Posts by BenMcLean

    Wait never mind. It only builds jails for them if they're in the sftp-access group. That makes sense.

    OK, I got everything working at least for now. Thanks for the advice!

    I basically fixed that by remaking all of my docker containers from their composes.


    But now when I set up a user/folder pair in the SFTP plugin, that user isn't stuck in a jail. They're able to see everything! Why's that happening?

    The resetperms plugin seems to have somehow taken away execute permissions from all my docker containers, which I didn't think was supposed to happen?
    But now none of them will start except portainer. They all say crap like "crond: can't execute '/bin/ash' for user root"

    So what I gather from this is that when it says, "Administrator: read/write, Users: read only, Others: no access" it should instead say, "Owner, Group, Others" because that's what it actually means. The page you linked even has to add a picture in order to explain that's what these terms really mean.

    ...or actually I don't.


    So ... my personal account is supposed to be an administrator. It probably isn't, because anything that's supposed to be true is almost guaranteed to be false, especially when the computer, the documentation and forum posts on Google all tell you it's true.


    So, I used resetperms to make my shared folder in "Administrator: read/write, Users: read only, Others: no access" mode.


    And I'm an administrator, so I should have read/write based on what that says.


    But I get access denied when I try to connect with Samba.


    So I must not be an administrator.


    Apparently an openmediavault-admin is different from an administrator. Why.


    This page doesn't say how to make a user an administrator for really real. It just says how to make a fake openmediavault-admin administrator: https://docs.openmediavault.or…ss_rights_management.html


    How do you make an account an "actual for real no joke stop wasting my time" administrator?

    Sorry about that last post. I tried the exact same thing again doing nothing different that I am aware of and the program worked as expected the second time. What. Oh well, at least I have got the permissions fixed now.

    About ACLs: Since I'm new, I wasn't aware that leaving ACLs alone was an option. I thought I had to set both in order for access to work. How do I just clear them out or reset them to default in case I clicked anything in there already? (don't remember, it's been a while)

    How many users are in these groups?

    Are you only sharing data via sftp?

    I hate ACLs and recommend not using them. So, you won't get any help from me with them.

    Your groups won't be helpful for the sftp plugin.

    How many users:

    admin group: one
    end-users group: currently four but I expect to expand this. making new users should be easy.
    I have a lot of shared folders. Those three I described are just categories.
    Only sftp? The server does a few different things, like Jellyfin and a few other web apps. I also use samba to move files to and from it on my LAN. Why is it relevant whether I have any other services going?

    (later edit) Oh I see, it's because I mentioned other services in my original post. Yeah, I used to be running regular FTP over TLS and I also tried NFS for a bit but I've turned those off now. I expect it's just going to be SFTP for remote and Samba for LAN.

    The reason I was thinking groups are kind of useless is because there doesn't seem to be a way to manage remote users with them. You don't want to do samba over the Internet. SFTP is what you should give remote users, right? But it's remote users who you need groups to manage. People in the same building might as well share an account since they have physical access to the computer anyway.

    Just because they don't do much for the sftp plugin? The sftp-access group is determining whether the user has access. That is pretty important. In omv, you can give access to a shared folder by group. That works very well for samba. There are many uses for groups. Not sure what else you are looking for.

    OK so ... I have an admin group and an end-users group.
    My personal account is in the admin group.
    Multiple users are in the end-users group.
    Shared folder "Alpha" (made up name) should be read/write for admins and read-only for end-users.
    Shared folder "Beta" should be read/write for admins and invisible (or at least inaccessible) to end-users.
    Shared folder "Gamma" should be read/write for everyone.

    What would I need to click on the Permissions, ACL and SFTP plugin screens in OpenMediaVault to make that happen?
    Which of those actions would be one for each user and which would be for the groups?

    Based on my research so far, there is no good way to do this. There are ways to do this, but all of them are bad.


    Groups might as well not exist, because they won't do much.

    You could try symlinks but I would not expect this to be allowed to work. The entire point of jails is to prevent the user from leaving them.

    Oh ... you're saying I could do something like this, but it would need to be an actual bind mount, not a symlink?
    Sorry, I wasn't familiar with the difference.

    This is what chroot does and a group can't chroot.

    Good decision.

    It is basically a jail that only allows you to see what is in the directory you chroot to. The plugin adds bind mounts to the shared folders you select and puts them in the user's jail folder. Then when that user logs in, the user is automatically chroot'd to the jail folder. They only see the folders that are bind mounted into it. Very secure.

    Could I make one jail folder for the entire group containing symlinks to the folders I actually want to share, and chroot each user to that same jail folder?
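Why symlinks inside a jail folder cannot stand in for the bind mounts described above, as an added example that is not from the thread or the plugin: it mimics path lookup after chroot on constructed temporary directories, without needing root. `resolve_in_jail`, `demo` and all folder names are hypothetical.

```python
import os
import tempfile
def resolve_in_jail(jail, path, max_links=40):
    """Host path a process chroot'd to `jail` reaches for `path`, else None."""
    jail = os.path.realpath(jail)
    pending = [p for p in path.split("/") if p]
    current = []                       # components below the jail root
    links = 0
    while pending:
        part = pending.pop(0)
        if part == ".":
            continue
        if part == "..":
            if current:
                current.pop()          # at the jail root, ".." stays put
            continue
        host = os.path.join(jail, *current, part)
        if os.path.islink(host):
            links += 1
            if links > max_links:
                return None            # symlink loop
            target = os.readlink(host)
            if target.startswith("/"):
                current = []           # absolute target restarts at jail root
            pending = [p for p in target.split("/") if p] + pending
        elif os.path.lexists(host):
            current.append(part)
        else:
            return None                # nothing by that name inside the jail
    return os.path.join(jail, *current)

def demo():
    # Constructed layout: a shared folder outside the jail, two symlinks and
    # one real directory (standing in for a bind mount) inside it.
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        shared = os.path.join(tmp, "srv", "Alpha")
        jail = os.path.join(tmp, "jail")
        os.makedirs(shared)
        os.makedirs(os.path.join(jail, "Gamma"))
        open(os.path.join(shared, "report.txt"), "w").close()
        os.symlink(shared, os.path.join(jail, "Alpha"))             # absolute
        os.symlink("../srv/Alpha", os.path.join(jail, "AlphaRel"))  # relative
        return {
            "host_sees_file": os.path.exists(os.path.join(jail, "Alpha", "report.txt")),
            "jail_abs_link": resolve_in_jail(jail, "/Alpha/report.txt"),
            "jail_rel_link": resolve_in_jail(jail, "/AlphaRel/report.txt"),
            "jail_bind_dir": resolve_in_jail(jail, "/Gamma") == os.path.join(jail, "Gamma"),
        }
```

Both symlinks work from the host but dangle for the jailed user, because their targets are looked up below the jail root; a bind-mounted folder is a real directory entry inside the jail, so it stays reachable.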

    Unless you are trying chroot access for these users so they can't see any other folders, there is no reason you can't use the regular ssh server and just change the shared folders group ownership to the groups you want. No need to use a docker.

    Ideally, my users should only be seeing the shared folders they have access to when they log in and should not be able to see anything else on the system.

    I had been using the FTP plugin for a while but am trying to set up SFTP instead now for security.

    But I am still relatively new to Linux. Had to look up what chroot was based on your post.

    Sorry that is correct.

    The checkbox clearly says what it will do. If you check it, only users in the sftp-access group will be able to access the sftp server started by the plugin.

    Rewrite the plugin.

    Good to know. Thanks for your patience and giving a definitive answer on this.

    I think the solution I need is some kind of dockerized sftp instead of this plugin. Probably sftpgo https://github.com/drakkan/sftpgo/

    I'm trying to set up SFTP.


    For other services, I have group permissions set up. My users are in different groups based on what permissions they should have.


    However, the SFTP service in the openmediavault web UI seems to only allow assigning folder access to individual users, not groups.


    There's an "AllowGroups" checkbox which appears to do nothing.


    How do I assign shared folder access by user group?

    Can you distinguish, if the disk is read only or you do not have write permissions?

    You are trying to share a shared folder which could not chgrp users, which is required for OMV to do the sharing.


    Switch to ext4 or a file system which supports Unix permissions.

    AFAIK, Microsoft ensured that NTFS was POSIX compliant when it responded to an Air Force bid and met the FIPS-151 standard. https://en.wikipedia.org/wiki/Microsoft_POSIX_subsystem


    The Linux kernel fully supports NTFS now and I believe that's with the full support of Microsoft, not something they're fighting against. https://www.kernel.org/doc/htm…st/filesystems/ntfs3.html


    Ubuntu did what I'm trying to do here without problems. Something about OpenMediaVault must be different.