Skip Navigation
linux4noobs @programming.dev Appoxo @lemmy.dbzer0.com

Help with permission settings and ACL

Trying to set tight permissions on my future NAS.
The essential on what I have:
TrueNAS NFS storage <- mounted via NFS -> Proxmox VE Host <-> Debian 12 VM
That's all fine and so on.
My little Debian VM:

NAME   FSTYPE FSVER LABEL  UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
sda
├─sda1 vfat   FAT32        A5D7-88E3                             505.1M     1% /boot/efi
└─sda2 ext4   1.0          3c43a477-51fd-425b-aee8-a6e75224f781   48.5G    16% /
sdb
└─sdb1 ext4   1.0   media  e3e0eac5-806a-44e9-a0e9-07fb99a18281  933.2G     0% /srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281
sdc
└─sdc1 ext4   1.0   nas    0f3a3d74-901d-4243-b20b-59210c1cee18   46.4G     0% /srv/dev-disk-by-uuid-0f3a3d74-901d-4243-b20b-59210c1cee18
sdd
└─sdd1 ext4   1.0   backup fbe21b9f-2339-4223-ac7e-00e75374fc32   46.4G     0% /srv/dev-disk-by-uuid-fbe21b9f-2339-4223-ac7e-00e75374fc32
sr0

Background:

  • media = media library for Jellyfin
  • nas = small (future) file server for my PC running Windows
  • backup = used to store backups of various services like Firewall backups with SFTP etc.

The storage on the debian VM will be mounted by a NUC running bare metal Debian due to hardware acceleration. The proxmox host is unable to do it due to it also being a NUC. But I like the flexibility I will soon have because I can just nuke my bare-metal NUC without loosing any data.

Anyway my real problem is with permissions on my media drive.
My permissions right now are as following:

1. /srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281# ls -l media
drwxrwxr-x 3 nobody nogroup 4096 Oct 12 20:45 media

2. /srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281/media# ls -l data
drwxrwsr-x+ 6 mediaU serviceG 4096 Oct 13 00:21 data

3. /srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281/media/data# ls -l *
drwxrwsr-x+ 7 mediaU serviceG 4096 Oct 13 00:21 media
drwxrwsr-x+ 2 mediaU serviceG 4096 Oct 13 00:21 recycle_bin
drwxrwsr-x+ 2 mediaU serviceG 4096 Oct 13 00:21 torrents
drwxrwsr-x+ 2 mediaU serviceG 4096 Oct 13 00:21 usenet

4. /srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281/media/data/media# ls -l *
drwxrwsr-x+ 2 mediaU serviceG 4096 Oct 13 00:21 anime
drwxrwsr-x+ 3 mediaU serviceG 4096 Oct 13 00:22 movie
drwxrwsr-x+ 2 mediaU serviceG 4096 Oct 13 00:21 music
drwxrwsr-x+ 2 mediaU serviceG 4096 Oct 13 00:21 soundtrack
drwxrwsr-x+ 2 mediaU serviceG 4096 Oct 13 00:21 tv

Current directory tree:

srv-dev-disk-by-uuid-XXX/
└── media
    └── data
        ├── media
        │   ├── anime
        │   ├── movie
        │   ├── music
        │   ├── soundtrack
        │   └── tv
        ├── recycle_bin
        ├── torrents
        └── usenet

What I am trying is:

  • Docker host mounts /srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281/media via NFS
  • The docker containers should only be able to access the the data directory inside it (2. ls -l) as mediaU:serviceG
  • In addition I wanna access, modify and move files with my windows user without being part of the service group. Because of this I have setup SGID and ACL on the /media/data/media folder. The ACL was set recursive as follows:
/srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281/media/data# getfacl media/
# file: media/
# owner: mediaU
# group: serviceG
# flags: -s-
user::rwx
group::rwx
group:extUserG:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:extUserG:rwx
default:mask::rwx
default:other::r-x

So far so good. mediaU:serviceG has RWX permissions (2775).
My user is part of the group extUserG also with 775 permission.

My issue and how I tested it under the root user executing commands via su:

  • Works:
    root@NAS01:/srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281/media/data# su mediaU -c 'mkdir dir-mediaU'
  • Doesn't work:
    root@NAS01:/srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281/media/data# su appoxo -c 'mkdir dir-extUserG' mkdir: cannot create directory ‘dir-extUserG’: Permission denied

BUT if I enter one level deeper inside the freshly created dir-mediaU folder I am able to create files with my personal account:

root@NAS01:/srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281/media/data# cd dir-mediaU/
root@NAS01:/srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281/media/data/dir-mediaU# su appoxo -c 'mkdir dir-extUserG'
root@NAS01:/srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281/media/data/dir-mediaU# ls -l
total 4
drwxrwsr-x+ 2 appoxo serviceG 4096 Oct 13 00:45 dir-extUserG
root@NAS01:/srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281/media/data/dir-mediaU# getfacl dir-extUserG/
# file: dir-extUserG/
# owner: appoxo
# group: serviceG
# flags: -s-
user::rwx
group::rwx
group:extUserG:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:extUserG:rwx
default:mask::rwx
default:other::r-x

So dear Lemmy Community:
Have I done something wrong in my setup or thinking? I have no problem as it is right now but I am sure it will be annoying to troubleshoot in the future so might as well fix it while still setting it up.

Thanks in advance for helping slowly escaping the windows world :)

11
11 comments

  • What is the acl permissions on the media/data folder? That is what the dir-mediaU would inherit.

    I think we need the output of: root@NAS01:/srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281/media# getfacl data

    • Thank you for responding and helping!

      # tree:
├── dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281
│   └── media
│       └── data
│           ├── media
│           ├── recycle_bin
│           ├── test
│           ├── torrents
│           └── usenet

      I assume you mean the actual media directory in level 3 on the tree?

      /srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281/media/data# getfacl media/
# file: media/
# owner: mediaU
# group: serviceG
# flags: -s-
user::rwx
group::rwx
group:extUserG:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:extUserG:rwx
default:mask::rwx
default:other::r-x

      Just in case the data folder in level 2 as well:

      /srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281/media# getfacl data/
# file: data/
# owner: mediaU
# group: serviceG
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:extUserG:rwx
default:mask::rwx
default:other::r-x

      • I haven't done much dicking around with Posix ACLs.

        And I'm not completely sure what you want to do, even after looking at your comment a couple of times.

        If the issue is that you want this operation to succeed:

        Doesn’t work: root@NAS01:/srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281/media/data# su appoxo -c 'mkdir dir-extUserG' mkdir: cannot create directory ‘dir-extUserG’: Permission denied

        Then it's presumably that the permissions on media/data aren't what you want.

        If I understand correctly:

        • You have a user appoxo which belongs to the group extUserG. That is, if you type groups as that user, then you see "extUserG" listed.

        • You want this user to have write permissions to /srv/dev-disk-by-uuid-e3e0eac5-806a-44e9-a0e9-07fb99a18281/media/data.

        You can see from your getfacl data/ command that the data directory doesn't grant write privileges to extUserG. It has a default ACL entry granting write privileges, so things created in that directory will inherit an ACL entry. But data itself doesn't have an ACL entry granting write privleges to extUserG.

        You want data to have this ACL entry when you run getfacl data:

        group:extUserG:rwx

        as well as the default ACL entry:

        default:group:extUserG:rwx

        Right now, it only has the default ACL entry:

        default:group:extUserG:rwx

        If you run sudo setfacl -m g:extUserG:rwx data in the top-level media directory, then that should add the ACL entry, and I'd expect that user appoxo would subsequently be able to create and modify files and directories directly inside data.

        Note that I'm not saying that this is necessarily sufficiently-restrictive to do the other things you want, like constraining your containers or whatnot, so don't expect me not mentioning that to be a thumbs-up there -- I mean, we can't see the ACL on the top-level media/, so no way to confirm that.

        One possible concern: I think that a process with serviceG in its list of groups -- such as what I expect your docker containers would be -- can remove the extUserG ACL entry. That is, they could prevent appoxo from being able to fiddle with files that they have created. That may or may not be a problem for you. Appoxo can ultimately re-add that ACL entry to any thing under data from which the ACL entry is removed, as long as they have write access to data (which should be the case after you run the command above I mentioned. But appoxo doesn't quite, as things stand, act like "root" for the whole directory hierarchy, doesn't just bypass permissions.

11 comments