October 31, 2010
I'd like to run the webGui process as user "nobody" of the "users" group (UID=99, GID=100). Does anyone foresee any issues doing this?

October 31, 2010
I haven't checked, but just off the top of my head it might impact some plugins that use php to read/write files. What are the default perms on the plugin home and /boot?

November 1, 2010 (Author)
Well /boot is 777 because it's a mount point for the FAT32 flash file system. But /usr/local/emhttp/plugins is set to 755 (owner root:root) - I'd have to change that to 777 (or 757). The reason I want to have webGui run as nobody:users is because this is the default owner for all files on the array (and when a private share is written, the group of the files is still users). Anyway, if there are plugins which write files to the array, if they are owned by root:root, they will not be visible via Samba. One solution is that for any command which must be executed by the webGui that creates files on the array, one could execute via 'su' command, e.g., su nobody -c 'some-command'
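
A check for the ownership concern raised in the post above, as an added example that is not part of the original thread: it lists entries under a directory that are not owned by the expected UID:GID (defaulting to the thread's 99:100), which are the files the post says will not be visible via Samba. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): find entries whose owner or group is
# not the expected pair. Defaults follow the thread: nobody:users = 99:100.

# find_wrong_owner DIR [UID] [GID]
# Prints every path under DIR whose owner or group differs from UID:GID.
find_wrong_owner() {
    dir=$1
    want_uid=${2:-99}
    want_gid=${3:-100}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # -user/-group are given numeric IDs here, so the match does not depend
    # on what names the local passwd/group files assign to 99 and 100.
    find "$dir" \( ! -user "$want_uid" -o ! -group "$want_gid" \) -print
}

# count_wrong_owner DIR [UID] [GID]
# Prints the number of mismatching entries (one path per line is assumed,
# so file names containing newlines would be over-counted).
count_wrong_owner() {
    out=$(find_wrong_owner "$@") || return $?
    if [ -z "$out" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$out" | wc -l | tr -d ' '
}

# When run as a script with arguments, list the mismatches.
if [ "$#" -gt 0 ]; then
    find_wrong_owner "$@"
fi
```

Run it against a share directory after a plugin has written files to see what was created as root:root instead of nobody:users.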

November 1, 2010
> I'd like to run the webGui process as user "nobody" of the "users" group (UID=99, GID=100). Does anyone foresee any issues doing this?

It might prevent the development of any plug-in that needs to interact with the disks outside of the array... (mount/un-mount, etc, even hdparm and smartctl might not work if they cannot access the raw devices.) The use of "su" might work, but if there is a root password, there is no way to pass it. Granted, it would tighten up security a LOT if not run by root. (And that is a huge benefit to business users concerned with security.)

November 1, 2010
I wasn't contemplating shell commands called by plugins, but php scripts that read/write files. You could setuid root (which might be the best way to handle it). Normally I would cringe at that suggestion, but seeing as how that is, in effect, what we have now.

December 3, 2010
I have no experience with “nobody user” so cannot be of much help to it. But in my opinion you should use a username instead of the other. It is better to replace “nobody” in the startup script with a username of your choice and don’t forget about ‘root’. Remember as you are changing the username don’t fail to change the ownership configuration as well and download the related folders as well.

December 3, 2010
Off the top of my head, SNAP creates a user nobody and it's used for Windows connections via Samba. I think I had to add it so that files would show up.