Derek_ Posted December 28, 2019 (edited)

Hiya, I'm trying to switch users in the terminal; I would like to temporarily operate as my 'backup-user'. I have found that if I do not switch user and perform certain operations as that user, I screw up my Borg repository. My repository is now not accessible by my backup-user, only by unRAID's root user.

So two parts to this:

1. To prevent this issue in the future, I'd like to be able to switch user before doing what I did. But I've tried just now and I can't... This doesn't work: it does not prompt for my password, nor does it provide any error or output.

    $ whoami
    root
    $ su - backup-user
    $ whoami
    root

I've tried a variety of permutations I've found online:

    su backup-user
    su -u backup-user
    sudo su backup-user
    sudo su - backup-user
    sudo su -u backup-user (bad syntax)

And...

2. To fix what I've already broken, will running this as root safely correct the permissions in the affected sub/directories?

    $ chown -R backup-user /mnt/user/Backups/MessedUpDir

Of course I can just give it a go, but I've never changed permissions before so I thought I'd check with people who hopefully know better. I don't want to make things worse - noting that I can't seem to switch user, I don't know what this command might do.

Thanks

Edited February 8, 2020 by Derek_
Derek_ (Author) Posted December 29, 2019 (edited)

OK, I fixed no. 2:

    $ chown -R backup-user:users /mnt/user/Backups/MessedUpDir

Though there were still some messed up permissions. Files touched by my stuff-up were set to 600, where 666 is the case for files untouched by my screw-up. So I went into the directory and sorted that out.

    $ chmod 666 *

But I'd like to avoid this in future, so my no. 1 question above still stands. I hope it's doable via the web terminal. If not, I guess I'd have to SSH? Thanks.

Edited December 29, 2019 by Derek_ (fixed path)
FreeMan Posted December 29, 2019

Is there any reason you don't simply log in to the terminal session as 'backup-user' instead of logging in as root then trying to su to the desired user?
Derek_ (Author) Posted December 29, 2019

5 minutes ago, FreeMan said:
> Is there any reason you don't simply log in to the terminal session as 'backup-user' instead of logging in as root then trying to su to the desired user?

No reason other than I do not know how. I'm just clicking the Terminal icon on the GUI, which uses the root user. I also tried using the 'login' command after you asked (I didn't think of it before) but it didn't want to accept the backup-user either:

    # login
    login: backup-user
    Password:
    Linux 4.19.56-Unraid.
    # whoami
    root

Bummer.
FreeMan Posted December 29, 2019

Sorry, that one's above my pay-grade!
Derek_ (Author) Posted December 31, 2019

Kinda really would like to know this. Surely it's possible. Anyone?
bonienl Posted December 31, 2019

Unraid users are not the same as regular Linux users. They don't have an environment to run. To maintain the system, this is only possible by user 'root'. All other users are used to set the access rights for shares and a particular user (non-root).
Derek_ (Author) Posted December 31, 2019

Hi Bonienl, thanks for replying. I've done a bit of digging... I looked at /etc/passwd and he's without an environment, as you say. All the users I've added to unRAID via the GUI do not have /bin/bash in /etc/passwd - unlike root, and unlike a 'normal' user in a 'normal' Linux distro.

I'm not a Linux guru/admin or anything, so my sleuthing might not mean I can work around this, or do so safely, which is the most important thing. What happens if I add /bin/bash to /etc/passwd for the user(s) I want to be able to do stuff in the terminal? I presume it'll work, but I don't know what 'side-effects' this might have for unRAID.

TL;DR

a) Why are added users denied a shell? Is this quite typical for a NAS or server?
b) Can I give them a shell safely if I want to?
c) Can I give them the wheel group safely if I want/need to? (sudo)
d) Not so far mentioned, but will I be able to run cron jobs as another user WITHOUT having to mess around with the users (b & c)? OR, as an alternative, will I be able to switch user in a BASH script to run some things? (I'll have to learn BASH to some extent.)

Thanks.
bonienl Posted December 31, 2019

It is by design that only user 'root' can operate on the system. It is not recommended to change another user and use this instead; side-effects are unknown and you may end up with a disabled system. Plans exist for the future to support other users besides 'root' to do system maintenance; until then stick to user 'root'.
Derek_ (Author) Posted December 31, 2019 (edited)

26 minutes ago, bonienl said:
> It is by design that only user 'root' can operate on the system. It is not recommended to change another user and use this instead; side-effects are unknown and you may end up with a disabled system. Plans exist for the future to support other users besides 'root' to do system maintenance; until then stick to user 'root'.

Hmm... well, I have a workaround suggested to me which will allow me to use one of these crippled (is 'nerfed' nicer?) users. It does not require I change any of the things I've mentioned. I'll test it tomorrow in a very limited use-case capacity. I shall not give in without a fight!

Edited December 31, 2019 by Derek_
Frank1940 Posted December 31, 2019

IF you figure out something, please do us folks who provide support and NOT post up what you did. I don't want to have to deal with any problems caused by hacking into the Administrator functions. Just wear your Black Hat proudly and keep the secret to yourself.
bonienl Posted December 31, 2019

1 hour ago, Derek_ said:
> well I have a workaround suggested to me

I don't know your workaround, but I do know the operation of the GUI very well ☺️ Many functions won't work properly without the correct user rights. Might not be visible, but underlying operations won't succeed as expected.
Derek_ (Author) Posted December 31, 2019

8 hours ago, bonienl said:
> I don't know your workaround, but I do know the operation of the GUI very well ☺️ Many functions won't work properly without the correct user rights. Might not be visible, but underlying operations won't succeed as expected.

Let me say that I'm no expert, so my thoughts and words may just be me over-complicating things and being far too much an idealist. I lack real-world experience and knowledge in this area. For now I'm just trying to do stuff in the terminal.

The workaround didn't work, or is at least incomplete:

    $ su -s /bin/sh backup-user

This does allow me to switch to the user, but I think I'd need to grant the user the 'wheel' group to be able to elevate its privileges to run some commands (in my case Borg). As it doesn't have a /home, maybe that's the problem rather than rights elevation (Borg doesn't need sudo on my Linux desktop). I can't SSH into the box as the backup-user to take advantage of Borg's capabilities in that regard either.

I was trying to use Borg for my backup strategy, but the only way to do so seems to be using traditional mounts and running tasks from the client rather than running things on unRAID (like repository checks, which can take hours). OR I connect using root, which I think really we should not, as that will expose unRAID's root password on potentially un-encrypted devices - particularly common for Windows clients. Though I guess most Windows backup programs would encrypt the password they use. I was going to use a FOSS command-line program which wouldn't.

Another problem with this nerfed user is running backups across to a remote device that isn't unRAID. I don't think my Synology won't let me create a root user (and like unRAID it seems to nerf its added users), so I presume it would then become owned by 'admin' (the Synology's user-accessible 'root' user, I think). I don't know, but that seems like it would complicate recovery in the event my unRAID machine exploded/was stolen. Maybe I'd just have to chown it after I copied it back?

Man, such unexpected complications. I really would like someone from LimeTech to provide some advice about buffing a backup-user. And maybe, depending on that advice, I might make a feature request for unRAID to have a 'backup-user' in the build that has a home and a shell, if not elevated rights OOTB.

As well as that, I'd like to better understand how other people manage their backups. I'm probably over-complicating things - which is a personality trait of mine. I might start a new thread on that somewhere.
trurl Posted December 31, 2019

In addition to the fact that only root has access to the command line and the webUI, a user named root on the network does not have any special access to shares. Using root to access network shares is just the same as using some other user that you haven't created in the webUI. That is, root is only a guest for network share access.

There are users you create through the webUI, but root is not one of those, though it does allow you to set the root password in the webUI. Users you create in the webUI are the only users that can be given restricted access to shares on the network. Everybody else will only have guest access. Guests have full access to public shares, and read-only access to secure shares. So there is no point in using root to access network shares, though if you do happen to use that username on the network to access shares, it gets treated as any other guest.

Unraid isn't intended to be a general purpose, multiuser Linux. It is a stripped down, customized Slackware Linux designed as a NAS OS with Docker and VM hosting.
Derek_ (Author) Posted January 1, 2020 (edited)

5 hours ago, trurl said:
> Users you create in the webUI are the only users that can be given restricted access to shares on the network. Everybody else will only have guest access. Guests have full access to public shares, and read-only access to secure shares. So there is no point in using root to access network shares, though if you do happen to use that username on the network to access shares, it gets treated as any other guest.

I get that this is a home-focused GUI-based server, and it's pretty obvious that not many people have expressed an interest in this kind of capability and that my scenario is presumably a bit on the fringe. It's a bit of an idealist position I'm taking. I created my user through the webUI initially, not realising that I wouldn't then be able to use that user to do things at the terminal. Of course I now know this to be the case.

As I see it, I presently have these choices:

1. SSH with root (can't SSH as any other user) into the server to perform the backups. This allows me to run automated scheduled maintenance on the server itself via cron without breaking permissions or having to invoke it from a desktop client.
2. Use backup-user to perform client backups to the server via a traditional mount. Use cron to perform scheduled maintenance on the archive (as root). BASH script permissions fixes as part of the cron job.
3. Invoke all operations from the desktop, using backup-user credentials and traditional mounts.
4. Hack unRAID to give me a backup-user I can switch to.

But there are consequences:

1. I'd say this is not best practice. Root should be reserved for activities that require it. Backup maintenance does not require root (normally). This, along with no. 2, means that mutual remote backups (unRAID to offsite/offsite to unRAID) require me to use root SSH as there is no alternative. So my remote box (be it unRAID or other) will have full access to my local unRAID when it performs backups. Not ideal!
2. How then to push a copy to another off-site server? Can only do via cron as root - so once again the permissions get broken. I guess I can script chown/chmod fixes in there too. Really shouldn't have to do this.
3. I don't know what kind of IO that places on the desktop. Maybe it'll slow down a game I'm playing or other disk operations? I really don't know. Plus I have to leave it on - I don't leave my PC on in the middle of the night, which is probably when I'd do these backup healthchecks and send data off-site.
4. Risk lots of problems, especially at system upgrade time. I'm not going to take this approach.

18 hours ago, bonienl said:
> Plans exist for the future to support other users besides 'root' to do system maintenance.

I'd love to see if there's a timeline for this. As they've just released 6.8 (which I'm not yet running; I figure I'd wait a month or so), which presumably doesn't have it - I guess it'll be a while. When's 6.8.1 due?

Thanks for listening

Edited January 1, 2020 by Derek_
Can0n Posted January 1, 2020 (edited)

You can use the SSH plugin called "SSH Config Tool" on the app tab to enable multi-user SSH access. It works well if you don't want to use root when using SSH. More info here.

Edited January 1, 2020 by Can0nfan
Derek_ (Author) Posted January 1, 2020 (edited)

1 hour ago, Can0nfan said:
> You can use the SSH plugin called "SSH Config Tool" on the app tab to enable multi-user SSH access. It works well if you don't want to use root when using SSH.

Thanks. I was just starting to look at keyfile authentication and to my horror it's not in the GUI at all. As I've just posted in the SSH plugin thread, I think that's astonishing. IIRC SSH is enabled OOTB, and now I see that there's no GUI way to change the authentication method to key only. Password entry should be disabled by default. Fixing that should be a doddle: some small config changes.

- Create an 'import' button so people can upload their key.
- Create a 'generate' button, so people can generate a key.
- Create an 'export' button, so people can export their key (to USB, or network share for example).

Reading more, there's no fail2ban built into the OS either. Does the Let's Encrypt Docker with f2b protect the OS, or just the Docker?

Edited January 1, 2020 by Derek_
Can0n Posted January 1, 2020 (edited)

22 minutes ago, Derek_ said:
> Thanks. I was just starting to look at keyfile authentication and to my horror it's not in the GUI at all. As I've just posted in the SSH plugin thread, I think that's astonishing. IIRC SSH is enabled OOTB, and now I see that there's no GUI way to change the authentication method to key only. Password entry should be disabled by default. Reading more, there's no fail2ban built into the OS either. Does the Let's Encrypt Docker with f2b protect the OS, or just the Docker?

I have SSH keys enabled for my PuTTY, and Linux and Mac terminals. I found it on a Linux forum: use and create SSH keys with ssh-keygen.

On the host:

    ssh-keygen
    ssh-copy-id root@<unraid hostname or ip>

On the server (may need to run these as root):

    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys

Then add this to the go file in Tools -> Config File Editor (it will make the key and ssh file persistent across reboots, since the live Unraid system lives in RAM):

    # SSH keys: copy and enable
    mkdir /root/.ssh
    chmod 700 /root/.ssh
    cp /boot/config/ssh/authorized_keys /root/.ssh/
    chmod 600 /root/.ssh/authorized_keys

As for your questions about fail2ban and Let's Encrypt, I can't answer those. I have my own reverse proxy running in a VM on another server and don't expose my server's host IP to the internet (dockers and VMs have access since they cannot access the host directly).

Edited January 1, 2020 by Can0nfan
trurl Posted January 1, 2020

Possibly one of the hundreds of dockers available can be used to solve some of your needs without you needing to resort to the command line. Have you installed the Community Applications plugin yet?
Can0n Posted January 1, 2020

4 minutes ago, trurl said:
> Possibly one of the hundreds of dockers available can be used to solve some of your needs without you needing to resort to the command line. Have you installed the Community Applications plugin yet?

I did, like 3 years ago lol. My post was to be able to SSH without using a password; some things need CLI when the GUI isn't available.
trurl Posted January 1, 2020

1 minute ago, Can0nfan said:
> I did, like 3 years ago lol. My post was to be able to SSH without using a password; some things need CLI when the GUI isn't available.

If I had been replying to you instead of OP I would have quoted something in your post.
Can0n Posted January 1, 2020

Just now, trurl said:
> If I had been replying to you instead of OP I would have quoted something in your post.

hahaha ok no worries
Derek_ (Author) Posted January 1, 2020

9 hours ago, trurl said:
> Possibly one of the hundreds of dockers available can be used to solve some of your needs without you needing to resort to the command line. Have you installed the Community Applications plugin yet?

Yes, I have installed the CA Plugin. Lots of cool stuff. I've already donated to one plugin author (more to come after I leave the experimental stage).

When LimeTech put SSH into the GUI I think they should provide a bit more than they have to improve the security, and not leave it entirely up to a community-developed plugin. That SSH plugin mentioned by CanOnFan looks like it will improve the OOTB/default security nicely. I haven't had the time to play with it yet. I saw in the thread that there was an occasion where people told it to turn off password authentication, and the GUI indicated that was the case - but it hadn't. That's a bit scary.

DenyHost looks like a welcome inclusion in the plugin too. I haven't looked into it yet either. I hope it can ban and not just deny, like fail2ban is capable of.

I don't know how dockers like Let's Encrypt interact at a host OS level. I'm very new to containers.
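The post above describes a plugin whose GUI reported password authentication off while sshd still accepted passwords. The following is an added example, not from the thread or the SSH plugin, that reads the value sshd will actually enforce out of an sshd_config, honouring sshd's first-occurrence-wins rule; the config path and the constructed test configs are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the plugin): report the value sshd
# will actually enforce for a keyword, by reading sshd_config the way sshd does.
# sshd keeps the FIRST occurrence of a keyword, so a tool that appends
# 'PasswordAuthentication no' below an earlier 'yes' changes nothing, which is
# one way a GUI can say "off" while the daemon still takes passwords.
# Assumed: a plain sshd_config path is passed in; Match blocks are not resolved
# (values inside them only apply conditionally, so the global value is reported).

# Print the effective global value of keyword $2 in file $1, or $3 if absent.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }              # skip comments and blanks
        tolower($1) == "match" { exit }             # global section ends here
        {
            k = $1; v = $2
            if (index(k, "=") > 0) {                # "Keyword=value" form
                split(k, kv, "="); k = kv[1]; v = kv[2]
            } else if (v == "=") {                  # "Keyword = value" form
                v = $3
            }
        }
        tolower(k) == key { print v; found = 1; exit }   # first match wins
        END { if (!found) print def }
    ' "$1"
}

# True (exit 0) when password logins would still be accepted.
# sshd defaults PasswordAuthentication to "yes" when the keyword is missing.
password_login_allowed() {
    [ "$(sshd_effective "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')" != "no" ]
}

# One-line audit suitable for a cron notification; exits 1 if passwords are allowed.
audit_sshd() {
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    pk=$(sshd_effective "$1" PubkeyAuthentication yes)
    echo "PasswordAuthentication=$pw PubkeyAuthentication=$pk"
    ! password_login_allowed "$1"
}

# Uncomment to run against the live daemon configuration:
# audit_sshd /etc/ssh/sshd_config
```

Run it after any change the GUI claims to have made; if it still prints PasswordAuthentication=yes, the earlier directive in the file is the one sshd is using.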
trurl Posted January 2, 2020

Unraid 6.8 has WireGuard VPN built in. If you want to access your server from outside your local network, VPN is essential.
Derek_ (Author) Posted January 12, 2020

Well, it's taken me ages but I believe I've cracked the nut. It forced me to learn much more about Linux and I had to (sort of) learn Bash scripting. I now have a fairly comprehensive backup strategy working. I won't go into details, but here's a summary:

- Borg backs up my Linux desktop to unRAID via SSH (using the backup-user -- thanks to the SSH plugin) and using systemd to schedule my bash script. It's quite comprehensive and provides desktop notifications of the status of it. It also prunes old backups.
- unRAID has a scheduled cron job (thanks to the User Scripts plugin) that then switches user to backup-user and runs another script that performs health-checks on the repository without breaking the permissions! These take like 2 hrs for a 400 GB repository, so that's why I want it to run server-side, without the client having to do anything. The script notifies my email via Notifications of the success, warning or failure of the script.
- Not yet implemented, but down the track my unRAID server will SSH to an offsite repository using the backup-user to complete the 1-2-3.

I've learned so much about backups in general, BASH, systemd and unRAID during this exercise. I may try to document it and share, particularly my scripts, which for a total noob I'm quite proud of. It'll take me a while to document it.

Thanks to the people who tried to help through this thread, particularly @Can0nfan who provided awareness of the time-saving SSH addon. I believe I could have done what it does, but it would have taken me longer. 🙏
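The server-side cron job described above, and the earlier `su -s /bin/sh backup-user` workaround, are combined here as an added example; it is not the poster's script and not Borg's own tooling. It audits the repository tree for the owner/mode drift the thread saw after root-run operations, then runs the long check as the backup user via `su -s`; the repository path, user name, expected mode and the `borg check` invocation are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Borg): a root-run cron script that
# (a) audits a Borg repository tree for owner/mode drift, the breakage the
# thread saw after repository operations ran as root, and (b) runs the actual
# maintenance as the backup user via 'su -s', the thread's workaround for
# Unraid users having no login shell in /etc/passwd.
# Assumed: repository path, owner name and expected file mode are passed in.

# List files under $1 not owned by $2 or whose mode is not exactly $3.
audit_repo_perms() {
    repo=$1; owner=$2; mode=$3
    find "$repo" -type f ! -user "$owner"     # ownership drift (e.g. root-owned)
    find "$repo" -type f ! -perm "$mode"      # mode drift (600 where 666 expected)
}

# Number of distinct drifted files; "0" means the tree is clean.
count_drift() {
    audit_repo_perms "$1" "$2" "$3" | sort -u | wc -l | tr -d ' '
}

# Run a command as user $1 from root. 'su - user' did nothing in the thread
# because the Unraid user has no shell; -s supplies one for this command only.
run_as_user() {
    user=$1; shift
    su -s /bin/sh "$user" -c "$*"
}

# Cron entry point: warn on drift, then do the long-running check as the
# backup user so it cannot leave root-owned files in the repository.
main() {
    repo=${1:-/mnt/user/Backups/repo}   # assumed path; substitute your own
    user=${2:-backup-user}
    n=$(count_drift "$repo" "$user" 666)
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n file(s) in $repo have unexpected owner or mode:" >&2
        audit_repo_perms "$repo" "$user" 666 | sort -u >&2
    fi
    run_as_user "$user" "borg check '$repo'"
}

# Uncomment when installing as a User Scripts / cron job:
# main "$@"
```

A non-zero drift count is the signal that something other than the backup user has been writing to the repository, which is what the thread's chown/chmod clean-up was repairing after the fact.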