Samba/NFS | Support userdata directory with permissions that allow apps to function? #2067

Closed
MichaIng opened this Issue Sep 11, 2018 · 19 comments

@MichaIng
Collaborator

MichaIng commented Sep 11, 2018

Ref: https://dietpi.com/phpbb/viewtopic.php?f=11&t=4595#p14233

  • Does the issue occur, if the server (Windows?) file system (NTFS?) does not support permissions?
  • Is it somehow possible via cifs mount options e.g. to adjust owner and permissions for the whole network mount, just client-side, e.g. to dietpi:dietpi 775 to allow Sonarr etc users r/w access?
  • Could this be a similar issue for other network mounts and is there a similar solution possible?

Fourdee Sep 12, 2018

Owner

@MichaIng

Samba does not support setting remote permissions with NTFS volume (linux Samba server with NTFS drive):

root@DietPi:/mnt/samba# chown -R dietpi:dietpi Video
root@DietPi:/mnt/samba# ls -lha
total 4.0K
drwxr-xr-x 2 root root    0 Sep 11 09:35 .
drwxr-xr-x 8 root root 4.0K Jul 23 21:53 ..
drwxr-xr-x 2 root root    0 Dec 12  2016 #Backups
drwxr-xr-x 2 root root    0 Sep 11 13:43 downloads
drwxr-xr-x 2 root root    0 Jul 21 22:14 Music
drwxr-xr-x 2 root root    0 Jul 21 22:14 Pictures
drwxr-xr-x 2 root root    0 Jul 21 22:21 _PRE_BK
drwxr-xr-x 2 root root    0 Jul 21 22:14 Video

Same with EXT4:

root@DietPi:/mnt/samba2# chown -R dietpi:dietpi Video
root@DietPi:/mnt/samba2# ls -lha
total 4.0K
drwxr-xr-x 2 root root    0 Sep 10 12:17 .
drwxr-xr-x 9 root root 4.0K Sep 12 10:03 ..
drwxr-xr-x 2 root root    0 Sep 10 12:17 downloads
drwxr-xr-x 2 root root    0 Sep 10 12:17 Music
drwxr-xr-x 2 root root    0 Sep 10 12:17 Pictures
drwxr-xr-x 2 root root    0 Sep 10 12:17 Video

Hmm, need to research and confirm this is as Samba intended.

Ok, I believe this is per design, as setting a user/group permissions on a remote system, would require the remote system to also have that user/group locally.
Samba appears to mount with the creds that the server has setup (eg: dietpi), past that point, permissions cannot be changed on the filesystem.
You can however, change the following settings in /etc/samba/smb.conf, to tweak the file/folder mask once connected:

        create mask = 0775
        directory mask = 0775

As far as I can tell, setting file/folder permissions on a remote samba server is not possible, by design. Either that, or there is some magical Samba server setting, which I am unaware of.

@Fourdee Fourdee modified the milestones: v6.15, v6.16 Sep 12, 2018

@Fourdee Fourdee self-assigned this Sep 16, 2018

Fourdee Sep 16, 2018

Owner

non-root applications are unable to access /mnt/samba (eg: radarr, sonarr), is it possible to:

  • Mount Samba with nobody:dietpi? Allowing access?
  • Provide info for the user to change run-level user back to root for required applications? (the whole point of doing this was to improve security, with lack of Samba access being the downside, due to inability to set folder specific permissions)

MichaIng Sep 16, 2018

Collaborator

@Fourdee
Check: https://dietpi.com/phpbb/viewtopic.php?f=11&t=4595&start=10#p14439

  • Works well here 😀.
    €: Works as well for user, check forum.

Btw: On NFS mounts, permissions are directly taken from NFS server. Changing them on client mount, changes them directly on server as well.
Only issue might be, the NFS server share does not support permissions. But there is nothing we could do about that, as I could not find settings to globally set/change permissions on the mount. Not sure who actually has which access to a fs without permission support? root only, or the user that mounted the drive? Needs testing with NTFS NFS share.

Fourdee Sep 18, 2018

Owner

@MichaIng

dietpi:dietpi 770 should allow r/w access for Sonarr and such, as these software titles run as their own user, but as dietpi group.

Legend 👍

Yep, I'll send a commit to make the changes, will run some tests as well.

Fourdee Sep 18, 2018

Owner

Mounts root with:

G_ERROR_HANDLER_INFO_ONLY=1 G_RUN_CMD mount -t cifs -o username="$samba_clientuser",password="$samba_clientpassword",uid=dietpi,gid=dietpi,file_mode=0770,dir_mode=0770,vers=${acifs_versions[$i]} //"$samba_clientname"/"$samba_clientshare" "$samba_fp_mount_target"

umount and remount required to apply 😕

🈯️ Does work, forgot to add to initial mount lol
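
The mount command above passes the share password inside `-o`, where it is part of the mount process's argument list while the command runs. As an added example (not DietPi code; function names and sample values are hypothetical), the same uid/gid/file_mode/dir_mode options built around the `credentials=` file option of mount.cifs:

```shell
#!/bin/sh
# Added example, not DietPi code. Function names and sample values are hypothetical.

# Write a mount.cifs credentials file that only its owner can read.
# The password goes through the shell builtin printf, so it is never an
# argument of an external process. A password containing a comma also works
# here, while it cannot be parsed from an inline password= option.
# Usage: write_cifs_credentials FILE USER PASSWORD
write_cifs_credentials() {
    cred_file=$1
    case "$2$3" in
        *"
"*) echo "newline in user name or password" >&2; return 1 ;;
    esac
    (
        umask 077    # a new file is created 0600 from the start
        printf 'username=%s\npassword=%s\n' "$2" "$3" > "$cred_file"
    ) || return 1
    chmod 600 "$cred_file"    # also tighten a file that already existed
}

# Succeed only if FILE is a regular file with mode rw------- (0600).
# Usage: cred_file_is_private FILE
cred_file_is_private() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1") in
        -rw-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the -o option string: the secret is referenced by path, the ownership
# and mode options are the ones used in the thread.
# Usage: cifs_mount_options CRED_FILE OWNER GROUP MODE VERS
cifs_mount_options() {
    case $4 in
        0[0-7][0-7][0-7]) ;;    # accept a four-digit octal mode only
        *) echo "invalid mode: $4" >&2; return 1 ;;
    esac
    printf 'credentials=%s,uid=%s,gid=%s,file_mode=%s,dir_mode=%s,vers=%s\n' \
        "$1" "$2" "$3" "$4" "$4" "$5"
}

# Demo with constructed values; no mount is performed.
demo_dir=$(mktemp -d)
write_cifs_credentials "$demo_dir/cred" 'mediauser' 'p,ss w0rd'
cred_file_is_private "$demo_dir/cred" && echo "credentials file is 0600"
cifs_mount_options "$demo_dir/cred" dietpi dietpi 0770 3.0
# Real use would be:
#   mount -t cifs -o "$(cifs_mount_options /path/to/cred dietpi dietpi 0770 3.0)" //server/share /mnt/samba
rm -rf "$demo_dir"
```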

Fourdee pushed a commit that referenced this issue Sep 18, 2018

Daniel (Fourdee)
v6.16
+DietPi-Drive_Manager | Samba Mount: Now mounts with user and group of 'DietPi'. This matches group permissions for applications that will prevent permission failure, when samba is used for userdata location: #2067

Fourdee Sep 18, 2018

Owner

Testing required:

  • Install sonarr/radarr
  • Set Samba as userdata dir

DietPi-Drive_Manager

  • Userdata move is disabled for network drives.

DietPi-Software

  • 🈯️ Can set a custom location, and/or, list mounted drives (including samba)

🈯️ Works fine.

root@DietPi:~# ls -lha /mnt/samba/dietpi_userdata/
total 0
drwxrwx--- 2 dietpi dietpi 0 Sep 18 14:18 .
drwxrwx--- 2 dietpi dietpi 0 Sep 18 14:50 ..
drwxrwx--- 2 dietpi dietpi 0 Sep  8 09:44 downloads
drwxrwx--- 2 dietpi dietpi 0 Sep  8 09:44 Music
drwxrwx--- 2 dietpi dietpi 0 Sep  8 09:44 Pictures
drwxrwx--- 2 dietpi dietpi 0 Sep 18 14:49 radarr
drwxrwx--- 2 dietpi dietpi 0 Sep 18 14:50 sonarr
drwxrwx--- 2 dietpi dietpi 0 Sep  8 09:44 Video

 DietPi-Services
─────────────────────────────────────────────────────
 Mode: status

[  OK  ] DietPi-Services | sonarr       active (running) since Tue 2018-09-18 14:51:04 BST; 5s ago
[  OK  ] DietPi-Services | radarr       active (running) since Tue 2018-09-18 14:51:04 BST; 5s ago
[  OK  ] DietPi-Services | cron active (running) since Tue 2018-09-18 14:51:04 BST; 5s ago
[  OK  ] DietPi-Services | ssh  active (running) since Tue 2018-09-18 11:51:37 BST; 2h 59min ago
[  OK  ] DietPi-Services | dietpi-preboot       active (exited) since Tue 2018-09-18 11:51:37 BST; 2h 59min ago
[  OK  ] DietPi-Services | dietpi-boot  active (exited) since Tue 2018-09-18 11:51:42 BST; 2h 59min ago
[  OK  ] DietPi-Services | dietpi-postboot      active (exited) since Tue 2018-09-18 11:51:42 BST; 2h 59min ago

Fourdee Sep 18, 2018

Owner

Offtopic issue with RockPro64:

http://www.linux-mtd.infradead.org/doc/general.html

MTD subsystem (stands for Memory Technology Devices) provides an abstraction layer for raw flash devices. It makes it possible to use the same API when working with different flash types and technologies, e.g. NAND, OneNAND, NOR, AG-AND, ECC'd NOR, etc.
MTD subsystem does not deal with block devices like MMC, eMMC, SD, CompactFlash, etc. These devices are not raw flashes but they have a Flash Translation layer inside, which makes them look like block devices.

I'll disable this from scrape for now.

root@DietPi:~# lsblk -nro NAME
mtdblock0
mtdblock1
mtdblock2

Fourdee pushed a commit that referenced this issue Sep 18, 2018

Daniel (Fourdee)
v6.16
+ Minor text: #2067 (comment)

Fourdee pushed a commit that referenced this issue Sep 18, 2018

Daniel (Fourdee)
v6.16
+DietPi-Drive_Manager | RockPro64: Resolved an issue where mtdblock devices would show up in the list. As far as we can tell, these are not currently required for EMMC/SD/USB devices. To ensure the list only shows actual devices, we have disabled them from showing up in view: #2067 (comment)

@Fourdee Fourdee changed the title from Changing permissions fails on Samba mount to Samba/NFS | Support userdata directory with permissions that allow apps to function? Sep 19, 2018

@Fourdee Fourdee referenced this issue Sep 19, 2018

Merged

v6.16 #2080

Fourdee added a commit that referenced this issue Sep 19, 2018

Merge pull request #2080 from Fourdee/testing
v6.16
(19/09/18)

**Changes / Improvements / Optimizations:**

DietPi-Config | WiFi: Added support for applying up-to 5 SSIDs: #368

DietPi-Drive_Manager | Samba Mount: Now mounts with user and group of 'DietPi'. This matches group permissions for DietPi applications that will prevent permission failure, when samba is used for userdata location: #2067

DietPi-Software | Pi-hole: You can now install Pi-hole again on Debian Jessie system, as support got re-enabled with Pi-hole v4.0 FTLDNS update.

**Bug Fixes:**

General | Resolved an issue where 1st run setup password prompt, would run twice. Once on 1st run and once after updates are completed.

General | Resolved an external issue where in very rare cases WiFi interfaces were not initiated successfully: #2074

DietPi-Config | Sparky SBC: Resolved an issue where Piano DAC firmware was not being fully installed.

DietPi-Config | Resolved an issue with selected WiFi SSID not being correctly applied: #2070 (comment)

DietPi-Drive_Manager | RockPro64: Resolved an issue where mtdblock devices would show up in the list. As far as we can tell, these are not currently required for EMMC/SD/USB devices. To ensure the list only shows actual devices, we have disabled them from showing up in view: #2067 (comment)

DietPi-Postboot | Resolved an issue where user scripts were not being executed '/var/lib/dietpi/postboot.d/*'.

@Fourdee Fourdee modified the milestones: v6.16, v6.17 Sep 19, 2018

Fourdee Sep 30, 2018

Owner

🈯️ NFS supports permissions, at least on a Linux share:

root@DietPi:~# ls -lha /mnt/nfs_client/
total 32K
drwxrwxr-x 8 dietpi   dietpi   4.0K Sep 30 18:49 .
drwxr-xr-x 7 root     root     4.0K Sep 30 19:30 ..
drwxrwxr-x 2 dietpi   dietpi   4.0K Sep 19 14:12 downloads
drwxrwxr-x 2 dietpi   dietpi   4.0K Sep 19 14:12 Music
drwxrwx--- 6 statd         112 4.0K Sep 30 19:30 mysql
drwxrwx--- 5 www-data www-data 4.0K Sep 30 18:55 nextcloud_data
drwxrwxr-x 2 dietpi   dietpi   4.0K Sep 19 14:12 Pictures
drwxrwxr-x 2 dietpi   dietpi   4.0K Sep 19 14:12 Video

Fourdee Sep 30, 2018

Owner

🈴 Samba does not

root@DietPi:~# ls -lha /mnt/samba
total 4.0K
drwxrwx--- 2 dietpi dietpi    0 Sep 30 18:49 .
drwxr-xr-x 7 root   root   4.0K Sep 30 19:35 ..
drwxrwx--- 2 dietpi dietpi    0 Sep 19 14:12 downloads
drwxrwx--- 2 dietpi dietpi    0 Sep 19 14:12 Music
drwxrwx--- 2 dietpi dietpi    0 Sep 30 19:35 mysql
drwxrwx--- 2 dietpi dietpi    0 Sep 30 18:55 nextcloud_data
drwxrwx--- 2 dietpi dietpi    0 Sep 19 14:12 Pictures
drwxrwx--- 2 dietpi dietpi    0 Sep 19 14:12 Video

However, now mounts with dietpi user and group, so in theory, userdata applications "should" work, however, this needs to be manually set/tweaked by the user, as it will fail the permissions test during userdata move as of v6.17, which is now required.

Completed.

@Fourdee Fourdee closed this Sep 30, 2018

Dr0bac Oct 2, 2018

@Fourdee I have the same problem with radarr not importing movies, but my HDD is an external HDD connected directly to the RPi3. It says in the radarr logs:
Couldn't import movie /mnt/dietpi_userdata/downloads/Avatar: Acess to the path "/mnt/dietpi_userdata/Plex/Movies/Avatar" is denied..
Then I changed the user of /mnt/dietpi_userdata/Plex/Movies to radarr:root and now in the radarr logs I get
Couldn't import movie /mnt/dietpi_userdata/downloads/Avatar: Acess to the path is denied..
I guess the download folder is now the problem. I don't know if I should change the users of that folder.
I tried adding the radarr user to the root group but nothing changed:
usermod -a -G root radarr
All my folders in the Plex folders have permissions drwxrwxr-x and plex was the main user, so I can delete movies from the Plex menu.

MichaIng Oct 2, 2018

Collaborator

@Dr0bac
Thanks for your report. But this is a different issue. So not NFS or Samba is the problem in your case, but plex+radarr cross access.

So I guess, the files in Plex folder are owned by plex:plex?
To allow access to most other software, installed via dietpi-software, you need to add radarr user to plex group and add plex as well to dietpi group, to allow access of plex to download and other folders as well.

I link the issue to: #350 (comment)

  • Fits better there. Like transmission, plexmediaserver is an APT install that brings its own service. We can make the service run as dietpi group, which allows access to dietpi_userdata/*, and hope that this also leads to files being created with dietpi group. Or we add a usermod -a -G step to dietpi-software to add each software run user to each other's group, where cross access is needed. This prevents the need to edit the APT installed service file and allows APT to patch it in case.

Dr0bac Oct 2, 2018

@Michalng
Yes, different problem, but it started recently i guess when 6.14 update was installed.. no it's not plex:plex.. it's plex:root.. and it worked like that perfectly last 6 months..so i guess plex and radarr are in root group? So if radarr don't have permissions to download folder i must add it to dietpi group, not root group?

MichaIng Oct 3, 2018

Collaborator

@Dr0bac

plex:root

🤔 Okay this is bad. Hmm I would never want to add software run users to root group actually. Bad repo package default then... I hope for our fix in DietPi install script we can change it the way that files are created as plex:plex or plex:dietpi.
So yeah, in this case you have no other chance than adding radarr user to root group for now.

i guess when 6.14 update was installed

It should have worked until v6.12: #1938

  • We changed most software titles to run with their own users instead of all as root, for security reasons.
  • But indeed that made cross software access quite complicated.

So if radarr don't have permissions to download folder i must add it to dietpi group, not root group?

Radarr does already run as dietpi group, so should have access to download folder actually.

Verify:
cat /etc/systemd/system/radarr.service

  • Should show User=radarr and Group=dietpi

ls -al /mnt/dietpi_userdata/downloads

  • Should be dietpi:dietpi 775

With radarr should have access 🤔.

Dr0bac Oct 3, 2018

@MichaIng
It's my fault that the media folders are plex:root. I saw somewhere, I guess on reddit, that plex must be the owner of media files so I can delete movies with it. Also the plex plugin subzero for subtitles can't work without changing permissions.
I tried the first command and I got, like you said:
User=radarr
Group=dietpi
After the second command I saw that the download folder owner is dietpi:dietpi, but downloaded movie folders are under root:root, and permissions are different. Maybe that is the reason. Who creates those folders, transmission or radarr?

Dr0bac Oct 4, 2018

@MichaIng I don't know why I can't tag you manually. Anyway, I did what you asked me to do.

MichaIng Oct 4, 2018

Collaborator

@Dr0bac
The folders should be created by transmission then. It has currently the same issue as plex. Check this: #350 (comment)

Please try:
Replace our custom transmission service (/etc/systemd/system/transmission-daemon.service) with the one provided in the link (this is package default), but add Group=dietpi beneath User=debian-transmission.

Then adjust transmission settings to create new downloads with 770 (or if you need 775) permissions:
G_CONFIG_INJECT '\"umask\":' '\"umask\": 7,' /etc/transmission-daemon/settings.json should do it, respectively with value 2 instead of 7.

That should lead to transmission creating files as debian-transmission:dietpi with 770/775 permissions, allow access for all other software (in dietpi group) and transmission being able to access other dietpi group files.

If downloads by transmission are not created as dietpi group, then it would be needed to add plex and radarr to debian-transmission group:
usermod -a -G debian-transmission radarr plex

The working solution will be implemented to DietPi v6.17 :).


Yeah not sure why the first tag didn't work, however the second did. I edited my tag in your first post, now or does as well, even I can't see a change 🤔.

Dr0bac Oct 4, 2018

@MichaIng thanks for your support, but I don't see any link. Do you want me to add two lines in the current transmission service file, or do I need to change that service file with the new one and add those lines?
But I can wait for the new dietpi update if you guys are gonna fix it, it's not a big deal.
Thanks

MichaIng Oct 6, 2018

Collaborator

@Dr0bac
Whole steps:

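# Quoted delimiter, so the shell writes $MAINPID literally instead of expanding it to an empty string
cat << '_EOF_' > /etc/systemd/system/transmission-daemon.service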
[Unit]
Description=Transmission BitTorrent Daemon
After=network.target

[Service]
User=debian-transmission
Group=dietpi
Type=notify
ExecStart=/usr/bin/transmission-daemon -f --log-error
ExecStop=/bin/kill -s STOP $MAINPID
ExecReload=/bin/kill -s HUP $MAINPID

[Install]
WantedBy=multi-user.target
_EOF_
G_CONFIG_INJECT '\"umask\":' '\"umask\": 7,' /etc/transmission-daemon/settings.json

€: Ah, when you already used transmission, the config file will be owned by root, thus the following is needed to start the daemon with above:
chown debian-transmission:debian-transmission /etc/transmission-daemon/settings.json

I will also test now myself 🙂.
🈯️ Jep, now files are created correctly. We will add the group via:

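# The drop-in directory does not exist by default
mkdir -p /etc/systemd/system/transmission-daemon.service.d
cat << _EOF_ > /etc/systemd/system/transmission-daemon.service.d/dietpi-group.conf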
[Service]
Group=dietpi
_EOF_

This allows APT in case to update the local config file.
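
The "Verify" steps earlier in the thread (User=/Group= of the service, owner and mode of the directory) and the drop-in above can be checked together. As an added example (not DietPi code; function names and the sample unit files are constructed), this resolves User= and Group= across a unit and its drop-ins and evaluates the mode bits the way they apply to a non-root process:

```shell
#!/bin/sh
# Added example, not DietPi code. Function names and sample units are hypothetical.

# Print the effective value of KEY from the [Service] sections of a unit file
# followed by its drop-ins, in the order given. For single-value settings such
# as User= and Group=, the last assignment wins.
# Usage: unit_service_value KEY FILE...
unit_service_value() {
    key=$1; shift
    awk -v key="$key" '
        FNR == 1 { in_service = 0 }
        /^\[/    { in_service = ($0 == "[Service]"); next }
        in_service && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END      { print val }
    ' "$@"
}

# Exactly one permission class applies to a non-root process: owner, else
# group, else other. The classes are not OR-ed together.
# Usage: class_allows MODE OWNER GROUP PROC_USER "PROC_GROUPS" WANT
#   MODE is octal (770 or 0770); WANT is a string made of r, w and x.
class_allows() {
    mode=$1 owner=$2 group=$3 puser=$4 pgroups=$5 want=$6
    m=$((0$mode))                       # leading 0 makes the shell read octal
    if [ "$puser" = "$owner" ]; then
        bits=$(( (m >> 6) & 7 ))
    else
        bits=$(( m & 7 ))
        for g in $pgroups; do
            if [ "$g" = "$group" ]; then bits=$(( (m >> 3) & 7 )); break; fi
        done
    fi
    need=0
    case $want in *r*) need=$((need | 4)) ;; esac
    case $want in *w*) need=$((need | 2)) ;; esac
    case $want in *x*) need=$((need | 1)) ;; esac
    [ $(( bits & need )) -eq "$need" ]
}

# Can the service create entries in a directory with this mode/owner/group?
# Creating files needs w and x on the directory. Only User= and Group= are read
# from the units; supplementary groups are passed in EXTRA_GROUPS (assumption:
# the caller collects them, for example with id -Gn). Without Group=, systemd
# uses the user's default group, which this offline check cannot know.
# Usage: service_can_write MODE OWNER GROUP EXTRA_GROUPS FILE...
service_can_write() {
    d_mode=$1 d_owner=$2 d_group=$3 extra=$4; shift 4
    s_user=$(unit_service_value User "$@")
    s_group=$(unit_service_value Group "$@")
    [ -n "$s_user" ] || s_user=root     # systemd default when User= is absent
    if [ "$s_user" = root ]; then return 0; fi   # root bypasses local mode bits
    class_allows "$d_mode" "$d_owner" "$d_group" "$s_user" "$s_group $extra" wx
}

# Write constructed sample units: a unit without Group= and a drop-in adding it.
make_sample_units() {
    cat > "$1/transmission-daemon.service" << '_EOF_'
[Unit]
Description=Transmission BitTorrent Daemon

[Service]
User=debian-transmission
ExecStart=/usr/bin/transmission-daemon -f --log-error
_EOF_
    cat > "$1/dietpi-group.conf" << '_EOF_'
[Service]
Group=dietpi
_EOF_
}

demo=$(mktemp -d)
make_sample_units "$demo"
for files in "$demo/transmission-daemon.service" \
             "$demo/transmission-daemon.service $demo/dietpi-group.conf"; do
    # $files is split on purpose: it holds one or two constructed paths
    if service_can_write 770 dietpi dietpi "" $files; then r=yes; else r=no; fi
    echo "dietpi:dietpi 770 writable with $(echo $files | wc -w) file(s): $r"
done
rm -rf "$demo"
```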

MichaIng Oct 6, 2018

Collaborator

PR up for changing Plex + Transmission run as group "dietpi": #2117
