Anne Posted August 23, 2018 Share Posted August 23, 2018 (edited) I would like to create a user group but cannot find anything about user groups or creating them Seems like everything on my system is either "users" or "root" So I tried to chown the directory ,, all it did was change the user from "nobody" to ???? and told me there was no group by the name I tried to use. thanks Anne [SOLVED] ADDED NextCloud and used it as my file server UNRAID really should upgrade to "User Groups" ! Edited September 30, 2018 by Anne [SOLVED] Quote Link to comment
trurl Posted August 23, 2018 Share Posted August 23, 2018 What are you trying to accomplish exactly? unRAID isn't really designed to be a multi-user Linux OS. The users you can create in the webUI are only for file access over the network with SMB / NFS / AFP. And webUI / ssh / console is only for root. Quote Link to comment
Anne Posted August 23, 2018 Author Share Posted August 23, 2018 Hi Trurl, My goal is security. I am trying to create a user group to assign users "x, y, and z" for the purpose of restricting said group to specified disk(s), directory(s) or file(s). It appears to me at this point that unraid allows restrictions per user of a "share" and quite easily I might add, but I need to restrict users per "group" or some similar function . As far as I know the only way to accomplish this is via "user groups". Quote Link to comment
trurl Posted August 23, 2018 Share Posted August 23, 2018 There is no grouping functionality for SMB / NFS / AFP users. You will have to set each user up individually. Do you really have that many users? Quote Link to comment
Anne Posted August 23, 2018 Author Share Posted August 23, 2018 Hi Trurl, No I do not have that many users, in fact I will probably have less than 15 when I am finished,, however... as an example.. If I have users x, y, and z I have a share called TEST with all my FILES arranged by category (directory) ie., A, B, and C under TEST Tower/TEST/A/Files.xx Tower/TEST/B/Files.yy Tower/TEST/C/Files.zz and I want user x to have access to share TEST and category A,B,and C I want user y to have access to share TEST and category B and C but not A I want user z to have access to share TEST but only to category A This is a simple process when using user groups. Are you saying I have to make each category (directory), A, B, and C, a unique share to be able to control individual user access to A, B, and C ? Right now I have at least 175 categories under a single share.. ie., TEST. That would mean I would have 3 or 4 thousand shares by the time I get finished loading files to the server. Quote Link to comment
itimpi Posted August 23, 2018 Share Posted August 23, 2018 There will be problems doing things the way you want as on unRAID the security is by user, and is at the Share Level - not subfolders of the Share. Quote Link to comment
Anne Posted August 23, 2018 Author Share Posted August 23, 2018 Hi itimpi, Thanks for the input, however it seems the alternative is thousands of "shares" which would also be a nightmare in creating unique meaningful share names There surely is a way to add user group functions to unraid Quote Link to comment
itimpi Posted August 23, 2018 Share Posted August 23, 2018 8 minutes ago, Anne said: Hi itimpi, Thanks for the input, however it seems the alternative is thousands of "shares" which would also be a nightmare in creating unique meaningful share names There surely is a way to add user group functions to unraid Although unRAID is based on Linux, this will not easily done without a lot of command line work. You have to work out how to get this to be handled correctly at both the share (samba) and Linux levels. It might be possible by manipulating the permissions at the Linux Level on the folders to stop users without appropriate permission being able to get into folders but there is no built-in support for this so you would be on your own in getting it working. Also since unRAID runs from RAM and is loaded ‘fresh’ each time you boot the system you then have to do additional work to reinstate into RAM the files (e.g. etc/groups) needed to maintain the groups. Since unRAID’s primary market seems to be home users there has not been much demand for such capability. You could consider raising a feature request for such a capability to be added but I have no idea if it would be considered something Limetech would want to put in the effort to implement, and if they did what the timescales might be. Quote Link to comment
John_M Posted August 23, 2018 Share Posted August 23, 2018 I haven't fully thought this idea through or done any testing but suppose you were to create a user share that contains your preferred folder structure but don't actually enable sharing on it. Then create a user share for each user (x, y, z in your example) that contains symlinks to the actual files you want that particular user to be able to access. I'm not sure whether it would work and I'm happy for someone to shoot the idea down in flames. It seems your problem needs a bit of lateral thought so I'm just making a suggestion. Quote Link to comment
Anne Posted August 23, 2018 Author Share Posted August 23, 2018 Hi John_M, Thanks for the thought, however that would entail duplicate files. as in file abc.xx needing to be available for each permitted users share if I understand your thought correctly Quote Link to comment
John_M Posted August 23, 2018 Share Posted August 23, 2018 (edited) Not duplicate files, just symlinks. So /mnt/user/x would contain folders symlinks to folders A -> /mnt/user/TEST/A B -> /mnt/user/TEST/B C -> /mnt/user/TEST/C And /mnt/user/y would contain folders symlinks to folders B -> /mnt/user/TEST/B C -> /mnt/user/TEST/C And /mnt/user/z would contain folder symlink to folder A -> /mnt/user/TEST/A Edited August 23, 2018 by John_M They are actually symlinks, not folders Quote Link to comment
John_M Posted August 23, 2018 Share Posted August 23, 2018 The actual files would only be present in the subfolders of the TEST user share, which would not be accessible directly, or accessible only by the administrator user - you. Quote Link to comment
Anne Posted August 23, 2018 Author Share Posted August 23, 2018 2 minutes ago, John_M said: Not duplicate files, just symlinks. So /mnt/user/x would contain folders A -> /mnt/user/TEST/A B -> /mnt/user/TEST/B C -> /mnt/user/TEST/C And /mnt/user/y would contain folders B -> /mnt/user/TEST/B C -> /mnt/user/TEST/C And /mnt/user/z would contain folder A -> /mnt/user/test/A I will give that a try.. It will be a lot of work considering I now have 68 shares and and each share has an average of 100 directories with each directory with an average of 25 sub directories and I am only about one third finished with loading data to the server Quote Link to comment
John_M Posted August 23, 2018 Share Posted August 23, 2018 (edited) I would check the viability of my suggestion before loading any more data. It might not work at all and there might not be a workable solution, in which case you will have wasted your effort. Try it on a small set of users and files, like the example you give in your OP. If it works then yes, it will take a lot of effort. What protocol are you planning to use? If NFS it would be worth checking to see if it can handle group permissions - you certainly can't do it if you're using SMB or AFP - but even if so you'd need to edit the /etc/group file manually. My use of NFS is very simplistic so I can't say for sure. Edited August 23, 2018 by John_M It's /etc/group not /etc/groups Quote Link to comment
Anne Posted August 23, 2018 Author Share Posted August 23, 2018 9 minutes ago, John_M said: I would check the viability of my suggestion before loading any more data. It might not work at all and there might not be a workable solution, in which case you will have wasted your effort. Try it on a small set of users and files, like the example you give in your OP. If it works then yes, it will take a lot of effort. What protocol are you planning to use? If NFS it would be worth checking to see if it can handle group permissions - you certainly can't do it if you're using SMB or AFP - but even if so you'd need to edit the /etc/groups file manually. My use of NFS is very simplistic so I can't say for sure. My prior server had "user groups" built in and access to the data was smb or nfs. The server was linux based as is unraid. The use of groups made permissions down to the file level an easy task. I do not seem to be able to change either the user or the group in unraid. Quote Link to comment
John_M Posted August 23, 2018 Share Posted August 23, 2018 The root filesystem is unpacked into RAM each time unRAID boots so any manual changes you make to files such as /etc/passwd or /etc/group will be lost on a re-boot. You can add users via the GUI and, naturally, such changes do survive a re-boot. However, there's no GUI option to add groups, as you've discovered. The permissions on files within user shares are very lax in unRAID - typically 777 - but that will work in your favour (assuming my suggestion proves to be viable) in that your set of users (x, y, z) will not be refused access on the grounds of permissions. I'm not sure why you have 68 shares when, by my reckoning, you only need one per user (around 15, you said) plus the one you've called TEST. Quote Link to comment
John_M Posted August 23, 2018 Share Posted August 23, 2018 Did your previous server software meet your needs? There must be some reason for you to make the change to unRAID and invest a lot of effort into copying that many files over. This surprises me a little. If I were in your place I would have been asking these questions in advance, in order to find out if unRAID is really suited to my needs. It seems like you jumped early and are now looking for a kludge to make it work - believe me, that's what my suggestion is. It might well be that another solution would be better for you, so it's a shame we didn't have this discussion before you committed. Quote Link to comment
Anne Posted August 23, 2018 Author Share Posted August 23, 2018 2 hours ago, John_M said: Did your previous server software meet your needs? There must be some reason for you to make the change to unRAID and invest a lot of effort into copying that many files over. This surprises me a little. If I were in your place I would have been asking these questions in advance, in order to find out if unRAID is really suited to my needs. It seems like you jumped early and are now looking for a kludge to make it work - believe me, that's what my suggestion is. It might well be that another solution would be better for you, so it's a shame we didn't have this discussion before you committed. No, it was restricted to an 8TB array size, and FTP was inadequate at best and it had no capabilities for hosting a website. Plex, Emby and software like that is not available. And I did ask a lot of questions. I was told my solution to FTP was Owncloud or Nextcloud, and that I could host my own web site on unraid and Plex or Emby would take care of the media. I have not even finished loading software for Plex but already I like it. I am having problems with Nextcloud but that is on hold until I figure a way to arrange files that will allow me more flexibility with security, thus the problem I have with no user groups. Unraid seems to be working well for me until I encountered this problem of groups Just to say where I am going with all this... My primary usage will be that of a NAS File Server, then website server, then the Plex goodies, I hope that helps you understand what I am trying to do Quote Link to comment
Delarius Posted August 23, 2018 Share Posted August 23, 2018 I don't know if unRAID is the solution for this. I think if I was required to make something work, it would be in using a few techniques - all of which would have to be run from on boot from the 'go' file and then setup cron jobs. I won't get into details as I haven't experimented with this, but I think it could be possible (although very kludgy and apt to break on updates.) First I'd put some items into the /boot/config/go file: - define the group(s) and memberships - so issue some form of the groupadd command (need to create users before this.) - define the base permissions - essentially I'd remove all access from a shares for all users - add the access permissions back using as many iterations as necessary - setfacl -m g:groupname:rwx /mnt/disk1/myshare/mydirectory (or similar - unRAID does support ACLs) - be sure to also set the default acls - so something like setfacl -m d:g:groupname:rwx /mnt/disk1/myshare/mydirectory - add something to the root crontab at /var/spool/root/cron to check the permissions on a regular basis - you might also need to modify your smb.conf - I'd probably modify it live - restart samba and test - then copy that file to /boot/config/mysmb.conf and copy it over with the go script, then restart samba It think it would be possible to do what you want, but somewhat challenging and I think because of how unRaid shares work there might be many pitfalls with this approach. However, I think using standard POSIX permission/ownership it might be tricky to make this happen - mostly because the shares seem to always use the nobody user and that could be a problem. I have noted that acls do work as expected. However - do remember if you use acls, you need to be very careful about your use of chmod. Specifically adjusting the group permissions with chmod will also adjust the 'mask' and restrict the acls you've already applied, which is somewhat non intuitive. Another solution would be to run a Linux VM with access to a share(s) and have that VM share out the filespace and apply it's own permissions. Regardless, I think if you wanted a challenge, you've got one. Good luck, Del Quote Link to comment
Anne Posted August 23, 2018 Author Share Posted August 23, 2018 41 minutes ago, John_M said: -> /mnt/user/TEST/A 4 hours ago, John_M said: Not duplicate files, just symlinks. So /mnt/user/x would contain folders symlinks to folders A -> /mnt/user/TEST/A B -> /mnt/user/TEST/B C -> /mnt/user/TEST/C And /mnt/user/y would contain folders symlinks to folders B -> /mnt/user/TEST/B C -> /mnt/user/TEST/C And /mnt/user/z would contain folder symlink to folder A -> /mnt/user/TEST/A High John_M, Yes it works, however without some form of automation in the selection of what link paths to attribute to a specific user, it would take hours and hours and wear out my kybd. but for my purpose I think it would be a maintenance nightmare, unless I can script something that just asks what location to link to what user or what link location to remove from a user..... Thanks for the idea.. and the script does the work... hmmmm Quote Link to comment
John_M Posted August 23, 2018 Share Posted August 23, 2018 Thanks for confirming that, in theory at least, it works. Sorry that it's not a practical solution though. Maybe this approach would be worth trying instead: 4 hours ago, Delarius said: Another solution would be to run a Linux VM with access to a share(s) and have that VM share out the filespace and apply it's own permissions. Quote Link to comment
Anne Posted August 24, 2018 Author Share Posted August 24, 2018 13 minutes ago, John_M said: Thanks for confirming that, in theory at least, it works. Sorry that it's not a practical solution though. Maybe this approach would be worth trying instead: Thanks, but I would rather stay with a docker app if there might be one, for a solution.. Do not want to go off in too many directions. Quote Link to comment
pwm Posted August 25, 2018 Share Posted August 25, 2018 On 8/23/2018 at 5:22 PM, itimpi said: Although unRAID is based on Linux, this will not easily done without a lot of command line work. You have to work out how to get this to be handled correctly at both the share (samba) and Linux levels I have manually (i.e. on command line) made use of group rights and it works well. Quote Link to comment
itimpi Posted August 25, 2018 Share Posted August 25, 2018 20 minutes ago, pwm said: I have manually (i.e. on command line) made use of group rights and it works well. Good to hear! Have you copied the files that get altered (e.g /etc/groups) to the flash drive, and then added entries into the ‘go’ file to copy them back into position during the boot process? This is needed as unRAID is running from RAM so you need to take positive action to make such changes survive a reboot. Perhaps at the end you could create a brief ‘How To’ post in case anyone else has similar needs in the future? Quote Link to comment
pwm Posted August 25, 2018 Share Posted August 25, 2018 1 minute ago, itimpi said: Good to hear! Have you copied the files that get altered (e.g /etc/groups) to the flash drive, and then added entries into the ‘go’ file to copy them back into position during the boot process? This is needed as unRAID is running from RAM so you need to take positive action to make such changes survive a reboot. Perhaps at the end you could create a brief ‘How To’ post in case anyone else has similar needs in the future? Yes, I'm a bit sad that the groups file isn't represented in /boot/config like the other files. So the machine needs to recreate custom groups and assign users to them on boot (the 'go' file), like this: root@n54l-3:/etc# groupadd -g 1101 pwm_test root@n54l-3:/etc# usermod -a -G pwm_test fs_cesium root@n54l-3:/etc# tail -1 group pwm_test:x:1101:fs_cesium And it's obviously important to reuse the same group ID on every boot - and use an ID that isn't likely to collide with future unRAID versions. root@n54l-3:/mnt/disk2# ls -l /mnt/disk2/radium/ total 0 drwxrws--- 2 root pwm_test 112 Jun 28 00:07 test/ -rwxrwx--- 1 fs_cesium pwm_test 0 Aug 25 12:27 test-pwm_test* root@n54l-3:/mnt/disk2# ls -l /mnt/user/radium total 0 drwxrws--- 1 root pwm_test 112 Jun 28 00:07 test/ -rwxrwx--- 1 fs_cesium pwm_test 0 Aug 25 12:27 test-pwm_test* And I like to have: chmod 2770 <dirname> so new content created in the directory will inherit the group instead of getting the main group from the account adding the content. 1 Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.