Hello everyone. Been debugging this for 4 days and reached rock-bottom... This is my last resort. I'll show what's going wrong first, then what I tried, and lastly all the configs I can find.
TLDR Issue:
- UIDs 1000 and 12345 have NO write permissions on a MergerFS shared folder (additionally exposed through NFS and SMB)
- all other UIDs have correct/expected permissions
I have absolutely no clue how and why that happened.
Commands that are failing (/working):
root@omv:~$ sudo --user=foo touch /export/media/foo # whyyyyyyyyyyyyyyyyyyy is it failing
touch: cannot touch '/export/media/foo': Permission denied
root@omv:~$ sudo --user=bar touch /export/media/bar && echo Success
Success
root@omv:~$ # if I were to create a user with UID 12345, that user would also fail to create any files here
I want to note that changing the permissions of a user on a shared folder in the OMV web interface resolves the issue, but it introduces an ACL entry that should NOT be needed according to the POSIX permission rules! Both users are in the www-data group and the /export/media folder belongs to www-data:www-data with rwxrwsr-x permissions. Thus, user foo should be able to create a file.
The issue also does not exist when I manually create a folder in e.g. /root or even / and give it the same ownership, permissions and ACLs. It's only /export/media.
Configs
Folder permissions and ownership of relevant folder
root@omw:~$ ls -ld /export/media
drwxrwsr-x+ 4 www-data www-data 4096 Oct 21 20:17 /export/media
root@omw:~$ getfacl /export/media
getfacl: Removing leading '/' from absolute path names
# file: export/media
# owner: www-data
# group: www-data
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x
root@omw:~$ namei -l /export/media
f: /export/media
drwxr-xr-x root root /
drwxr-xr-x root root export
drwxrwsr-x www-data www-data media
UIDs, GIDs, and group memberships of relevant users (foo and bar users created via OMV web interface)
root@omw:~$ id
uid=0(root) gid=0(root) groups=0(root)
root@omw:~$ id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
root@omw:~$ id foo
uid=1000(foo) gid=100(users) groups=100(users),33(www-data)
root@omw:~$ id bar
uid=1001(bar) gid=100(users) groups=100(users),33(www-data)
NFS exports (generated by OMV)
root@omw:~$ cat /etc/exports
# This file is auto-generated by openmediavault (https://www.openmediavault.org)
# WARNING: Do not edit this file, your changes will get lost.
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
/export/media 192.168.0.214(fsid=9b734414-6b87-4b2d-bc13-c1c1721600f3,rw,subtree_check,insecure)
/export 192.168.0.214(ro,fsid=0,root_squash,no_subtree_check)
FUSE conf
root@omw:~$ cat /etc/fuse.conf
# /etc/fuse.conf - Configuration file for Filesystem in Userspace (FUSE)
# Set the maximum number of FUSE mounts allowed to non-root users.
# The default is 1000.
#mount_max = 1000
# Allow non-root users to specify the allow_other or allow_root mount options.
#user_allow_other
MergerFS mount options
root@omw:~$ mount | grep mergerfs
mediastorage:a2c208ea-ee4c-49ee-8172-39a1431c6037 on /srv/mergerfs/mediastorage type fuse.mergerfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other)
mediastorage:a2c208ea-ee4c-49ee-8172-39a1431c6037 on /export/media type fuse.mergerfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other)
Subordinate UID/GID
root@omw:~$ tail -n9 /etc/sub*
==> /etc/subgid <==
foo:100000:65536
bar:165536:65536
==> /etc/subgid- <==
foo:100000:65536
==> /etc/subuid <==
foo:100000:65536
bar:165536:65536
==> /etc/subuid- <==
foo:100000:65536
There is no SELinux or AppArmor configured/installed.
idmapd.conf
root@omw:~$ cat /etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
# Domain = localdomain
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Screenshot: Permissions of /export/media in OMV]
[Screenshot: ACLs of user foo and bar in OMV]
[Screenshot: Permissions (NOT ACL) of user foo and bar in OMV]
[Screenshot: NFS Share settings in OMV]
[Screenshot: NFS settings in OMV]
[Screenshot: SMB settings (should not be relevant, since /export/media is only exposed via NFS)]
[Screenshot: Dashboard of file systems]
[Screenshot: System Information]
If you need more info, I'd be glad to provide it.
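The post's central claim is that, by POSIX rules, foo (uid 1000, supplementary group 33) must be allowed to create a file in a www-data:www-data directory with mode rwxrwsr-x and no extended ACL entries. The script below is an added example (editor's code, not from the poster or from openmediavault/mergerfs) that implements the access-check algorithm from acl(5) and runs it against the getfacl output quoted in the post. It also evaluates a constructed ACL with a named-user entry and a mask, of the kind an ACL editor adds, to show how the mask can silently cut permissions the mode appears to grant. The uid 12345 entry and the NAME_TO_UID/NAME_TO_GID tables are assumptions built from the `id` output above; the script only reproduces what the kernel's mode/ACL check would decide for this directory, so a "permitted" result here combined with a real EACCES points at a layer other than this directory's mode and ACL (for a FUSE mount, the branch filesystems underneath it are the obvious next place to run the same check).

```python
"""POSIX ACL access check (acl(5) "ACCESS CHECK ALGORITHM") applied to the
getfacl output for /export/media quoted above.  Added example, not part of
the original post.  The uid 12345 user and the masked ACL are constructed."""

R, W, X = 4, 2, 1

# Constructed name tables matching the `id` output in the post.
NAME_TO_UID = {"www-data": 33, "foo": 1000, "bar": 1001}
NAME_TO_GID = {"www-data": 33, "users": 100}

# Copied from the post.  Only the access entries matter for this decision;
# the default: entries are inherited by new children.
GETFACL_EXPORT_MEDIA = """\
# file: export/media
# owner: www-data
# group: www-data
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x
"""

# Constructed: a named-user entry for foo plus a mask of r-x, the shape an
# ACL editor produces.  getfacl prints the effective bits as a comment.
GETFACL_WITH_MASK = """\
# file: export/media
# owner: www-data
# group: www-data
user::rwx
user:foo:rwx                    #effective:r-x
group::rwx                      #effective:r-x
mask::r-x
other::r-x
"""


def bits(perm: str) -> int:
    """'rwx' / 'r-x' / '---' -> 3-bit integer."""
    return (R if "r" in perm else 0) | (W if "w" in perm else 0) | (X if "x" in perm else 0)


def _ident(qualifier: str, table: dict) -> int:
    """getfacl prints names when resolvable and raw numbers otherwise."""
    return int(qualifier) if qualifier.isdigit() else table[qualifier]


def parse_getfacl(text: str) -> dict:
    """Parse getfacl output into an access ACL keyed by numeric ids."""
    acl = {"named_users": {}, "named_groups": {}, "mask": None}
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()  # drop effective-rights hint
        if line.startswith("# owner:"):
            acl["owner_uid"] = _ident(line.split(":", 1)[1].strip(), NAME_TO_UID)
        elif line.startswith("# group:"):
            acl["owner_gid"] = _ident(line.split(":", 1)[1].strip(), NAME_TO_GID)
        elif not line or line.startswith("#") or line.startswith("default:"):
            continue
        else:
            tag, qualifier, perm = line.split(":")
            if tag == "user" and qualifier == "":
                acl["user_obj"] = bits(perm)
            elif tag == "user":
                acl["named_users"][_ident(qualifier, NAME_TO_UID)] = bits(perm)
            elif tag == "group" and qualifier == "":
                acl["group_obj"] = bits(perm)
            elif tag == "group":
                acl["named_groups"][_ident(qualifier, NAME_TO_GID)] = bits(perm)
            elif tag == "mask":
                acl["mask"] = bits(perm)
            elif tag == "other":
                acl["other"] = bits(perm)
    return acl


def acl_access(acl: dict, uid: int, gid: int, groups, want: int) -> bool:
    """Return True if a process with these credentials gets `want` bits.

    Order from acl(5): owner, named user, then the whole group class (owning
    group and named groups, all subject to the mask), then other.  A group
    match that lacks the bits denies; it never falls through to `other`.
    Root is handled as CAP_DAC_OVERRIDE on a directory (always permitted)."""
    if uid == 0:
        return True
    mask = acl["mask"]

    def masked(p: int) -> int:
        return p & mask if mask is not None else p

    if uid == acl["owner_uid"]:
        return (want & acl["user_obj"]) == want  # ACL_USER_OBJ is never masked
    if uid in acl["named_users"]:
        return (want & masked(acl["named_users"][uid])) == want
    all_groups = {gid} | set(groups)
    matching = [acl["group_obj"]] if acl["owner_gid"] in all_groups else []
    matching += [p for g, p in acl["named_groups"].items() if g in all_groups]
    if matching:
        return any((want & masked(p)) == want for p in matching)
    return (want & acl["other"]) == want


EXPORT_MEDIA = parse_getfacl(GETFACL_EXPORT_MEDIA)
EXPORT_MEDIA_MASKED = parse_getfacl(GETFACL_WITH_MASK)


def can_create_in(acl: dict, uid: int, gid: int, groups) -> bool:
    """Creating an entry in a directory needs write and search on it."""
    return acl_access(acl, uid, gid, groups, W | X)


if __name__ == "__main__":
    cases = [("foo", 1000, 100, {100, 33}), ("bar", 1001, 100, {100, 33}),
             ("uid 12345 (constructed, not in www-data)", 12345, 100, {100})]
    for name, uid, gid, groups in cases:
        print(f"{name:45} posted ACL: {can_create_in(EXPORT_MEDIA, uid, gid, groups)}"
              f"  masked ACL: {can_create_in(EXPORT_MEDIA_MASKED, uid, gid, groups)}")
```

Against the posted ACL the check says foo and bar may both create files and only a user outside www-data may not, which matches the poster's reading of the mode bits. Against the constructed masked ACL, foo is denied even though foo is in www-data: the named-user entry matches first and the mask::r-x strips its write bit, which is the kind of entry to look for with getfacl whenever an ACL editor has touched a directory.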