   • The Media dataset is set up as an SMB share for external access for the network
>   • I want the following permissions and ownerships from Media and for all sub datasets and directories. (This is easily set up by use of the ACL editor)
>       • Owner: apps Group: apps (full control)
>       • Everyone (Read access)
>       • AD_user1 (Full control)
>       • AD_group1 (FTP read)
>       • AD_group2 (RD Access)
>   • When Sonarr/Radarr download files they are first downloaded, then renamed and moved to a directory under Media. So specific directories are created with sub directories if needed under this. Even if the father directory (all the way up to Media) has the right permissions and the inherit is set to ON, the resulting owner of the directories and files is apps:apps with Everyone with read rights.
>
> I AM NOT ABLE TO GET THE INHERIT TO WORK. HOW CAN I ACHIEVE THIS?

I had the same issue. Just started using TrueNAS SCALE.
I created a pool and then a couple datasets. All data created by the apps would not have any of the permissions from the parent folders. Only apps, apps, and everyone.
No matter how many times I stripped and reset the ACL, it didn't fix it.
The only way that fixed it was to delete the SMB shares, delete the datasets, and recreate them, making sure that I set the new dataset as NFSv4 ACL type with Restricted ACL mode during creation.
After doing that, setting the permissions, and creating the SMB shares, it would appear it's working as I would like it to.

I wonder if in the beginning, changing the ACL Mode and Type after dataset creation caused something to go out of sync with TrueNAS and it wasn't applying the changes correctly?
 

void_one

Dabbler
Joined
Sep 3, 2022
Messages
10
> Thank you for answering. I am not sure I understand your answer. The application(s) are Radarr, Sonarr and SABnzbd. They are all installed as apps from Available Applications in TrueNAS SCALE (ACL mode is set to passthrough). I therefore assume that they are the same OS as TrueNAS SCALE. (By the way, I have a similar set-up [in jails] for TrueNAS CORE and there is no problem like this.) The files are created by the apps, not only renamed or moved, so why does the inherit not work when an app creates the file in the first place? It seems the settings for the app take precedence??? Please excuse my lack of competence on this!
>
> One of the apps has an opportunity to change permissions:
> Permissions
> Should chmod be run when files are imported/renamed?
> If you're unsure what these settings do, do not alter them.
>
> Set Permissions yes/no
>
> chmod Folder
> chmod group
>
> This only works if the user running Radarr is the owner of the file. It's better to ensure the download client sets the permissions properly.
> chmod Group
>
> Group name or gid. Use gid for remote file systems.
>
> This only works if the user running Radarr is the owner of the file. It's better to ensure the download client uses the same group as Radarr.
>
> As I want one AD user to have full control and one AD user group to have only read permission, I cannot see how I can achieve this?
>
> It does not seem I can add an AD user to an internal group?
> It does not seem that I can use an AD user or group in the chmod command in the app, as I cannot find the user or group ID to use?
>
> Am I missing something here?

Were you able to find another solution to this? One besides deleting the entire dataset?
 