Ruined Permissions to Jail - Applied Permissions Recursively - Can no longer launch Jail Shell

wc49358 (Cadet; joined Feb 17, 2021; messages: 3)

[Attached image: Load Jail Shell.jpg]

Had some issues with a user permission on a folder on root. I'm very new to this and applied permissions recursively without thinking of the consequences.
Now I can no longer start the jail shell (this is a Nextcloud jail) through TrueNAS. I can still access the SMB shares and all files with the user, but TrueNAS (I'm assuming root) can no longer log in?

I'm not sure if I have the correct verbiage for a search, as I'm seeing issues with people adjusting plugins and matching IDs from TrueNAS to the internal jail users, but I can't even get into the shell.

To get things up and running, I created another jail (Nextcloud) to do what I need to do, but the settings and some information on the broken-permission jail would be ideal to have.

I did some comparison of the broken jail and the working jail to see if I can fix the error and possibly get nextcloudweb jail up and running again.
[Attached image: Jail Owner permission comparison.jpg]

I have limited knowledge of FreeBSD / Linux, so I have been searching for commands to help me understand. Looking at the jails, I saw that they were different, so I searched around and found this command to change permissions:
setfacl -m owner@:rwxpaARWcCos:allow /mnt/....

setfacl -m group@:rxaRcs:allow /mnt/.....

setfacl -m everyone@:rxaRcs:allow /mnt/....

I did the adjustments to match the working jail, but that didn't seem to work after restarting the jail. (I tried enabling all permissions for owner/group/everyone.)

Looking deeper into each folder, I noticed the root folder for the working jail and broken one are very different:
[Attached image: Difference in permissions on root.jpg]

I'm not sure of a command that will change these permissions, or if there is a command to change all files within the folder directory.
Even if I do find a way, I'm not sure that would fix the issue (worth a shot though).

Also, reading through the posts, I saw a lot about making sure your UID/GID match the internal jail IDs. Just to make sure, I checked the ID on TrueNAS and then used jexec (Jail#) tcsh and checked the ID in the jail.

[Attached image: IDs.jpg]

They seem to match, so I'm assuming that is not the problem.

I have no snapshot of the jail before the changes (yeah I'm new at this).

Any guidance/thoughts on how to recover from this permission change are greatly welcomed. I have limited knowledge (only what I find on searches), so telling me to CHROOM something without the exact reference of the correct syntax is problematic (I see tutorials on Docker/CentOS, but the commands are slightly different and I get errors).

Thank you in advance for any help.

P.S.
If it is just not salvageable, is there a way to transfer the files/configurations of the NextCloud to a new Jail?
 

SweetAndLow (Sweet'NASty; joined Nov 6, 2013; messages: 6,421)

Rebuild the jail is really the only option. Maybe you can roll back a snapshot?
 

anodos (Sambassador, iXsystems; joined Mar 6, 2014; messages: 9,553)

If there's a snapshot of the jail before permissions got borked, I wrote a small tool that can restore the ACL from snapshot without having to do a full rollback.
winacl -a restore -s path/to/dataset/.zfs/snapshot/<snapshot_name>/<relative path> -p restoration_target
Key thing is to make sure that the paths are the same. _experimental_

That said, this tool is really a thing of last resort and should be used carefully. I wrote it mostly as a way to quickly recover if an intern decides to recursively mess up permissions on a production share, you have good snapshots, and need to get back into production ASAP.
 

wc49358 (Cadet; joined Feb 17, 2021; messages: 3)

Unfortunately, there is no snapshot of that jail. Everything would have to be manually redone, or if there is a way to transfer Nextcloud configs/files to a new jail.
 

anodos (Sambassador, iXsystems; joined Mar 6, 2014; messages: 9,553)

One other option that might be worth trying, depending on unix familiarity, is to create a new jail with nextcloud, then create an mtree spec of its filesystem and apply it to your broken one. Can't guarantee it'll work. For that matter, the "winacl -a restore" command can in principle do the same (specifying the source (-s) as the new nextcloud jail and the target (-p) as the old broken one).
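
The idea in the post above (record ownership and mode from a known-good jail, then reapply them by relative path to the broken one), as an added Python example that is not part of the thread and is neither mtree nor winacl. All function names and the two constructed directory trees are assumptions for illustration; it compares only file type, mode, uid and gid (not the NFSv4 ACL entries set with setfacl), and files that exist only in the target are left untouched.

```python
import os
import stat
import tempfile

def entry(path):
    """(file type, permission bits, uid, gid) without following symlinks."""
    st = os.lstat(path)
    return (stat.S_IFMT(st.st_mode), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)

def build_spec(root):
    """Relative path -> entry for everything under root (the role of the spec)."""
    spec = {".": entry(root)}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            spec[os.path.relpath(full, root)] = entry(full)
    return spec

def diff_against_spec(spec, target):
    """List (relpath, wanted, actual) where target differs from the reference."""
    changes = []
    for rel, wanted in sorted(spec.items()):
        full = os.path.join(target, rel)
        if not os.path.lexists(full):
            continue  # exists only in the reference jail
        actual = entry(full)
        if actual[0] != wanted[0] or stat.S_ISLNK(actual[0]):
            continue  # different file type, or a symlink: leave it alone
        if actual != wanted:
            changes.append((rel, wanted, actual))
    return changes

def apply_changes(changes, target):
    """Set owner first, then mode (chown can clear setuid/setgid bits)."""
    for rel, (_, mode, uid, gid), actual in changes:
        full = os.path.join(target, rel)
        if (uid, gid) != actual[2:]:
            os.chown(full, uid, gid)  # needs root when ownership changes
        os.chmod(full, mode)

def demo():
    """Constructed trees: 'good' stands for the new jail, 'bad' for the broken one."""
    base = tempfile.mkdtemp()
    for tree, mode in (("good", 0o640), ("bad", 0o777)):
        os.makedirs(os.path.join(base, tree, "usr", "local", "etc"))
        conf = os.path.join(base, tree, "usr", "local", "etc", "app.conf")
        open(conf, "w").close()
        os.chmod(conf, mode)
    good, bad = os.path.join(base, "good"), os.path.join(base, "bad")
    changes = diff_against_spec(build_spec(good), bad)
    apply_changes(changes, bad)
    return changes, diff_against_spec(build_spec(good), bad)
```

Running `diff_against_spec` on its own gives a dry-run list to review before anything is changed.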
 