sacretagent Posted January 19, 2011

since a few people PM'd me about this, i decided to do the whole write up in a new thread

Please be aware i am not a Linux Guru and just put things together with a lot of googling ... i accept no responsibility if your unraid goes POOOFFF

running these things as nobody can be a security risk (although running as root i think is a bigger risk) but as far as i know i didn't see any issue

first of all... i am running Unraid 5B2 and SABNZBD 0.5.6 and i have unmenu installed (might be important for the scripts later on)

then we go to the nasty stuff:

1. Change permissions and ownership on the sab/couchpotato/sickbeard dependency package

    mkdir /tmp/depend
    cp /boot/custom/packages/SABnzbdDependencies-2.1-i486-unRAID.tgz /tmp/depend
    cd /tmp/depend
    tar -zxvf SABnzbdDependencies-2.1-i486-unRAID.tgz
    chown -R nobody install
    chown -R nobody usr
    # build the 2.2 package in /tmp/depend so the cp below has a file to copy
    tar -zcvf SABnzbdDependencies-2.2-i486-unRAID.tgz usr install
    cp SABnzbdDependencies-2.2-i486-unRAID.tgz /boot/custom/packages/

you can delete /tmp/depend if you want but it will delete automatically next reboot
if you want to do this now

    rm -r /tmp/depend

2. Adapt GO file

better take a backup of it... if you mess up you can always go back
the go file should look something like this

    #sleep for 10 seconds
    sleep 10
    #Sab/sickbeard/couchpotato dependencies
    installpkg /boot/custom/packages/SABnzbdDependencies-2.2-i486-unRAID.tgz
    #give nobody shell access
    usermod -s /bin/bash nobody
    #Start SABNZBD
    su nobody -c "python /Path/to/your/servers/SABnzbd.py -d -f /boot/config/SABnzbd.ini -s IP:PORT"
    #Start CouchPotato
    su nobody -c "python /Path/to/your/servers/CouchPotato.py -d"
    #Start SickBeard
    su nobody -c "python /Path/to/your/servers/SickBeard.py -d"

this goes after the line from unmenu to install its scripts

a few remarks though

1. put it at the end of your go script ... the 10 secs sleep is just to be sure that /mnt/cache has the time to be mounted
2. "nobody" needs to be able to access all files in the .custom dirs so better to chown -R nobody /mnt/cache/.custom (or wherever you installed your programs)
3. AGAIN i am a linux beginner and have no clue how safe this is ... i tried to access the unraid by using nobody and no passwd and that didn't work so i guess it is pretty safe but don't take my word on it

It works from boot and i have tested this a few times

this is a piece of Top

    top - 14:32:14 up 1:07, 2 users, load average: 1.49, 1.31, 1.21
    Tasks: 110 total, 3 running, 107 sleeping, 0 stopped, 0 zombie
    Cpu(s): 1.0%us, 5.5%sy, 0.0%ni, 48.7%id, 44.0%wa, 0.2%hi, 0.7%si, 0.0%st
    Mem: 3049788k total, 2636676k used, 413112k free, 534776k buffers
    Swap: 5119992k total, 0k used, 5119992k free, 1797972k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    14812 root 20 0 9816 8600 480 R 11 0.3 0:00.55 dd
    2409 nobody 20 0 396m 122m 3392 S 2 4.1 2:32.51 python
    1 root 20 0 704 332 288 S 0 0.0 0:01.85 init
    2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
    3 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/0

shows clearly python is running under nobody

i downloaded already a bunch of files and they are all owned by nobody and i have all rights on them (2770)
i set 2770 also in the SAB settings

if you telnet into the server and do

    root@p5bplus:~# su nobody
    nobody@p5bplus:/root$ ps x
    PID TTY STAT TIME COMMAND
    1599 ? Ss 0:00 /sbin/rpc.statd
    2409 ? Sl 2:42 python /mnt/cache/.custom/sabnzbd/SABnzbd-0.5.6/SABnz
    3600 ? Sl 0:47 python /mnt/cache/.custom/couchpotato/couchpotato/Cou
    15408 pts/3 S 0:00 bash
    15446 pts/3 R+ 0:00 ps x
    nobody@p5bplus:/root$

then you see that they are running as Nobody (sickbeard is not all the time running yet on my unraid as i still need to move a bunch of shows to my unraid (need to add bigger disks or buy a bigger enclosure))

PLEASE NOTE that it is best to run all 3 either from a mounted disk or from your cache disk .... all 3 programs write quite a bit to their respective folders and a lot of changes will wear your usb key down ... and if your usb is dead then unraid will die too ...
all three programs of mine are on my cache disk under .custom folder

3. Unmenu Userscript buttons

ok now since it is running i also made userscript buttons for all 3 so that you can stop and start all three from unmenu
i post the code underneath... BE AWARE you need to adapt them a bit to your setup

Start Sab

    #701-unmenu_user_script_Start_Sabnzbd
    #define USER_SCRIPT_LABEL Start SABNZBD as Nobody
    #define USER_SCRIPT_DESCR start Sabnzbd as user Nobody
    #move to nobody and start SABNZBD
    su nobody -c "python /Path/to/your/servers/SABnzbd.py -d -f /boot/config/SABnzbd.ini -s IP:PORT"

first line is just the name i save it under in the /boot/unmenu folder
so this one is saved as 701-unmenu_user_script_Start_Sabnzbd.cgi
all 6 unmenu button scripts are saved with .cgi extension
rest of the lines are per directions from the unmenu usermanual on user scripts
Sab's webpage can be opened in seconds after the start button is pushed ...

Stop Sab

    #702-unmenu_user_script_Stop_Sabnzbd
    #define USER_SCRIPT_LABEL Stop SABNZBD
    #define USER_SCRIPT_DESCR Stop Sabnzbd
    #stopping SABNZBD
    wget -q --delete-after "http://sablogin:sabpassword@IP:PORT/shutdown?session=YOUR_SAB_APIKEY_HERE"

this is an easy way to do the same as on the webpage and click shutdown

-q = quiet .. you can delete that and you will get some output in unmenu userscript page at the bottom which is handy for troubleshooting
--delete-after = will delete any html crap wget will download from the shutdown page
sablogin and sabpassword is the login name for SAB and the password for sab ... if you don't use one then you can delete that part together with the @
ip:port = your sab ip and port, should be same IP as your unraid
YOUR_SAB_APIKEY_HERE = SAB api key you can find under config/general

Start Sickbeard

    #703-unmenu_user_script_Start_Sickbeard
    #define USER_SCRIPT_LABEL Start SICKBEARD as Nobody
    #define USER_SCRIPT_DESCR start Sickbeard as user Nobody
    #move to nobody and start Sickbeard
    su nobody -c "python /Path/to/your/servers/SickBeard.py -d"

Sickbeard can take up till 2 minutes before the webpage opens... (at least in my case with more than 500 shows and 25000 eps)

Stop Sickbeard

    #704-unmenu_user_script_Stop_Sickbeard
    #define USER_SCRIPT_LABEL Stop SICKBEARD
    #define USER_SCRIPT_DESCR Stop Sickbeard
    #stopping Sickbeard
    wget -q --delete-after http://Sickbeardlogin:Sickbeardpassword@ip:port/home/shutdown/

Sickbeard login and password are the username and password you use to login into the sickbeard webpage
if you don't use one you can delete this....

Start CouchPotato

    #705-unmenu_user_script_Start_Couchpotato
    #define USER_SCRIPT_LABEL Start COUCHPOTATO as Nobody
    #define USER_SCRIPT_DESCR start Couchpotato as user Nobody
    #move to nobody and start Couchpotato
    su nobody -c "python /Path/to/your/servers/CouchPotato.py -d"

couchpotato takes at least 20 seconds before the webpage will open... this is because it loads first the database

Stop CouchPotato

    #706-unmenu_user_script_Stop_Couchpotato
    #define USER_SCRIPT_LABEL Stop COUCHPOTATO
    #define USER_SCRIPT_DESCR Stop Couchpotato
    #stopping Couchpotato
    wget -q --delete-after http://couchpotatologin:couchpotatopassword@IP:PORT/config/exit/

again Couchpotato login and password are login and password that you use to get into the couchpotato webpage
if you don't use one you can delete...

guess this is it ... if you have problems i can try to help you when you post in this thread
and if not maybe one of the other more advanced linux users will maybe help you out....
as i said before ... Only linux beginner (i hope not noob any more) ... there might be ways to do this more elegantly or faster but it works ....

upthetoon Posted January 19, 2011

Thanks sacretagent, I will be trying this tonight! One related note... if you run couchpotato I don't think whatever drive you are running it from will sleep. The other two will after a few changes to the configs.

sacretagent Posted January 19, 2011

running it on my cache drive... and he will never sleep i am afraid
sab downloads every month a lot of files for me
till now always has a queue from about 200 files LOL

Orbi Posted January 19, 2011

sacretagent, could you tell me what reasons would you have to run these programs with permissions other than root? If the root password is not default and constitutes a good password in itself, what are the risks running these processes as root?

sacretagent Posted January 19, 2011

biggest problem is that the downloaded files are ending up with root permissions and you need to run a chmod/chown script against it to access them
for me this is the only real reason... i see in every linux forum everybody saying not to run things as root and I know a few programs out there will not run as root for some security reason.... but i also have no idea what could be the real issue... I am not a hacker and have no intentions to become one so no idea where the panic is all about ...

Tybio Posted January 19, 2011

That's odd, I'm running SABnzbd as root along with Sick Beard and CouchPotato, both of which move the files to the shares. SABnzbd doesn't do the moving, so having that run as another user wouldn't do anything for the permissions. I'm also seeing the files that Sick Beard and CouchPotato put in place on the shares without issue, and they are owned by root:

    drwxr-xr-x 1 root root 256 Jan 18 13:56 ./
    drwxr-xr-x 1 root root 3.4K Jan 15 12:11 ../
    -rwx------ 1 root root 46K Jan 18 13:56 Wanted.jpg*
    -rw-r--r-- 1 root root 6.6G May 3 2010 Wanted.mkv
    -rwx------ 1 root root 5.7K Jan 18 13:56 Wanted.nfo*

Perhaps there is some other configuration or issue that's causing root owned files to not be seen on shares?

lionelhutz Posted January 19, 2011

Cool stuff. FYI, sab doesn't need the "-s IP:PORT" switch after it has been run the first time. The IP and port are stored in the config file.

Peter

upthetoon Posted January 19, 2011

> That's odd, I'm running SABnzbd as root along with Sick Beard and CouchPotato, both of which move the files to the shares. SABnzbd doesn't do the moving, so having that run as another user wouldn't do anything for the permissions.

Are you running a 5.0 beta or one of the 4. versions Tybio?

techie.trumpet Posted January 19, 2011

I recently installed sabnzbd, sickbeard, and couchpotato and also had an issue with the applications setting the owner / group to root : root for newly downloaded files. I am running unRAID 4.6 connected to Active Directory and I wanted the owner / group to be assigned to a domain user and group. My solution was to write a custom shell script that is executed when the applications are finished processing the downloaded files.

Sickbeard supports the execution of custom scripts via the extra_scripts property in the config.ini file. After reviewing the Sickbeard / sabnzbd documentation I learned that the first argument passed to the custom script is the newly downloaded file and therefore my custom script is:

    #!/bin/bash
    chown "DOMAIN\user"."DOMAIN\media users" "$1"

I saved this script in the /mnt/cache/.custom/sickbeard/autoProcess/media-setowner.sh so it could also be used by sabnzbd. In sabnzbd I created a couple of custom categories for Media files that are not downloaded by Sickbeard or CouchPotato and assigned my custom script via the script drop down.

I am still testing it out but so far it appears to be working.

upthetoon Posted January 22, 2011

Wahey. Finally got this working. I was using port 88 for SABnzbd but it didn't like this running under nobody. I gave it a higher port number and now it's working fine. Thanks again sacretagent.

BRiT Posted January 22, 2011

Oh, right... Only 'root' users can bind to ports below 1024. It's an old unix security adage. The typical steps in other services are to invoke service as root to bind to any needed ports below 1024 then shed root privs and run under lower security user such as nobody or download.

There's another way of doing this, but I don't know if it's in unRAID or if it'll work for anything that's a script and I doubt you'd want to set it directly on python.

    setcap 'cap_net_bind_service=+ep' /path/to/program

upthetoon Posted January 22, 2011

> Oh, right... Only 'root' users can bind to ports below 1024. It's an old unix security adage.

Yes, I came across this magic number after researching the error. When you see this do you want to put a note in the opening post Sacretagent?

Tybio Posted January 22, 2011

> Are you running a 5.0 beta or one of the 4. versions Tybio?

I was running 4.5 (I believe, it's early) until yesterday when I moved up to 4.7Beta1

upthetoon Posted January 27, 2011

I had been running sickbeard with the log location of /var/log/ which meant my cache drive would spin down. When running sickbeard as nobody I had to change the log directory to a folder on my cache drive otherwise it would generate permission errors with /var/log/. After googling the issue it seems only root has access to /var/log/. I have tried changing the permissions of /var/log/ to 775 but it still gives errors.

Does anyone know if there is any way to give nobody access to write to /var/log/ or some other solution to change the logging of sickbeard to allow the cache drive to spin down?

BRiT Posted January 27, 2011

With a permission mode of 775 you only opened it up to the same group. The /var/log/ directory is owned by 'root' user and is in the 'root' group. The user 'nobody' is in the group 'nobody'. To allow 'nobody' to have write permissions to the /var/log/ directory, you could possibly open up the other users permissions with a mode like 777. Security warnings and all that apply when opening up directories to an account that was designed to be restrictive.

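The 775 versus 777 behaviour discussed in the posts above, as an added example that is not part of any poster's message: it picks the mode triplet that applies to a user and checks whether that user can create files in the directory, then flags what mode 777 additionally exposes. The uid/gid 99 for nobody and the dedicated mode-750 subdirectory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. All uid/gid values are constructed for illustration.

# perm_class OWNER_UID OWNER_GID UID "GIDS": which mode triplet applies.
# The first match wins; the triplets are never combined.
perm_class() {
    if [ "$3" -eq "$1" ]; then echo owner; return 0; fi
    for g in $4; do
        if [ "$g" -eq "$2" ]; then echo group; return 0; fi
    done
    echo other
}

# can_create MODE OWNER_UID OWNER_GID UID "GIDS": can UID create files in
# the directory? That needs write (2) and search (1) in the applicable triplet.
can_create() {
    if [ "$4" -eq 0 ]; then echo "root:yes"; return 0; fi
    class=$(perm_class "$2" "$3" "$4" "$5")
    bits=$((0$1))                       # leading 0 makes the mode octal
    case $class in
        owner) trip=$(( (bits >> 6) & 7 )) ;;
        group) trip=$(( (bits >> 3) & 7 )) ;;
        *)     trip=$(( bits & 7 )) ;;
    esac
    if [ $(( trip & 3 )) -eq 3 ]; then echo "$class:yes"; else echo "$class:no"; fi
}

# world_can_replace MODE: a directory writable by "other" without the
# sticky bit (01000) lets any local account delete or rename files in it,
# including log files written by root.
world_can_replace() {
    bits=$((0$1))
    if [ $(( bits & 3 )) -eq 3 ] && [ $(( bits & 01000 )) -eq 0 ]; then
        echo yes
    else
        echo no
    fi
}

# /var/log owned by root:root (0:0); nobody assumed to be uid 99, gid 99.
can_create 775 0 0 99 99         # other:no  (775 changes nothing for nobody)
can_create 777 0 0 99 99         # other:yes
world_can_replace 777            # yes
world_can_replace 1777           # no
# Narrower alternative (assumption): a subdirectory owned by nobody, mode 750.
can_create 750 99 99 99 99       # owner:yes
can_create 750 99 99 1000 1000   # other:no
```
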
upthetoon Posted January 27, 2011

ah, OK. Cheers Brit, I'll give it a go tonight.

prostuff1 Posted January 27, 2011

> ah, OK. Cheers Brit, I'll give it a go tonight.

My suggestion would be to NOT mess with /var/log and print it to something like /tmp/log

upthetoon Posted January 27, 2011

thanks pro but using /tmp/log doesn't appear to let the drive spindown. I've 777'd my /var/log directory and it's working now. Nothing has blown up just yet but I'll keep an eye on it...

prostuff1 Posted January 27, 2011

> thanks pro but using /tmp/log doesn't appear to let the drive spindown. I've 777'd my /var/log directory and its working now. Nothing has blown up just yet but I'll keep an eye on it...

There is no log directory in /tmp by default, you would need to create it. I suggested /tmp/log as to keep things consistent with /var/log. If you create the log folder in /tmp and then put the log files there the drives should spin down like they did previously.

dirrtyjoe Posted January 27, 2011

The user scripts above (modified to match my settings, obviously) are not working for me... I'm not using the 'nobody' user and attempted to just use root --> anyone know what may be the issue? The buttons appear and look fine but clicking one does not lead to a start or stop.

kaiguy Posted January 28, 2011

So I've never encountered a problem with accessing my downloaded files. Is this because I haven't changed the unRAID basic security settings? If I end up having user-level access, is this when I'll have to go down this road? And having SAB add 777 permissions to my downloaded files won't fix that?

Tybio Posted January 28, 2011

> So I've never encountered a problem with accessing my downloaded files. Is this because I haven't changed the unRAID basic security settings? If I end up having user-level access, is this when I'll have to go down this road? And having SAB add 777 permissions to my downloaded files won't fix that?

I have user level security and no problem with root running the python servers.

sacretagent Posted January 31, 2011

> > So I've never encountered a problem with accessing my downloaded files. Is this because I haven't changed the unRAID basic security settings? If I end up having user-level access, is this when I'll have to go down this road? And having SAB add 777 permissions to my downloaded files won't fix that?
>
> I have user level security and no problem with root running the python servers.

It is only an issue in 5 series i think :0
different way of setting things up... i never tried the 4 series so i am not sure but i read something like that in the release notes

sacretagent Posted January 31, 2011

> The user scrips above (modified to match my settings, obviously) are not working for me... I'm not using the 'nobody' user and attempted to just use root --> anyone know what may be the issue? The buttons appear and look fine but clicking one does not lead to a start or stop.

if you add what you are using then we can advise you, but in the quoted post there is not enough information
basically your last line should be something like this

    python /Path/to/your/servers/SickBeard.py -d

maybe with quotes around them

abuzzbuzz Posted February 1, 2011

This was just what I was looking for. I am in the process of installing all of my drives and copying stuff over to my new unraid. I use all of these on windows, so this would be great to get running on the unraid pc. Has anyone had success with this? I am new to linux, so let me know if you had to change anything. I will give it a go in a couple of days and let you know what happens. Thanks again.