[SOLVED] how do you create a user group


Anne


I would like to create a user group but cannot find anything about user groups or creating them

Seems like everything on my system is either "users" or "root"

So I tried to chown the directory; all it did was change the user from "nobody" to ???? and told me there was no group by the name I tried to use.

thanks

Anne

[SOLVED] ADDED NextCloud and used it as my file server

UNRAID really should upgrade to "User Groups" !

 

Edited by Anne
[SOLVED]
Link to comment

Hi Trurl,

My goal is security. I am trying to create a user group to assign users "x, y, and z" for the purpose of restricting said group to specified disk(s), directory(s) or file(s).

It appears to me at this point that unraid allows restrictions per user of a "share", and quite easily I might add, but I need to restrict users per "group" or some similar function.

As far as I know the only way to accomplish this is via "user groups".

Link to comment

Hi Trurl,

No, I do not have that many users; in fact I will probably have less than 15 when I am finished. However, as an example, if

I have users x, y, and z

I have a share called  TEST  with all my FILES arranged by category (directory) ie., A, B, and C under TEST

Tower/TEST/A/Files.xx

Tower/TEST/B/Files.yy

Tower/TEST/C/Files.zz

and I want user x to have access to share TEST and category A,B,and C

I want user y to have access to share TEST and category B and C but not A

I want user z to have access to share TEST but only to category A

This is a simple process when using user groups.

Are you saying I have to make each category (directory),  A, B, and C,  a unique share to be able to control individual user access to  A, B, and C ?

Right now I have at least 175 categories under a single share.. ie., TEST.

That would mean I would have 3 or 4 thousand shares by the time I get finished loading files to the server.

 

Link to comment
8 minutes ago, Anne said:

Hi itimpi,

 

Thanks for the input, however it seems the alternative is thousands of "shares" which would also be a nightmare in creating unique meaningful share names

There surely is a way to add user group functions to unraid

Although unRAID is based on Linux, this will not be easily done without a lot of command line work. You have to work out how to get this to be handled correctly at both the share (samba) and Linux levels. It might be possible by manipulating the permissions at the Linux level on the folders to stop users without appropriate permission being able to get into folders, but there is no built-in support for this so you would be on your own in getting it working. Also, since unRAID runs from RAM and is loaded ‘fresh’ each time you boot the system, you then have to do additional work to reinstate into RAM the files (e.g. etc/groups) needed to maintain the groups.

 

Since unRAID’s primary market seems to be home users there has not been much demand for such capability.   You could consider raising a feature request for such a capability to be added but I have no idea if it would be considered something Limetech would want to put in the effort to implement, and if they did what the timescales might be.

Link to comment

I haven't fully thought this idea through or done any testing but suppose you were to create a user share that contains your preferred folder structure but don't actually enable sharing on it. Then create a user share for each user (x, y, z in your example) that contains symlinks to the actual files you want that particular user to be able to access. I'm not sure whether it would work and I'm happy for someone to shoot the idea down in flames. It seems your problem needs a bit of lateral thought so I'm just making a suggestion.

 

Link to comment

Not duplicate files, just symlinks.

 

So /mnt/user/x would contain folders symlinks to folders

 

    A -> /mnt/user/TEST/A

    B -> /mnt/user/TEST/B

    C -> /mnt/user/TEST/C

 

And /mnt/user/y would contain folders symlinks to folders

 

    B -> /mnt/user/TEST/B

    C -> /mnt/user/TEST/C

 

And /mnt/user/z would contain folder symlink to folder

 

   A -> /mnt/user/TEST/A

 

 

Edited by John_M
They are actually symlinks, not folders
Link to comment
2 minutes ago, John_M said:

Not duplicate files, just symlinks.

 

So /mnt/user/x would contain folders

 

    A -> /mnt/user/TEST/A

    B -> /mnt/user/TEST/B

    C -> /mnt/user/TEST/C

 

And /mnt/user/y would contain folders

 

    B -> /mnt/user/TEST/B

    C -> /mnt/user/TEST/C

 

And /mnt/user/z would contain folder

 

   A -> /mnt/user/test/A

I will give that a try. It will be a lot of work considering I now have 68 shares and each share has an average of 100 directories, with each directory having an average of 25 sub directories, and I am only about one third finished with loading data to the server.

Link to comment

I would check the viability of my suggestion before loading any more data. It might not work at all and there might not be a workable solution, in which case you will have wasted your effort. Try it on a small set of users and files, like the example you give in your OP. If it works then yes, it will take a lot of effort. What protocol are you planning to use? If NFS it would be worth checking to see if it can handle group permissions - you certainly can't do it if you're using SMB or AFP - but even if so you'd need to edit the /etc/group file manually. My use of NFS is very simplistic so I can't say for sure.

 

Edited by John_M
It's /etc/group not /etc/groups
Link to comment
9 minutes ago, John_M said:

I would check the viability of my suggestion before loading any more data. It might not work at all and there might not be a workable solution, in which case you will have wasted your effort. Try it on a small set of users and files, like the example you give in your OP. If it works then yes, it will take a lot of effort. What protocol are you planning to use? If NFS it would be worth checking to see if it can handle group permissions - you certainly can't do it if you're using SMB or AFP - but even if so you'd need to edit the /etc/groups file manually. My use of NFS is very simplistic so I can't say for sure.

My prior server had "user groups"  built in and access to the data was smb or nfs. The server was linux based as is unraid. The use of groups made permissions down to the file level an easy task. I do not seem to be able to change either the user or the group in unraid.

Link to comment

The root filesystem is unpacked into RAM each time unRAID boots so any manual changes you make to files such as /etc/passwd or /etc/group will be lost on a re-boot. You can add users via the GUI and, naturally, such changes do survive a re-boot. However, there's no GUI option to add groups, as you've discovered.

 

The permissions on files within user shares are very lax in unRAID - typically 777 - but that will work in your favour (assuming my suggestion proves to be viable) in that your set of users (x, y, z) will not be refused access on the grounds of permissions.

 

I'm not sure why you have 68 shares when, by my reckoning, you only need one per user (around 15, you said) plus the one you've called TEST.

Link to comment

Did your previous server software meet your needs? There must be some reason for you to make the change to unRAID and invest a lot of effort into copying that many files over. This surprises me a little. If I were in your place I would have been asking these questions in advance, in order to find out if unRAID is really suited to my needs. It seems like you jumped early and are now looking for a kludge to make it work - believe me, that's what my suggestion is. It might well be that another solution would be better for you, so it's a shame we didn't have this discussion before you committed.

Link to comment
2 hours ago, John_M said:

Did your previous server software meet your needs? There must be some reason for you to make the change to unRAID and invest a lot of effort into copying that many files over. This surprises me a little. If I were in your place I would have been asking these questions in advance, in order to find out if unRAID is really suited to my needs. It seems like you jumped early and are now looking for a kludge to make it work - believe me, that's what my suggestion is. It might well be that another solution would be better for you, so it's a shame we didn't have this discussion before you committed.

No,  it was restricted to an 8TB  array size, and FTP was inadequate at best and it had no capabilities for hosting a website. Plex, Emby and software like that is not available. And I did ask a lot of questions. I was told my solution to  FTP was Owncloud or  Nextcloud,  and that I could host  my own web site on unraid and Plex or Emby would take care of the media.

I have not even finished loading software for Plex but already I like it. I am having problems with Nextcloud but that is on hold until I figure a way to arrange files that will allow me more flexibility with security, thus the problem I have with no user groups.

Unraid seems to be working well for me until I encountered this  problem of groups

Just to say where I am going with all this...

My primary usage will be that of a NAS File Server, then website server, then the Plex goodies,

I hope that helps you understand what I am trying to do

Link to comment

I don't know if unRAID is the solution for this. I think if I was required to make something work, it would be in using a few techniques - all of which would have to be run on boot from the 'go' file, and then set up cron jobs.

I won't get into details as I haven't experimented with this, but I think it could be possible (although very kludgy and apt to break on updates.)

First I'd put some items into the /boot/config/go file:

- define the group(s) and memberships - so issue some form of the groupadd command (need to create users before this.)

- define the base permissions - essentially I'd remove all access from a share for all users

- add the access permissions back using as many iterations as necessary - setfacl -m g:groupname:rwx /mnt/disk1/myshare/mydirectory (or similar - unRAID does support ACLs)

- be sure to also set the default acls - so something like setfacl -m d:g:groupname:rwx /mnt/disk1/myshare/mydirectory

- add something to the root crontab at /var/spool/root/cron to check the permissions on a regular basis

- you might also need to modify your smb.conf - I'd probably modify it live - restart samba and test - then copy that file to /boot/config/mysmb.conf and copy it over with the go script, then restart samba

 

I think it would be possible to do what you want, but somewhat challenging, and I think because of how unRAID shares work there might be many pitfalls with this approach. However, I think using standard POSIX permission/ownership it might be tricky to make this happen - mostly because the shares seem to always use the nobody user and that could be a problem. I have noted that acls do work as expected. However - do remember if you use acls, you need to be very careful about your use of chmod. Specifically, adjusting the group permissions with chmod will also adjust the 'mask' and restrict the acls you've already applied, which is somewhat non-intuitive.

Another solution would be to run a Linux VM with access to a share(s) and have that VM share out the filespace and apply its own permissions.

Regardless, I think if you wanted a challenge, you've got one.

 

Good luck,

Del

Link to comment
41 minutes ago, John_M said:

-> /mnt/user/TEST/A

 

4 hours ago, John_M said:

Not duplicate files, just symlinks.

 

So /mnt/user/x would contain folders symlinks to folders

 

    A -> /mnt/user/TEST/A 

    B -> /mnt/user/TEST/B

    C -> /mnt/user/TEST/C

 

And /mnt/user/y would contain folders symlinks to folders

 

    B -> /mnt/user/TEST/B

    C -> /mnt/user/TEST/C

 

And /mnt/user/z would contain folder symlink to folder

 

   A -> /mnt/user/TEST/A

 

 

Hi John_M,

Yes it works, however without some form of automation in the selection of what  link paths to attribute to a specific user, it would take hours and hours and wear out my kybd.

but for my purpose I think it would be a maintenance nightmare,  unless I can script something that just asks what location to link  to what user or what link location  to remove from a user.....

Thanks for the idea..

and the script does the work... hmmmm

Link to comment

Thanks for confirming that, in theory at least, it works. Sorry that it's not a practical solution though.

 

Maybe this approach would be worth trying instead:

 

4 hours ago, Delarius said:

Another solution would be to run a Linux VM with access to a share(s) and have that VM share out the filespace and apply its own permissions.

 

Link to comment
13 minutes ago, John_M said:

Thanks for confirming that, in theory at least, it works. Sorry that it's not a practical solution though.

 

Maybe this approach would be worth trying instead:

 

 

Thanks, but I would rather stay with a docker app if there might be one,  for a solution.. Do not want to go off in too many directions.

Link to comment
On 8/23/2018 at 5:22 PM, itimpi said:

Although unRAID is based on Linux, this will not be easily done without a lot of command line work. You have to work out how to get this to be handled correctly at both the share (samba) and Linux levels


I have manually (i.e. on command line) made use of group rights and it works well.

Link to comment
20 minutes ago, pwm said:


I have manually (i.e. on command line) made use of group rights and it works well.

Good to hear!

 

Have you copied the files that get altered (e.g /etc/groups) to the flash drive, and then added entries into the ‘go’ file to copy them back into position during the boot process?    This is needed as unRAID is running from RAM so you need to take positive action to make such changes survive a reboot.

 

Perhaps at the end you could create a brief ‘How To’ post in case anyone else has similar needs in the future?

Link to comment
1 minute ago, itimpi said:

Good to hear!

 

Have you copied the files that get altered (e.g /etc/groups) to the flash drive, and then added entries into the ‘go’ file to copy them back into position during the boot process?    This is needed as unRAID is running from RAM so you need to take positive action to make such changes survive a reboot.

 

Perhaps at the end you could create a brief ‘How To’ post in case anyone else has similar needs in the future?


Yes, I'm a bit sad that the groups file isn't represented in /boot/config like the other files.

 

So the machine needs to recreate custom groups and assign users to them on boot (the 'go' file), like this:

root@n54l-3:/etc# groupadd -g 1101 pwm_test

root@n54l-3:/etc# usermod -a -G pwm_test fs_cesium

root@n54l-3:/etc# tail -1 group
pwm_test:x:1101:fs_cesium

And it's obviously important to reuse the same group ID on every boot - and use an ID that isn't likely to collide with future unRAID versions.

root@n54l-3:/mnt/disk2# ls -l /mnt/disk2/radium/
total 0
drwxrws--- 2 root      pwm_test 112 Jun 28 00:07 test/
-rwxrwx--- 1 fs_cesium pwm_test   0 Aug 25 12:27 test-pwm_test*

root@n54l-3:/mnt/disk2# ls -l /mnt/user/radium
total 0
drwxrws--- 1 root      pwm_test 112 Jun 28 00:07 test/
-rwxrwx--- 1 fs_cesium pwm_test   0 Aug 25 12:27 test-pwm_test*

And I like to have:

chmod 2770 <dirname>

so new content created in the directory will inherit the group instead of getting the main group from the account adding the content.

  • Like 1
Link to comment
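
The boot-time steps pwm describes above (a fixed GID, `usermod -a -G`, `chmod 2770`), which are also the first items in Delarius's 'go' file outline, written as an idempotent helper that refuses to proceed on a GID or name collision. This is an added example, not code from any poster in the thread; `ensure_group`, `ensure_group_dir`, `GROUP_FILE` and `DRY_RUN` are hypothetical names, and it assumes the functions are pasted into or sourced from /boot/config/go.

```shell
#!/bin/bash
# Added example (not from the thread): boot-time group restore for /boot/config/go.
# GROUP_FILE and DRY_RUN are hypothetical knobs for trying it against a copy.
GROUP_FILE="${GROUP_FILE:-/etc/group}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# ensure_group NAME GID [USER...]
# Creates the group with a fixed GID if missing and adds any missing members.
# Returns 2 without changing anything when the name or the GID is already
# taken by something else (for example after an unRAID update).
ensure_group() {
    name=$1; gid=$2; shift 2
    by_name=$(awk -F: -v n="$name" '$1 == n { print $3 }' "$GROUP_FILE")
    by_gid=$(awk -F: -v g="$gid" '$3 == g { print $1 }' "$GROUP_FILE")
    if [ -n "$by_name" ] && [ "$by_name" != "$gid" ]; then
        echo "ERROR: $name already exists with GID $by_name, wanted $gid" >&2
        return 2
    fi
    if [ -n "$by_gid" ] && [ "$by_gid" != "$name" ]; then
        echo "ERROR: GID $gid already belongs to group $by_gid" >&2
        return 2
    fi
    [ -n "$by_name" ] || run groupadd -g "$gid" "$name" || return 1
    members=$(awk -F: -v n="$name" '$1 == n { print $4 }' "$GROUP_FILE")
    for user in "$@"; do
        case ",$members," in
            *",$user,"*) ;;  # already a member, nothing to do
            *) run usermod -a -G "$name" "$user" || return 1 ;;
        esac
    done
}

# ensure_group_dir DIR GROUP
# Group-owned, setgid so new content inherits the group, no access for others.
ensure_group_dir() {
    run chgrp "$2" "$1" && run chmod 2770 "$1"
}

# In the go file (values taken from pwm's post):
#   ensure_group pwm_test 1101 fs_cesium
#   ensure_group_dir /mnt/disk2/radium/test pwm_test
```

Running it once with `DRY_RUN=1` prints the commands a boot would issue without touching /etc/group.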
