User accounts on UnRaid... what is the best strategy?



My wife and I are part-time photographers and can generate lots of data. I use Unraid to house the terabytes of images that we have. In order to mitigate risk, I would like for each of us to have our own user account but be able to read/write to some of the same shares. Problem is even if we both have read/write access, if she creates files as herself, I can't delete them. And vice versa. Is there not a way to have a read/write share create the files as 'nobody' so that we can both manage them?

 

Seems the only solution is to share an account. Windows is no help since we can't have different folders mounted with different accounts. It really limits how I can do account management.

 

What are others doing?

Link to comment

So I'm not an expert at user accounts, but here's what I'll say... it sounds like you want to do exactly what having user accounts is supposed to prevent you from doing. If Mary creates a file, why should John be able to delete it on Mary, and vice versa? It's Mary's file, she doesn't want anyone else to touch it.

 

Why bother with user accounts if you want to be able to delete each other's files? That defeats the purpose of the user account in that sense. There's really nothing else to use user accounts for on Unraid.. at least in my opinion.. Except for being able to prevent someone else from deleting your files on your own user share I don't personally see the need for Unraid user accounts.. And if you're somehow trying to "mitigate risk" by using user accounts, once again the ability to delete stuff across accounts defeats the attempt at mitigating the risk.

 

However, with that said .. it seems, through my very quick and basic testing, that your problem seems to mainly be the accessibility from Windows shares?

 

How did you mount the share?

 

On Unraid I created two new users, test1 and test2, a new share called 'test' with 'Secure' security settings, and R/W for both users.  I created a file on the share from each user account.  I mounted the share on Windows via normal drive mapping, anonymous connection.  Since the share's security setting only allows guest read-only access I couldn't do anything to the files.

 

I remounted the share logging in with test1 user credentials and could delete either file.  Same for test2 credentials.  The owner of the file had no bearing on my ability to delete it from either mapped drive user account.  This ability again means that user accounts do not mitigate any kind of risk.

 

So do you have yours mounted in the same way or something different?

 

Off topic, got myself a Canon EOS T6 that I play around with... how bout you?

Link to comment

Sorry, I didn't have notifications turned on for this post. (Wish it did that by default, rookie mistake on my part.)

 

Your test results don't match mine. When I mount a Secure drive via a specific user from Windows, if you ssh into Unraid you can see that the file is owned by that user. And from Windows I cannot delete files that the other person created. I mounted the shares via 'net use'.

 

My goal for user accounts was so that each person could read/write anything (no matter the owner) on shares where they have read/write permissions. But not be able to delete files on drives where they only have read permissions. As it stands, I have us both using the same credentials, which limits my ability to decide which shares each of us can read/write to. If Windows allowed me to have different users for different shares, that would solve it too. But... that's not allowed.

--- oh, and I mostly use a Sony A7ii these days.  

Edited by trevisthomas
Link to comment
8 hours ago, tjb_altf4 said:

It's still possible to adjust the ACLs on the Windows side (right-click file/folder > properties > security) and add users or alter permissions.

This might be a path forward for you.

Hm, I didn’t try that. Maybe I’m overthinking this issue. It’s probably quite the edge case that I need to delete something that she’s created, and vice versa. And when that happens I can ssh and chown. It just took me by surprise that since I was logged in as me when I migrated her data over that she couldn’t delete files. I didn’t think of it at the time.

Link to comment
