markhsa

Everything posted by markhsa

  1. Hello all, I am hoping someone can help me here. I submitted two tickets for getting my paid key updated as my Unraid USB drive died. I read that 24-72 hours is typical for a response, but this has been a week now. Are there issues with support? Delays? This system is down until this is fixed and I really don't think it's right to buy a new key when I have paid once already. Thanks all. Hopefully someone can shed some light here. The automated "move key" functionality is giving me a 404 error.
  2. I have an issue with a VM in Unraid I have set up as a server and it's a bit critical that it is up and running in a very powerful server. (Java app with database that VM server can't handle due to system specs.) So I need to make the VM into a physical running machine. VM -> actual disk to boot from. It's a work machine, and it's critical. So help really appreciated. (I posted in General as well, I hope that's ok as this is urgent. Sorry if it's not ok.) So how can I move a VM to physical hardware in the easiest way? I have the disk device as a raw disk on NVME (Linux machine):

         /dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_1TB_S59ANG0MA14014A-part4

     I have shut down the VM, taken a dd to image of that partition, and now need to take that to physical. Can I mount that Virtio into a mount point and copy files off perhaps? Or is there a smarter way to do this? How to take a virtio image to physical disk? Many thanks!!!!
  3. I have an issue with a VM in Unraid I have set up as a server and it's a bit critical that it is up and running in a very powerful server. So how can I move a VM to physical hardware in the easiest way? I have the disk device as a raw disk on NVME (Linux machine):

         /dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_1TB_S59ANG0MA14014A-part4

     I have shut down the VM, taken a dd to image of that partition, and now need to take that to physical. Can I mount that Virtio into a mount point and copy files off perhaps? Or is there a smarter way to do this? How to take a virtio image to physical disk? Thanks all. This is for a work project so it's really critical. Many thanks!!!!
  4. Hello, I have a running VM on a raw device (nvme) working perfectly. Now, I have enabled iptables on the OS on it (Ubuntu 19.10) and enabled port 443, but forgot to add any other ports! So now I am fully locked out of the running machine. VNC is also not responding from the icon in VMS on the Unraid GUI. Any ideas on how to fix this? I thought maybe shut the machine down, manually mount the drive, then disable iptables or add a rule to the actual config file? But I can't mount it either....

         Device Start End Sectors Size Type
         /dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_1TB_S59ANG0MA14014A-part1-part1 2048 1050623 1048576 512M EFI System
         /dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_1TB_S59ANG0MA14014A-part1-part2 1050624 209713151 208662528 99.5G Linux filesystem

         root@Tower:~# fsck -N /dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_1TB_S59ANG0MA14014A-part1
         fsck from util-linux 2.34
         [/sbin/fsck.ext2 (1) -- /dev/nvme1n1p1] fsck.ext2 /dev/nvme1n1p1

     Manual mount:

         root@Tower:~# mount /dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_1TB_S59ANG0MA14014A-part1 /mnt/stub/
         mount: /mnt/stub: wrong fs type, bad option, bad superblock on /dev/nvme1n1p1, missing codepage or helper program, or other error.

     Ideas??? Here is a link to a pic on how I add the raw disk. I assume "Manual" and "VirtIO" are the best options on this by the way? [Screen capture of VM config from Unraid GUI]
  5. Thanks for that. I will look at a bit external drive via USB. Can you elaborate on emu-img and virsh and what that means for snapshots?
  6. Hello all, I am looking for a full backup solution (hopefully a plugin, but I can't find one in the list). I have a 6TB backup USB drive and want an automated backup scheduled. I would like to back up the entire UNRAID machine as much as I can. VM's (now what I would love on this is SNAPSHOT ability for running VM's. That would be amazing!!). Does that exist? Is there a plugin to do this? Or what is a better way? Thanks all for the help on this one. My Unraid server is becoming more and more used and important to me, so it's pretty important to back up and re-back up my stuff.
  7. Thanks for the followup. A few things on this. 1) It's unfortunate that you can't use an Unraid server as a Linux terminal host as well. 2) A VM suffers from this security issue as well, i.e. root on Unraid can see all VM file data.

     Results from /mnt/disk* (rather than /mnt/user): the behavior is as expected (correct) in the /mnt/disk* location. The cat command on a file that a user does not have permission to is NOT allowed. Permission denied. This is because the mount options are different:

         mark@Tuna:/mnt$ mount |grep disk1
         /dev/md1 on /mnt/disk1 type xfs (rw,noatime,nodiratime)
         mark@Tuna:/mnt$ mount |grep user
         shfs on /mnt/user0 type fuse.shfs (rw,nosuid,nodev,noatime,allow_other)
         shfs on /mnt/user type fuse.shfs (rw,nosuid,nodev,noatime,allow_other)

     The fuse.shfs is the one that has the security issue. My question would be: as /mnt/user is the aggregated listing of all /mnt/disk*, why is the security different? It seems that /mnt/user is a virtual user space file system. That's OK, however, VM's and docker etc. are advised to use the /mnt/user directory, correct? This direction is likely a problem due to this. Any thoughts on this are welcome so that I can understand how to use this better and what the purpose of the /mnt/user virtual FS is. Thanks, Mark
  8. Hello, I am hoping there is a way to get around this issue with open permissions. This appears to be the default on UnRaid. Please see this post. I would view this as a very large security hole. This may not be an issue for the average user, but it should be stated for any user that expects security for files on UnRaid. If I am incorrect on anything, please let me know. I have tested and reproduced this behavior on UnRaid stable. Thanks, Mark
  9. I am going to summarize my own post and I have found the issue. Please correct me where I am wrong here.

     SUMMARY: I would consider this a huge security issue in UnRaid. Do not put any confidential or secure files on UnRaid if you are in the audience below (or if you are security aware, in my opinion).

     AUDIENCE:
       - Anyone running a VM (Linux, Windows etc.)
       - Anyone with a docker
       - Anyone that has access to the UnRaid webgui and the terminal option (everyone)
       - Anyone that has a local user created on the UnRaid server

     ISSUE: If you have dockers or VM's created, OR have any potential local access to your UNRaid server (terminal from the unraid GUI for instance), then all files in the /mnt/user (default) directory have open permissions. Anyone can read/write/delete. For me, this would prevent me from putting any secure/confidential files on an unraid directory. It's true, I also have a local user created on my UNRaid server. I am an old Unix/Linux guy, so I assumed that UnRaid is a secure server for login. This NON-PRIVILEGED local user has access to all UnRaid directory files. Very dangerous in my humble opinion. So, for local users, and dockers, and VM's (Plex for instance) created on UnRaid, your files are wide open for all users to read/write/delete. Yes, you can specify that Plex be read-only, but I bet most users are not aware of this need. VM's (Linux, Windows etc.) would have to be considered open and insecure as ANY of the VM files are free to read by anyone with an UnRaid console, or any user that can log in to the UnRaid server.

     CAUSE: The UnRaid mount is done with an option called allow_other. This negates security completely on the main /mnt/user mount. If you execute this on the command line:

         mount |grep /mnt/user

     you will see this below.

         shfs on /mnt/user0 type fuse.shfs (rw,nosuid,nodev,noatime,allow_other)
         shfs on /mnt/user type fuse.shfs (rw,nosuid,nodev,noatime,allow_other)

     I am not aware of an option in UnRaid to change this behavior. If someone here is aware of this option to change this default behavior, please let me know.
  10. So I suspect this is the problem. I wonder if you all have this mount option on /mnt/user as well? I will test this, but I think this is the mount option that is allowing this and causing this security problem:

         root@Tuna:/mnt/user# mount |grep /mnt/user
         shfs on /mnt/user type fuse.shfs (rw,nosuid,nodev,noatime,allow_other)

     allow_other is a mount option on this that opens up the security to all. Very dangerous. From a google:

         allow_other
         This option overrides the security measure restricting file access to the user mounting the filesystem. So all users (including root) can access the files. This option is by default only allowed to root, but this restriction can be removed with a configuration option described in the previous section.

     Any thoughts on why UnRaid would use such a gaping security hole?
  11. I can't see how permissions could be ignored in any *nix OS. But that is what is happening. The problem comes when you have dockers, or VM's that use this file system. That means that you can't control read/write reliably or have any security there. I can't believe that Unraid could have this type of security flaw. Something else must be wrong?
  12. I have done this. Results below. It is a valid user. It really looks like permissions are being ignored on this unraid mount.

         mark@Tuna:/$ id
         uid=1002(mark) gid=1002(mark) groups=1002(mark),7(lp),11(floppy),17(audio),18(video),19(cdrom),93(scanner)
         mark@Tuna:/$
  13. In what possible scenario could you cat a file, with no permissions, in the above example and be allowed with ANY directory permissions? If you know something I don't on permissions, I am open to learn. So please let me know.
  14. Here is another example of how this is broken. Full output below. 1) root creates a file called outputfile with content in it. 2) root chmods the file 400 (no one can read this file other than root). 3) user "mark" cats the file, it can be read. Permissions on Unraid share are being ignored.

         root@Tuna:~# cd /mnt/user
         root@Tuna:/mnt/user# echo "test file content" > outputfile
         root@Tuna:/mnt/user# cat outputfile
         test file content
         root@Tuna:/mnt/user# chmod 400 outputfile
         root@Tuna:/mnt/user# ls -al outputfile
         -r-------- 1 root root 18 Dec 23 10:53 outputfile
         root@Tuna:/mnt/user# su - mark
         No directory, logging in with HOME=/
         mark@Tuna:/$ cd /mnt/user
         mark@Tuna:/mnt/user$ ls -al outputfile
         -r-------- 1 root root 18 Dec 23 10:53 outputfile
         mark@Tuna:/mnt/user$ cat outputfile
         test file content
         mark@Tuna:/mnt/user$
  15. OK, so there is an issue. How can a file:
       - that is owned by root:root
       - with permissions 444 (rrr)
     be deleted by a non root user? "mark" in this case. The example is in the first post in this issue. No matter where the file exists, no matter what the directory permissions are, this should not be possible in *nix. Let me know if this is incorrect. This is what is happening on an MD device created by UnRaid. This is the problem I am seeing.
  16. OK, so can you answer this please? Is there any user file security for local files or for local files that are used by dockers? Dockers don't use the network controlled access you mention. I understand that SMB is an access method that is used when network share access is used, but with VM's, Dockers, and just general physical access to a server in play, is there really no security? If this is the case, I hope anyone that has anything on their FS knows this. Very dangerous. Please let me know. If this is the case, I need to remove any security conscious files ASAP and I suspect others would too. I use Unraid for quite a bit of data, so I really need a thorough answer here please. If there really is no security unless network SMB/NFS etc. is used, I need to pursue this with the UnRaid DEV team. How do I do this? Again, I would be so surprised if this type of security hole really exists. Thanks for the time on this. It's an important question I feel, so please involve devs or others that may have information as well to get a complete answer.
  17. OK, so any docker image has file system access just like a local user would. As they don't use network file system security, how are docker apps secured then? It sounds like you are saying that in the Unraid file system, permissions are not controlled (only external network share access). Is this correct? I would be very surprised at this. This would mean an unbelievable security issue for any Unraid server for many reasons. Any local user or exploit would have access to all Unraid share files with no restriction. This would also mean that any docker app would have this same lack of permission control as well. Are you sure on this? The disks that make the Unraid share are XFS, with BTRFS on the actual shares themselves, correct? How can there not be security under that? Unraid must support security beyond what the network file share does. Or am I incorrect and Unraid really has this flaw? Thanks for the help.
  18. That still makes no sense to me. Here is what started all this. I installed Plex and Emby. So that neither could delete files even if they wanted, I set the files for them to read only. I found that the apps could still delete files though. How can I prevent this and protect files if I can't chmod 444 them? What I am asking, I guess, is does Unraid still have standard permissions control? I use this as an unraid server, however, no *nix OS can have this. How is this happening? Are unraid drives not protected as all linux devices/directories are? Or could I have something set up incorrectly? Thanks, Mark
  19. SEE SUMMARY HERE: Any non root user is being allowed to delete any file under /mnt/user. This is when the file permissions are 444 on that file!? /mnt/user is an array of 4 disks. Nothing fancy here. Example, in /mnt/user:

         mark@Tuna:/mnt/user$ ls -al testfile
         -r--r--r-- 1 root root 0 Dec 22 20:18 testfile

     Then....

         mark@Tuna:/mnt/user$ rm -rf testfile
         mark@Tuna:/mnt/user$ ls -al testfile
         /bin/ls: cannot access 'testfile': No such file or directory

     It's gone. As user mark, I can rm -rf this file? In /tmp Linux permissions are working as expected. How can this unraid array have this happening? Are there some special permissions in Unraid that allow ignoring of standard Linux permissions on filesystems? Very confused. Any ideas?
  20. UnRAID is taking my best video card I want for a Windows VM. MSI 990FXA Gaming board with 12 cores, and 3 PCI-e slots (16x, 4x, and 16x speed). I have a linux VM on the bottom 16x Nvidia card and that works perfectly. The GT660 card is plugged into the top 16x slot, but the unRAID console takes that, and when I try to create a VM to use that card, it errors. I see nothing in the bios to control which card to boot from, and it seems to prefer video out (default) to the first 16x slot. Is there any way to fix this? I don't want to put the best GTX660 card in a 4x slot. Ideas?
  21. In the list of disks, Parity, then down the list, I may have it in the list. Should I be removing it from that list so that it shows up as a /dev/sdx? If so, then how do I configure the VM to be able to see that disk? Getting closer to a solution I think. Let me know what you think. Thanks much
  22. Thanks. It is not part of an array. Just a disk that is free and not in use. It shows up as /dev/disk3. Under the VM, in advanced mode, under second disk, it shows up as an option, but I don't see it in the running VM after I start it. Thoughts on how I can get this done? Detailed help really appreciated! Mark
  23. Hello, a question about your Unassigned Devices Plugin. I am trying to add a disk (not in an array) to an existing Linux VM. Would this plugin allow that? Essentially, I set up a Linux VM with a 120 Gig drive. Now I need to add more space and be able to see it in Linux (fdisk etc.) as a raw disk to be formatted. I am not looking for a network share drive, NFS, or anything like that. I am looking for a direct connection from the hardware disk to the existing VM. Hopefully your plugin does that. If you could comment, that would be great. Appreciated. Mark
  24. Hello, I am in a bit of a pinch to get this working. I have a single 3TB drive waiting to be added to an existing VM (Linux VM) and cannot figure out how to do this. It shows up as disk3 (/mnt/disk3). I can put this in the advanced setting on the VM, but I can never see it in the running VM with fdisk. I must be missing something. Thoughts or assistance? Thanks
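
Added example, not part of the original posts: posts 7, 9 and 10 above identify the /mnt/user mounts by the allow_other option in mount output. This script reads mount-style lines and flags FUSE mounts that set allow_other without default_permissions, the standard FUSE option that asks the kernel to enforce file mode checks. The function names and the fourth sample line are constructed for the example; the first three sample lines are the ones quoted in the posts.

```shell
#!/bin/sh
# Added example: audit `mount` output for FUSE mounts that combine
# allow_other with no default_permissions. Without default_permissions the
# kernel leaves access checks to the FUSE filesystem itself, so mode bits
# such as 400 are only enforced if that filesystem enforces them.

# First three lines are quoted in the posts; the last one is constructed.
sample_mounts() {
    cat <<'EOF'
/dev/md1 on /mnt/disk1 type xfs (rw,noatime,nodiratime)
shfs on /mnt/user0 type fuse.shfs (rw,nosuid,nodev,noatime,allow_other)
shfs on /mnt/user type fuse.shfs (rw,nosuid,nodev,noatime,allow_other)
examplefs on /mnt/example type fuse.examplefs (rw,nosuid,default_permissions,allow_other)
EOF
}

# Reads "<src> on <mountpoint> type <fstype> (<options>)" lines on stdin.
# Prints "RISK <mountpoint>" or "OK <mountpoint>" for each FUSE mount.
# Assumes mount points contain no whitespace.
audit_fuse_mounts() {
    while read -r src on mnt type fstype opts; do
        [ "$on" = "on" ] && [ "$type" = "type" ] || continue
        case "$fstype" in
            fuse|fuse.*|fuseblk) ;;
            *) continue ;;          # not a FUSE filesystem
        esac
        opts=${opts#\(}; opts=${opts%\)}
        has_allow=0; has_default=0
        old_ifs=$IFS; IFS=,
        for o in $opts; do
            case "$o" in
                allow_other) has_allow=1 ;;
                default_permissions) has_default=1 ;;
            esac
        done
        IFS=$old_ifs
        if [ "$has_allow" -eq 1 ] && [ "$has_default" -eq 0 ]; then
            echo "RISK $mnt"
        else
            echo "OK $mnt"
        fi
    done
}

# On a live host: mount | audit_fuse_mounts
sample_mounts | audit_fuse_mounts
```

A RISK line is a prompt to repeat the chmod 400 test from post 14 on that mount point, since the result then depends on what the FUSE filesystem itself enforces.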