[SOLVED] how do you create a user group


Anne


I thought you might have simply gotten away with copying the /etc/group file onto the flash drive and back into position rather than recreating the users?    This would be simpler than recreating the groups on each boot.    However it may well be more complicated than that and recreating the users each time may be easier to maintain?

1 hour ago, itimpi said:

I thought you might have simply gotten away with copying the /etc/group file onto the flash drive and back into position rather than recreating the users?    This would be simpler than recreating the groups on each boot.    However it may well be more complicated than that and recreating the users each time may be easier to maintain?

 

Yes I could. But the problem is I don't "own" the group file, and so do not know what requirements unRAID might have. If I update and unRAID requires additional system groups that I don't know about, then I will overwrite them. That's why I would have liked unRAID to change behavior and store the group file in the config directory just like the password file instead of trying to force a system-supplied file on us.

 

I feel patching the file is the most compatible way to make use of groups.

 

I would like LT to spend some time on hardening unRAID. Official use of account groups, firewall rules etc. The IoT revolution means people will bring in hundreds of new networked devices with totally unknown security levels - so there are just so many more ways we may get infestations in our local networks.


Have you raised a formal request to get the groups file included in the Config folder on the flash drive?   If there are no other ramifications I expect LimeTech would implement this as being a trivial change.   This is obviously a much smaller change than getting full baked-in support for groups but still worth asking for as a small step on the way.

Just now, itimpi said:

Have you raised a formal request to get the groups file included in the Config folder on the flash drive?   If there are no other ramifications I expect LimeTech would implement this as being a trivial change.   This is obviously a much smaller change than getting full baked-in support for groups but still worth asking for as a small step on the way.

 

No, I haven't. Most of the time when I need changes to an unRAID machine, I just make the changes I need. But obviously I sometimes have to repair/modify my own patching after unRAID updates. Such as my original iptables firewalling of the machines that had to be modified after unRAID started to use iptables for docker.

  • 3 months later...

Hmmm, such basic functionality, you would think they would add it.  Maybe someone thinks unraid is just for home users, but given its capabilities, it must be quite advanced home users that could actually understand and benefit from groups.  I'm just looking into purchasing unraid now and this is a rather large negative of it.  Even the base model home NAS units like QNAP have groups.  So does Mac, Windows and so on.  My 2c is this should be added and accessible from the GUI, or at least survive reboots.  Certainly if I put my IT hat on.

  • 9 months later...
On 8/25/2018 at 6:46 AM, pwm said:


Yes, I'm a bit sad that the groups file isn't represented in /boot/config like the other files.

 

So the machine needs to recreate custom groups and assign users to them on boot (the 'go' file), like this:

@pwm So I came across this post.  Can you please verify that you aren't using the setfacl command in your solution?  I was trying to set ACLs and although it's "supported" in Unraid (i.e. the command is present), the array isn't mounted with ACL access, so the command won't work for me on 6.7.2 when trying to modify a directory on the array.  Thanks.

 

My use case is a bit different.  I am using the LinuxServer Resilio Sync docker app and want to keep the file permissions intact while the docker service synchronizes the files between connected nodes in the swarm.  The problem is, the docker runs as a specific user:group (nobody:users by default) and not the user that actually owns the files (which I set on the command line).  I could run N docker containers of the app for N users (each with $user:users PUID:PGID), but that would require N licenses of the software ... and I'm not about to do that when the 1 license I have is more than fine.  I was hoping to run the docker as a sync "super user", that is in the same group as the users that have files syncing ... and have the ACLs keep the PUID while the group inheritance is handled by the groupadd and useradd commands I define in the /boot/config/go file.

 

If I need to use chown commands, I'd have to use cron and/or inotifywait to constantly update the file attributes which would be very far from a viable solution.

 

-JesterEE


Actually ... after understanding the Resilio Sync features a bit more, it looks like not every node of the swarm needs to have a Pro license to exchange data.  Nodes that should have all the shared data (i.e. server clients) can use the free version and nodes that may only need parts of the data and want to use the selective sync capability (i.e. phone, laptop, etc. clients) need the Pro version.  So, in an Unraid setup, I can have a docker app utilizing the free version of the software for each user (with PUID, PGID, and UMASK set appropriately for each) and not have to worry about ACLs.  This would be more of an issue if my user count was in the 10s or 100s, but with single digit users, this is not too big of a problem.  This might actually be better in fact because the Resilio Sync database will be unique for each user, and the share files, as well as the database files, can be owned by that user without any additional setup.  The only additional complication is more NetworkingFu to access the administration WebUI for each user, but that's manageable.

 

Nevertheless, I agree with the OP in that not having a solid, easy to use, and functional way to have control of the users and groups at the file system level is at best inconvenient, and at worst, a security risk.  I hope to see this in a future release!

 

-JesterEE

  • 6 months later...
On 10/21/2019 at 2:19 PM, JesterEE said:

not having a solid, easy to use, and functional way to have control of the users and groups at the file system level is at best inconvenient, and at worst, a security risk.

Agreed.  I am currently testing 3 NAS solutions one of them being UNRAID.  The other two each have their own strengths and weaknesses but the one thing they both have is the ability to have "real" linux system GROUPS and USERS with the ability to HARDEN the system.

 

I was taken by surprise that after creating a low privileged GROUP and USER and then using that USER to ssh into UNRAID, that user, who was to have no access to the system other than its own HOME directory, was able to access all the SHARES and other directories and was able to READ and WRITE even when those folders were owned by ROOT and the permissions were set to RWX - - - - - - .

 

I'm a belt, suspenders, duct tape, staples and paperclip kind of person.  It just seems wrong not to be able to harden UNRAID and to rely solely on an external router/firewall to protect the UNRAID server. 

 

 

  • 7 months later...

The inability to create groups in UNRAID hit me today.  I have two RPis running Pi-hole.  In an attempt to save the SD card, I wanted to have Pi-hole save its log files on an UNRAID mount.  It seems Pi-hole is quite finicky about the ownership of the log files and needs pihole:pihole as the owner for it to work.  Alas, I can create a pihole user, but there is no provision to create the group that's needed.

  • 11 months later...
  • 1 month later...

Respectfully this has been my BIGGEST annoyance with Unraid for the last 4 years I've used it, along with proper NFS export support to control permissions by hostname.

 

My workaround back then was a dumb script ("samurai" below is the hostname):

 

Once this runs and any negative caches on clients time out, all of the group security works.  Users in group A can access folders owned by that group, users in group B can access folders in another group.

 

root@samurai:/mnt/user/scripts# cat fixunraid.sh
#!/bin/bash
# Show the NFS exports as they are before the fix
showmount -e
echo "Fixing hosts, groups, and NFS exports"
# Append the host and group entries kept on the array to the live system files
# (each run appends again, so this is meant to run once after a boot)
cat hosts.append >> /etc/hosts
cat group.append >> /etc/group
# Keep a backup of the generated exports file, then install the per-host version
cp /etc/exports /etc/exports.BAK
cp exports.samurai /etc/exports
sleep 10
# Re-read /etc/exports and show the result
exportfs -a
sleep 5
showmount -e

 

(I previously also appended passwd entries but sometime in the past few years Unraid actually remembered changes to /etc/passwd, such as the primary GID.)

 

Perhaps this sounds "too complicated" to manage automatically but this is the simplest, most BASIC UNIX-level security and has been implemented through simple GUIs (that work across local, NFS, and Samba access) hundreds of times.  Just for HOME use, this lets me keep my kids from accessing or deleting files they shouldn't.   Implementing Groups is essential for any NAS and I'm shocked at some of the suggestions in this thread to create tons of extra shares or duplicate files.

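The two posts above describe the same workaround from different angles: recreate custom groups at boot from a file kept on the flash drive (pwm's 'go' file approach) or append a prepared group.append to /etc/group (the fixunraid.sh script). The following is an added example, not code from the thread or from Unraid, showing an idempotent version of that merge: each entry is added only when neither its name nor its GID already exists in the target file, so the function can run from /boot/config/go on every boot (and be re-run by hand) without duplicating lines. The /boot/config/group.append path in the final comment is an assumed layout; the demo and the sample entries are constructed.

```shell
#!/bin/bash
# Added example: idempotent merge of group entries into a group(5)-format file.
# Not from the forum thread or from Unraid; paths and sample data are assumptions.

# merge_groups APPEND_FILE TARGET_FILE
# Reads APPEND_FILE (group(5) lines, '#' comments allowed) and appends each
# entry to TARGET_FILE unless the group name or the GID is already present.
# Logs one line per entry to stderr; returns 1 only if APPEND_FILE is unreadable.
merge_groups() {
    local append="$1" target="$2"
    local name pw gid members
    [ -r "$append" ] || { echo "no append file: $append" >&2; return 1; }
    while IFS=: read -r name pw gid members; do
        # skip blank lines and comments
        case "$name" in ''|'#'*) continue ;; esac
        # refuse entries without a purely numeric GID
        case "$gid" in ''|*[!0-9]*) echo "skip $name: bad GID '$gid'" >&2; continue ;; esac
        if grep -q "^${name}:" "$target"; then
            echo "keep $name: already present" >&2
        elif grep -q "^[^:]*:[^:]*:${gid}:" "$target"; then
            echo "skip $name: GID $gid already used by another group" >&2
        else
            printf '%s:%s:%s:%s\n' "$name" "$pw" "$gid" "$members" >> "$target"
            echo "add $name (GID $gid)" >&2
        fi
    done < "$append"
    return 0
}

# count_group NAME TARGET_FILE -> number of lines defining NAME (expect 0 or 1)
count_group() {
    grep -c "^$1:" "$2" || true
}

# Demonstration on constructed temp files; the real /etc/group is never touched.
demo() {
    local dir
    dir=$(mktemp -d)
    # constructed starting point, similar to a freshly booted system
    printf 'root:x:0:\nusers:x:100:\n' > "$dir/group"
    # constructed append file: two new groups, one duplicate name, one GID clash
    printf '# constructed sample\nmedia:x:1500:anne,bob\nbackup:x:1501:\nusers:x:100:\nclash:x:1500:\n' \
        > "$dir/group.append"
    merge_groups "$dir/group.append" "$dir/group"
    merge_groups "$dir/group.append" "$dir/group"   # second run changes nothing
    cat "$dir/group"
    rm -rf "$dir"
}

# Run the demo with: bash thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo
fi

# Intended use from the 'go' file (assumed layout of the flash drive):
#   merge_groups /boot/config/group.append /etc/group
```

Appending lines rather than calling groupadd keeps the behaviour identical to the original script while making it safe to repeat; whichever method is used, the file still has to be re-applied after every boot because Unraid regenerates /etc/group, and user membership set with useradd/usermod needs the same treatment.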
  • 11 months later...
1 hour ago, samsausages said:

system users and groups don't work as expected.

On 8/22/2018 at 9:25 PM, trurl said:

unRAID isn't really designed to be a multi-user Linux OS. The users you can create in the webUI are only for file access over the network with SMB / NFS / AFP. And webUI / ssh / console is only for root.

  

If you want a multi-user Linux, Unraid can host VMs.

 

1 hour ago, samsausages said:

open up some dockers to the harsh interwebs

 


Yeah, I read that and it seems silly to run a VM for what is usually a highly dependent core feature.  Reverse proxies work very well, but I don't see how they replace proper user & group permissions as a security layer, when using web facing docker containers.

I like Unraid for the storage array, everything else has been a nice bonus.  If I spool up a VM, I'd probably virtualize Unraid and use it just for the storage array, then run VMs and Docker on the host.
But that makes everything a bit overly complicated for my liking.

  • 4 weeks later...
On 3/2/2023 at 9:12 AM, samsausages said:

Yeah, I read that and it seems silly to run a VM for what is usually a highly dependent core feature.  Reverse proxies work very well, but I don't see how they replace proper user & group permissions as a security layer, when using web facing docker containers.

I like Unraid for the storage array, everything else has been a nice bonus.  If I spool up a VM, I'd probably virtualize Unraid and use it just for the storage array, then run VMs and Docker on the host.
But that makes everything a bit overly complicated for my liking.

 

Just came here to say this. I hope they consider adding it for unRAID 7 (or whatever next major version is). I've always used groups to configure separation of concerns for users, even in a home environment. The current vanilla way of doing it is way too lax for my liking and having to abstract to a VM just to handle file sharing on the native OS seems like an unnecessary hurdle.

  • 2 months later...

I know UnRAID is designed as a home server but it has grown past that at this point. I'd love to see an easy way to implement this in the GUI. TrueNAS Core has this feature and it also has LDAP support that can work with an LDAP server or even an LDAP as a Service, e.g., JumpCloud.

 

I am really looking forward to some sort of Group feature and LDAP! PLEASE LDAP!!!!!

 

Anyway, that's my $0.02
