
Jail access to /mnt with AD permissions

Jails with XigmaNAS
drdoo
Starter
Posts: 17
Joined: 24 Sep 2013 14:26

Jail access to /mnt with AD permissions

Post by drdoo »

Hello everyone,

Pretty new to nas4free and learning a lot of stuff.
I've set up my nas4free and I'm using AD permissions for my datasets (owner administrator:domain_admins).

Now I have installed a jail for my music (Subsonic); I've mounted my music folder inside the jail.
Under the root user this works fine. But since I want Subsonic to be accessible over the web, I don't want to run Subsonic as the root user but rather as user subsonic (or whatever).

Now the problem: this user of course doesn't have access to my music folder, since it's a local user inside the jail.

The permissions on the mounted folder are: 71 drwxrwx---+ 296 10500 10512 296 Mar 15 14:20 music

How would I go about giving this newly created user access to my music collection? (I'd rather not give everyone read rights.)

Thanks in advance!

dreamcat4
experienced User
Posts: 111
Joined: 21 Mar 2014 21:59

Re: Jail access to /mnt with AD permissions

Post by dreamcat4 »

You should try to create the subsonic user (the one inside the jail) with the same UID / GID as those files it wants to access in your Music folder.

10500 10512

They look unusually high though. Most systems start issuing UID/GIDs from 1000 upward.

drdoo
Starter
Posts: 17
Joined: 24 Sep 2013 14:26

Re: Jail access to /mnt with AD permissions

Post by drdoo »

I set up my permissions using this guide:
http://n4f.siftusystems.com/index.php/2 ... ions-acls/

So not sure about the UID numbers... maybe it's a Windows thing?

Gonna try tonight to set it up like you said.
Wouldn't this be the same as running the application under the root user, though?

Thanks so far.

dreamcat4
experienced User
Posts: 111
Joined: 21 Mar 2014 21:59

Re: Jail access to /mnt with AD permissions

Post by dreamcat4 »

What I meant was that a jail is a self-contained environment, so inside the jail it has its own list of users, which is separate from the NAS4Free list of users. You have to make the UID and GID numbers "match up", so that the 2 separate environments think the files belong to the same user.

drdoo wrote:
    I set up my permissions using this guide:
    http://n4f.siftusystems.com/index.php/2 ... ions-acls/

I don't have Active Directory - but basically that is a Windows thing (not a UNIX thing). What that means is your UNIX-based audio/music program in a UNIX FreeBSD jail probably isn't going to be aware of the AD ACL metadata that Windows sees. (That ActiveDirectory permissions / metadata may be stored on the drive in some UNIX manner.) It only comes into play when different Windows machines are requesting files from SAMBA.

drdoo wrote:
    So not sure about the UID numbers... maybe it's a Windows thing?

UID = "USER ID" = a positive number from 0 upwards.
GID = "GROUP ID" = a number from 0 upwards.

That is a UNIX thing.

drdoo wrote:
    Wouldn't this be the same as running the application under the root user, though?

ROOT is UID=0 and GID=0, but you don't want it to write your files as ROOT.

So. On the UNIX side. In the SAMBA settings pages, you can tell it which NAS4Free username for SAMBA to write the files as... on the UNIX disk. Then those files will have the NAS4Free UID and GID numbers.

If you create the same username in the jail, you should also set the same UID and GID numbers as was outside the jail (the SAMBA unix username in NAS4Free host).

Use the "pw" command inside the jail to do this. Type "pw help", or go read the documentation about it :)

http://www.freebsd.org/cgi/man.cgi?query=pw

For example:

In NAS4Free, type "pw user show <samba_username> -P"

And you will see two numbers # in the top line next to "Login name:" and "Group:"
They are UID / GID

Then in jail, either "pw user add help" or "pw user mod help", depending if you already created the user or haven't made it yet. There are more switches to set the UID / GID.

Hope it helps.

drdoo
Starter
Posts: 17
Joined: 24 Sep 2013 14:26

Re: Jail access to /mnt with AD permissions

Post by drdoo »

Thank you for your response.
I don't think I have made myself clear :)

What I meant with UID numbers being a Windows thing was a comment on your response that they looked unusually high.
Basically I've set the UNIX permissions to a new owner and group... being my AD Administrator and domain administrator group. So from what I understand, replacing the normal UNIX access.

So if I access the SAMBA share from my Windows machine as Administrator, the files are being written with owner Administrator.

Now, what I meant by "Wouldn't this be the same as running the application under the root user, though?" is poorly worded on my part.
I meant... following the linked guide, I have replaced the permissions on my entire ZFS pool with my Windows accounts, starting at /mnt/tank01.
So what I really meant: creating a user with the same UID as that Windows Administrator user would in effect mean that that user in the jail would have ALL rights to the ZFS pool /mnt/tank01.
In effect making it a full admin on all my files... except the nas4free core files.

Am I making sense?

dreamcat4
experienced User
Posts: 111
Joined: 21 Mar 2014 21:59

Re: Jail access to /mnt with AD permissions

Post by dreamcat4 »

drdoo wrote:
    So what I really meant: creating a user with the same UID as that Windows Administrator user would in effect mean that that user in the jail would have ALL rights to the ZFS pool /mnt/tank01.
    In effect making it a full admin on all my files... except the nas4free core files.

    Am I making sense?

Well, I think I understand now. The only reason "that's like root" is because you have chosen to make everything on the entire volume owned by the same single user account. Now I don't use AD samba, don't need it, don't want it, couldn't care less about ActiveDirectory.

Because AD is only really useful in an organizational environment for multiple Windows AD users, each with their own files (multiple different file owners). Since you made everything the same 1 user (be it Admin or somebody else), the value of AD's features is diminished. You might instead choose not to use AD at all on SAMBA, which makes everything simpler, and like "normal" SAMBA.

What I can tell you is this:

If you put in the jail's fstab a nullfs mount of only that specific Music subfolder, then the jail can only see that Music folder (and subfolders inside), not the whole /mnt/tank01 ZFS volume. Which should be the correct way to configure the jail in any case (with or without AD). Since your music program only needs to see media files in that music folder, right?

drdoo
Starter
Posts: 17
Joined: 24 Sep 2013 14:26

Re: Jail access to /mnt with AD permissions

Post by drdoo »

Yes, that's correct.

I have set up multiple users with different sets of access rights.
You have to set up the permissions the way it is now, so you can modify further user rights through Windows ACLs.
From the Windows share I can now set more users/groups on one directory with different access permissions (not sure if this is at all possible with UNIX permissions; have to read up on it).

Is there "no" way for an unauthorized user to gain access (via the subsonic user) to my /mnt/tank01 pool?
That's all I'm trying to accomplish... I've mounted the music folder read-only so no modifications are possible from within the jail.

dreamcat4
experienced User
Posts: 111
Joined: 21 Mar 2014 21:59

Re: Jail access to /mnt with AD permissions

Post by dreamcat4 »

drdoo wrote:
    Is there "no" way for an unauthorized user to gain access (via the subsonic user) to my /mnt/tank01 pool?
    That's all I'm trying to accomplish... I've mounted the music folder read-only so no modifications are possible from within the jail.

Correct - no, it can't. It is absolutely the way FreeBSD jails are designed to work, like a more secure version of a "chroot". No process inside the jail (even the jail's "root" user) can ever see higher up than the subfolders that are mounted inside it. No other folders in /mnt/tank01 are ever going to be accessible.

And since you mounted your Music folder as 'ro' in the fstab, then even that visible part isn't vulnerable either - no user inside the jail (even the same UID/GID as the AD Administrator, or the jail's 'root' user) can ever modify those visible Music files. The only thing vulnerable to attack is the filesystem of the jail itself... which (if ever compromised). And that possibility (if it ever happens) isn't going to be any great loss, other than the effort of configuring, installing subsonic, and setting up the jail.
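As an added example (not code from the thread or from NAS4Free), this POSIX shell script ties together the two points dreamcat4 makes above: reading the host-side UID/GID from "pw user show <samba_username> -P" and reusing them for the jail's local user, and exposing only the music folder to the jail through a read-only nullfs fstab entry. The pw output it parses is constructed to mimic the real layout, and the jail path and user name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Derives the host-side UID/GID from the
# output of "pw user show <samba_username> -P", prints the jail-side pw
# commands that reuse those numbers, and builds/validates the read-only
# nullfs fstab entry that exposes only the music folder to the jail.
# SAMPLE_PW_OUTPUT is CONSTRUCTED to mimic the pw -P layout; on the NAS
# host you would capture the real command's output instead.
SAMPLE_PW_OUTPUT='Login Name: sambauser                         #10500      Group: domain_admins     #10512
 Full Name: Samba write-as user
      Home: /nonexistent                       Class:
     Shell: /usr/sbin/nologin                  Change: [change]'

# Print "UID GID" taken from the "#nnn" fields on the first line of pw -P output.
host_ids() {
    printf '%s\n' "$1" |
        sed -n '1s/^Login Name: *[^ ]* *#\([0-9]*\) *Group: *[^ ]* *#\([0-9]*\).*$/\1 \2/p'
}

# Commands to run INSIDE the jail: the jail's local user name may differ from
# the host's; only the numbers have to match what the files carry on disk.
jail_user_cmds() {
    user="$1" uid="$2" gid="$3"
    printf 'pw groupadd %s -g %s\n' "$user" "$gid"
    printf 'pw useradd %s -u %s -g %s -d /nonexistent -s /usr/sbin/nologin\n' \
        "$user" "$uid" "$gid"
}

# fstab line for the jail (assumed paths): nullfs-mount ONLY the music
# subfolder, read-only, so nothing else under /mnt/tank01 is visible.
jail_fstab_line() {
    printf '%s\t%s\tnullfs\tro\t0\t0\n' "$1" "$2"
}

# Returns 0 only if the entry is a nullfs mount with "ro" among its options.
fstab_is_readonly_nullfs() {
    printf '%s\n' "$1" | awk '
        $3 == "nullfs" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Stand-alone usage: tie the pieces together for the assumed "subsonic" user.
set -- $(host_ids "$SAMPLE_PW_OUTPUT")
jail_user_cmds subsonic "$1" "$2"
jail_fstab_line /mnt/tank01/music /usr/jails/subsonic/media/music
```

Run the printed pw commands inside the jail and add the fstab line to the jail's fstab; the validator can be pointed at an existing fstab line to confirm the mount really is read-only.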

drdoo
Starter
Posts: 17
Joined: 24 Sep 2013 14:26

Re: Jail access to /mnt with AD permissions

Post by drdoo »

Thanks for your help dreamcat :)
