How to create tiered access permission priority in TrueNAS SCALE drive pool?

vn_mnm

Explorer
Joined
Nov 23, 2020
Messages
66
Hello everyone,

I am building my TrueNAS SCALE system for home use. I plan to use 2 x 1TB HDDs in a ZFS-mirroring layout. I assume that I plan to have 3 user accounts on my system:

_Admin: myself.
_Mom: child's mother
_Kid: the child.

I want Admin to have absolute authority & priority to access and also modify (e.g. read & write) rights on every folder and file inside the pool. Mom can only see and modify what's in her own folder as well as the Kid's. Kid can only see and modify his own folder only.

How may I achieve this on the TrueNAS SCALE system?

Thank you very much in advance.
 

vn_mnm

Explorer
Joined
Nov 23, 2020
Messages
66
@morganL
I am now studying tutorials from the internet to understand the process of creating multiple user accounts as well as the ACL thing. Despite them using TrueNAS Core, I believe the process should look very similar on SCALE. There are 2 approaches to this task:

_Approach #1: Shell approach:

_Approach #2: WebGUI:

I have 2 questions on this:

  1. (Approach #1) What does the number 770 in the chmod command line mean?
  2. Which approach can possibly solve my problem?
  3. (Approach #1) Why does TrueNAS create a group upon the creation of a new local user account?

Thank you again in advance buddy for helping me out.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,700
> What does the number 770 in the chmod command line mean?

User (owner) Full access, Group Full access, Everyone (else) No access
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,700
Create an account Admin, assign primary group to root (effectively the Administrators group... would be wheel on CORE), should now have access to most stuff by default, but with specific permissions like below, you will still need to handle it.

Create an account Mom, assign primary group Mom.

Create Account Kid, assign primary group Kid.

Make Admin a member of Auxiliary groups Mom and Kid.

Make Mom a member of Auxiliary group Kid.

Make a directory /mnt/tank/Mom

Make a directory /mnt/tank/Kid

chown -R Mom:Mom /mnt/tank/Mom

chown -R Kid:Kid /mnt/tank/Kid

chmod -R 770 /mnt/tank/Mom /mnt/tank/Kid

There you go.
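
The effect of the accounts, groups and mode 770 described in the post above, modelled as the standard owner/group/other check. This is an added example, not part of the original post; the function names are hypothetical and the group memberships are copied from the steps above. It assumes three-digit modes and ignores the uid 0 bypass and ACL entries.

```shell
# Model of the owner/group/other check for the accounts in the post above.
# Not modelled: uid 0 bypass, ACL entries, four-digit modes (setuid/setgid).

groups_of() {            # membership from the post, primary group first
    case "$1" in
        Admin) echo "root Mom Kid" ;;
        Mom)   echo "Mom Kid" ;;
        Kid)   echo "Kid" ;;
    esac
}

mode_to_rwx() {          # mode_to_rwx 770 -> rwxrwx---
    out=""
    for digit in $(printf '%s' "$1" | sed 's/./& /g'); do
        for bit in 4:r 2:w 1:x; do
            if [ $(( digit & ${bit%%:*} )) -ne 0 ]; then
                out="${out}${bit##*:}"
            else
                out="${out}-"
            fi
        done
    done
    printf '%s\n' "$out"
}

# class_digit USER OWNER GROUP MODE -> the one octal digit that applies.
# Exactly one class is used: owner if it matches, else group, else other.
class_digit() {
    pos=3
    for g in $(groups_of "$1"); do
        if [ "$g" = "$3" ]; then pos=2; fi
    done
    if [ "$1" = "$2" ]; then pos=1; fi   # owner match overrides group match
    printf '%s\n' "$4" | cut -c"$pos"
}

# can_access USER OWNER GROUP MODE WANT   (WANT bit mask: 4=r 2=w 1=x)
can_access() {
    d=$(class_digit "$1" "$2" "$3" "$4")
    [ $(( d & $5 )) -eq "$5" ]
}

# access_report -> one line per user and folder: "User Path yes|no" for rwx
access_report() {
    for u in Admin Mom Kid; do
        for dir in Mom Kid; do
            if can_access "$u" "$dir" "$dir" 770 7; then a=yes; else a=no; fi
            echo "$u /mnt/tank/$dir $a"
        done
    done
}
access_report
```

On Linux a file Mom creates inside /mnt/tank/Kid is owned Mom:Mom unless the directory has the setgid bit, so for such a file with a constructed mode of 660, `can_access Kid Mom Mom 660 4` fails: Kid lands in the "other" class.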
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
> What does the number 770 in the chmod command line mean?

In addition to working @sretalla's excellent response to your questions, for #1 Google "unix permissions table" and you'll find masses of hits with information on permissions notations from which you can pick your poison.
 

vn_mnm

Explorer
Joined
Nov 23, 2020
Messages
66
> Create an account Admin, assign primary group to root (effectively the Administrators group... would be wheel on CORE), should now have access to most stuff by default, but with specific permissions like below, you will still need to handle it.
>
> Create an account Mom, assign primary group Mom.
>
> Create Account Kid, assign primary group Kid.
>
> Make Admin a member of Auxiliary groups Mom and Kid.
>
> Make Mom a member of Auxiliary group Kid.
>
> Make a directory /mnt/tank/Mom
>
> Make a directory /mnt/tank/Kid
>
> chown -R Mom:Mom /mnt/tank/Mom
>
> chown -R Kid:Kid /mnt/tank/Kid
>
> chmod -R 770 /mnt/tank/Mom /mnt/tank/Kid
>
> There you go.

Thanks a lot for your reply buddy. Just out of curiosity, can you also answer my Question 3?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,700
> can you also answer my Question 3?

It's to support doing the kind of thing that I suggested for you. It's not something peculiar to TrueNAS, it's the standard Unix permission model.
 

vn_mnm

Explorer
Joined
Nov 23, 2020
Messages
66
> Create an account Admin, assign primary group to root (effectively the Administrators group... would be wheel on CORE), should now have access to most stuff by default, but with specific permissions like below, you will still need to handle it.
>
> Create an account Mom, assign primary group Mom.
>
> Create Account Kid, assign primary group Kid.
>
> Make Admin a member of Auxiliary groups Mom and Kid.
>
> Make Mom a member of Auxiliary group Kid.
>
> Make a directory /mnt/tank/Mom
>
> Make a directory /mnt/tank/Kid
>
> chown -R Mom:Mom /mnt/tank/Mom
>
> chown -R Kid:Kid /mnt/tank/Kid
>
> chmod -R 770 /mnt/tank/Mom /mnt/tank/Kid
>
> There you go.

@morganL @Kris Moore May I hereby make a feature request for iXsystems to either improve or renovate the ACL's webGUI to become more extensive so that we don't have to mess around with the shell commands in order to take control of user access in our NAS computer(s)?

Thank you in advance.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
I don't understand. You can do all these things without using the CLI. There's an area where you can choose the owner at the top of the POSIX ACL form. In POSIX1E ACL terms, 770 ==
User Obj rwx
Group Obj rwx
Other ---
 

vn_mnm

Explorer
Joined
Nov 23, 2020
Messages
66
> I don't understand. You can do all these things without using the CLI. There's an area where you can choose the owner at the top of the POSIX ACL form. In POSIX1E ACL terms, 770 ==
> User Obj rwx
> Group Obj rwx
> Other ---

If the webgui is fine then why was Craft Computing using the CLI?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
There is online documentation for how to use our permissions manager. If you set a user's home directory to be inside a path in a share, you will be presented with a permissions editor for the user's home directory (path inside share) with your checkboxes. I believe there is even an example of how to do this in our online documentation.

We don't have a full-blown file manager in the webui, but basic share setup can be accomplished quite easily. For the case of SMB share where you want users to each have their own dataset / dynamic share we have a SMB share preset that when combined with our ACL preset for a HOME share will allow access for any number of users without touching the CLI at all.

Likewise, if you have a full-featured SMB client (like on Windows or Linux), you can create directories over the SMB protocol and change file ownership that way (which is the way that people have been administering SMB shares for decades).
 

vn_mnm

Explorer
Joined
Nov 23, 2020
Messages
66
> There is online documentation for how to use our permissions manager. If you set a user's home directory to be inside a path in a share, you will be presented with a permissions editor for the user's home directory (path inside share) with your checkboxes. I believe there is even an example of how to do this in our online documentation.
>
> We don't have a full-blown file manager in the webui, but basic share setup can be accomplished quite easily. For the case of SMB share where you want users to each have their own dataset / dynamic share we have a SMB share preset that when combined with our ACL preset for a HOME share will allow access for any number of users without touching the CLI at all.
>
> Likewise, if you have a full-featured SMB client (like on Windows or Linux), you can create directories over the SMB protocol and change file ownership that way (which is the way that people have been administering SMB shares for decades).

Thanks for your reply. Where is that document? I highly look forward to it.

Please also consider developing a full-blown file manager in the web gui. Thanks a lot in advance.
 