[SOLVED] how do you create a user group


Anne


I thought you might have simply gotten away with copying the /etc/group file onto the flash drive and back into position rather than recreating the users? This would be simpler than recreating the groups on each boot. However it may well be more complicated than that and recreating the users each time may be easier to maintain?

Link to post
1 hour ago, itimpi said:

I thought you might have simply gotten away with copying the /etc/group file onto the flash drive and back into position rather than recreating the users? This would be simpler than recreating the groups on each boot. However it may well be more complicated than that and recreating the users each time may be easier to maintain?

 

Yes I could. But the problem is I don't "own" the group file, and so do not know what requirements unRAID might have. If I update and unRAID requires additional system groups that I don't know about, then I will overwrite them. That's why I would have liked unRAID to change behavior and store the group file in the config directory just like the password file instead of trying to force a system-supplied file on us.

 

I feel patching the file is the most compatible way to make use of groups.

 

I would like LT to spend some time on hardening unRAID. Official use of account groups, firewall rules etc. The IoT revolution means people will bring in hundreds of new networked devices with totally unknown security levels - so there are just so many more ways we may get infestations in our local networks.

Link to post
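
The "patch, don't overwrite" approach discussed above could look like the following sketch. It is an added example, not code posted in this thread or shipped by unRAID; the file name `/boot/config/group.custom` is a hypothetical choice, and the sample data used to exercise it is constructed.

```shell
# Added example: append custom groups to the system-supplied /etc/group
# without replacing any entry the OS ships. Entries follow group(5):
#   name:password:GID:member,member
# merge_groups CUSTOM SYSTEM  -> merged file on stdout, conflicts on stderr
merge_groups() {
    awk -F: '
        # First operand (custom file): remember well-formed entries in order.
        FILENAME == ARGV[1] {
            if (NF == 4 && $1 != "" && $3 ~ /^[0-9]+$/) {
                if (!($1 in custom)) order[++n] = $1
                custom[$1] = $0; cgid[$1] = $3
            } else if ($0 != "") {
                print "skip malformed custom line: " $0 > "/dev/stderr"
            }
            next
        }
        # Second operand (system file): always passed through unchanged.
        { print; have_name[$1] = 1; have_gid[$3] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                g = order[i]
                if (g in have_name) {
                    print "keep system entry for " g > "/dev/stderr"
                    continue
                }
                if (cgid[g] in have_gid) {
                    print "skip " g ": GID " cgid[g] " already used by " have_gid[cgid[g]] > "/dev/stderr"
                    continue
                }
                print custom[g]
                have_gid[cgid[g]] = g
            }
        }
    ' "$1" "$2"
}

# apply_groups CUSTOM SYSTEM -> rewrite SYSTEM in place, keeping its owner and mode.
apply_groups() {
    tmp=$(mktemp) || return 1
    if merge_groups "$1" "$2" > "$tmp"; then cat "$tmp" > "$2"; fi
    rm -f "$tmp"
}

# Assumed usage from /boot/config/go; group.custom is a hypothetical file name:
#   apply_groups /boot/config/group.custom /etc/group
```

Name and GID conflicts are reported on stderr rather than resolved silently, so a system group introduced by an update is kept and the skipped custom entry is visible at boot.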

Have you raised a formal request to get the groups file included in the Config folder on the flash drive? If there are no other ramifications I expect LimeTech would implement this as being a trivial change. This is obviously a much smaller change than getting full baked-in support for groups but still worth asking for as a small step on the way.

Link to post
Just now, itimpi said:

Have you raised a formal request to get the groups file included in the Config folder on the flash drive? If there are no other ramifications I expect LimeTech would implement this as being a trivial change. This is obviously a much smaller change than getting full baked-in support for groups but still worth asking for as a small step on the way.

 

No, I haven't. Most of the time when I need changes to an unRAID machine, I just make the changes I need. But obviously I sometimes have to repair/modify my own patching after unRAID updates. Such as my original iptables firewalling of the machines that had to be modified after unRAID started to use iptables for docker.

Link to post
  • 3 months later...

Hmmm, such basic functionality, you would think they would add it. Maybe someone thinks unraid is just for home users, but given its capabilities, it must be quite advanced home users that could actually understand and benefit from groups. I'm just looking into purchasing unraid now and this is a rather large negative of it. Even the base model home nas units like qnap have groups. So does Mac, Windows and so on. My 2c is this should be added and accessible from the GUI, or at least survive reboots. Certainly if I put my IT hat on.

Link to post
  • 9 months later...
On 8/25/2018 at 6:46 AM, pwm said:


Yes, I'm a bit sad that the groups file isn't represented in /boot/config like the other files.

 

So the machine needs to recreate custom groups and assign users to them on boot (the 'go' file), like this:

@pwm So I came across this post.  Can you please verify that you aren't using the setfacl command in your solution?  I was trying to set ACLs and although it's "supported" in Unraid (i.e. the command is present), the array isn't mounted with ACL access, so the command won't work for me on 6.7.2 when trying to modify a directory on the array.  Thanks.

 

My use case is a bit different.  I am using the LinuxServer Resilio Sync docker app and want to keep the file permissions intact while the docker service synchronizes the files between connected nodes in the swarm.  The problem is, the docker runs as a specific user:group (nobody:users by default) and not the user that actually owns the files (which I set on the command line).  I could run N docker containers of the app for N users (each with $user:users PUID:PGID), but that would require N licenses of the software ... and I'm not about to do that when the 1 license I have is more than fine.  I was hoping to run the docker as a sync "super user", that is in the same group as the users that have files syncing ... and have the ACLs keep the PUID while the group inheritance is handled by the groupadd and useradd commands I define in the /boot/config/go file.

 

If I need to use chown commands, I'd have to use cron and/or inotifywait to constantly update the file attributes which would be very far from a viable solution.

 

-JesterEE

Edited by JesterEE
Typos
Link to post

Actually ... after understanding the Resilio Sync Features a bit more, it looks like not every node of the swarm needs to have a Pro license to exchange data. Nodes that should have all the shared data (i.e. server clients) can use the free version and nodes that may only need parts of the data and want to use the selective sync capability (i.e. phone, laptop, etc. clients) need the pro version. So, in an Unraid setup, I can have a docker app utilizing the free version of the software for each user (with PUID, PGID, and UMASK set appropriately for each) and not have to worry about ACLs. This would be more of an issue if my user count was in the 10s or 100s, but with single digit users, this is not too big of a problem. This might actually be better in fact because the Resilio Sync database will be unique for each user, and the share files, as well as the database files, can be owned by that user without any additional setup. The only additional complication is more NetworkingFu to access the administration WebUI for each user, but that's manageable.

 

Nevertheless, I agree with the OP in that not having a solid, easy to use, and functional way to have control of the users and groups at the file system level is at the best inconvenient, and at the worst, a security risk. I hope to see this in a future release!

 

-JesterEE

Link to post
  • 6 months later...
On 10/21/2019 at 2:19 PM, JesterEE said:

not having a solid, easy to use, and functional way to have control of the users and groups at the file system level is at the best inconvenient, and at the worst, a security risk.

Agreed.  I am currently testing 3 NAS solutions one of them being UNRAID.  The other two each have their own strengths and weaknesses but the one thing they both have is the ability to have "real" linux system GROUPS and USERS with the ability to HARDEN the system.

 

I was taken by surprise that after creating a low privileged GROUP and USER and then using that USER to ssh into UNRAID that that user who was to have no access to the system other than its own HOME directory was able to access all the SHARES and other directories and was able to READ and WRITE even when those folders were owned by ROOT and the permissions were set to RWX - - - - - - .

 

I'm a belt, suspenders, duct tape, staples and paperclip kind of person.  It just seems wrong not to be able to harden UNRAID and to rely solely on an external router/firewall to protect the UNRAID server. 

 

 

Link to post
  • 7 months later...

The inability to create groups in UNRAID hit me today. I have two RPIs running Pihole. In an attempt to save the SD Card, I wanted to have pihole save its log files on an UNRAID mount. It seems Pihole is quite finicky about the ownership of the log files and needs pihole:pihole as the owner for it to work. Alas, I can create a pihole user, but no provision to create the group that's needed.

Link to post
