brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-08 21:34:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: acl on smb shares in truenas

Browse Source
This commit is contained in:
Michele Cereda
2023-09-10 15:38:43 +02:00
parent 719fb59e32
commit fc78d8e803
5 changed files with 155 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

98
knowledge base/acl.md Normal file
View File

@@ -0,0 +1,98 @@
# Access Control Lists assignment
## Table of contents <!-- omit in toc -->
1. [TL;DR](#tldr)
1. [Set default permissions for files and directories](#set-default-permissions-for-files-and-directories)
1. [Further readings](#further-readings)
## TL;DR
List of [permission tags][syntax descriptions for setting acls] and [inheritance options][acl inheritance].
```sh
# Install the tool.
apt install 'acl'
dnf install 'acl'
# Show ACLs.
getfacl 'test/declarations.h'
# Set permissions for users.
setfacl -m 'u:username:rwx' 'test/declarations.h'
# Add permissions for users.
# Position number starts from 0.
setfacl -a '1' 'u:username:rwx' 'test/declarations.h'
setfacl -a '5' 'owner@:rw-p-daARWcCos:f------:allow' 'path/to/file'
setfacl -a '6' 'owner@:rwxpDdaARWcCos:-d-----:allow' 'path/to/dir'
# Set permissions for groups.
setfacl -m "g:groupname:r-x" 'test/declarations.h'
# Add permissions for groups.
# Position number starts from 0.
setfacl -a '2' 'g:groupname:r-x' 'test/declarations.h'
setfacl -a '7' 'group@:r--p--aAR-c--s:f------:allow' 'path/to/file'
setfacl -a '8' 'group@:r-xp--aAR-c--s:-d-----:allow' 'path/to/dir'
# Add permissions for everyone else (others).
# Position number starts from 0.
setfacl -a '3' 'o::r-x' 'test/declarations.h'
setfacl -a '9' 'everyone@:r-----a-R-c---:f------:allow' 'path/to/file'
setfacl -a '10' 'everyone@:r-x---a-R-c---:-d-----:allow' 'path/to/dir'
# Make children files and directories inherit acls.
# A.K.A. sets default ACLs.
setfacl -d -m 'u:dummy:rw' 'test'
# Remove specific acls.
setfacl -x 'u:dummy:rw' 'test'
# Remove all ACL entries except for the ones synthesized from the file mode.
# If a 'mask' entry was in them, the resulting ACLs will be set accordingly.
setfacl -b 'test/declarations.h'
```
## Set default permissions for files and directories
Suppose you want a folder to set the default permissions of newly created files and directories to `0664` (`-rw-rw-r--`) and `0775` (`drwxrwxr-x`) respectively.
The best way to achieve this would be to set up it's ACLs accordingly:
| Who | ACL Type | Permissions | Flags | Translated `getfacl` Tags | Resulting Unix Permissions |
| --------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | ---------------------------------------- | -------------------------- |
| owner@ | Allow | Read Data, Write Data, Append Data<br/>Read Named Attributes, Write Named Attributes<br/>Read Attributes, Write Attributes<br/>Delete<br/>Read ACL, Write ACL<br/>Write Owner<br/>Synchronize | File Inherit | ` owner@:rw-p-daARWcCos:f------:allow` | `-rw-------` |
| owner@ | Allow | Read Data, Write Data, Append Data<br/>Read Named Attributes, Write Named Attributes<br/>Execute<br/>Read Attributes, Write Attributes<br/>Delete, Delete Child<br/>Read ACL, Write ACL<br/>Write Owner<br/>Synchronize | Directory Inherit | ` owner@:rwxpDdaARWcCos:-d-----:allow` | `drwx------` |
| group@ | Allow | Read Data, Write Data, Append Data<br/>Read Named Attributes, Write Named Attributes<br/>Read Attributes, Write Attributes<br/>Delete<br/>Read ACL, Write ACL<br/>Write Owner<br/>Synchronize | File Inherit | ` group@:rw-p-daARWcCos:f------:allow` | `----rw----` |
| group@ | Allow | Read Data, Write Data, Append Data<br/>Read Named Attributes, Write Named Attributes<br/>Execute<br/>Read Attributes, Write Attributes<br/>Delete, Delete Child<br/>Read ACL, Write ACL<br/>Write Owner<br/>Synchronize | Directory Inherit | ` group@:rwxpDdaARWcCos:-d-----:allow` | `d---rwx---` |
| everyone@ | Allow | Read Data<br/>Read Named Attributes<br/>Read Attributes<br/>Read ACL | File Inherit | `everyone@:r-----a-R-c---:f------:allow` | `-------r--` |
| everyone@ | Allow | Read Data<br/>Read Named Attributes<br/>Execute<br/>Read Attributes<br/>Read ACL | Directory Inherit | `everyone@:r-x---a-R-c---:-d-----:allow` | `d------r-x` |
```sh
# Set default permissions of '0664' for files and '0775' for directories.
# Includes ACL-type permissions accordingly.
setfacl -m 'owner@:rw-p-daARWcCos:f------:allow' 'path/to/dir'
setfacl -a '1' 'owner@:rwxpDdaARWcCos:-d-----:allow' 'path/to/dir'
setfacl -m 'group@:r--p--aAR-c--s:f------:allow' 'path/to/dir'
setfacl -a '3' 'group@:r-xp--aAR-c--s:-d-----:allow' 'path/to/dir'
setfacl -m 'everyone@:r-----a-R-c---:f------:allow' 'path/to/dir'
setfacl -a '5' 'everyone@:r-x---a-R-c---:-d-----:allow' 'path/to/dir'
```
## Further readings
- [Access Control Lists (ACL) in Linux]
- [`setfacl` FreeBSD manual page][setfacl freebsd manual page]
- [Syntax descriptions for setting ACLs]
- [ACL inheritance]
<!--
References
-->
<!-- Others -->
[access control lists (acl) in linux]: https://www.geeksforgeeks.org/access-control-listsacl-linux/
[acl inheritance]: https://docs.oracle.com/cd/E19253-01/819-5461/gbaax/index.html
[setfacl freebsd manual page]: https://man.freebsd.org/cgi/man.cgi?setfacl
[syntax descriptions for setting acls]: https://docs.oracle.com/cd/E19253-01/819-5461/gbaay/index.html

41
knowledge base/diy nas/v1.md
View File

@@ -4,7 +4,11 @@
1. [Hardware](#hardware)
1. [Software](#software)
1. [Operational issues](#operational-issues)
1. [Operational burdens](#operational-burdens)
1. [Reserved managed port for Proxmox](#reserved-managed-port-for-proxmox)
1. [Disk passthrough](#disk-passthrough)
1. [Default permissions on files and directories](#default-permissions-on-files-and-directories)
1. [Default permissions in SMB shares](#default-permissions-in-smb-shares)
1. [Further readings](#further-readings)
1. [Sources](#sources)
@@ -24,11 +28,15 @@
[Proxmox] on bare metal, running [TrueNAS Core] as VM.
## Operational issues
## Operational burdens
### Reserved managed port for Proxmox
One NIC is used by Proxmox as _management port_.<br/>
This one is given a fixed IP address and bridged from inside the system.
### Disk passthrough
To allow for disk suspension and SMART checks from the VM, Proxmox needs to **directly** attach the disks to it:
```sh
@@ -45,7 +53,32 @@ $ qm set 100 -sata2 /dev/disk/by-id/ata-ST4000VN008-2DR166_ZGY9WL4Z
$ qm set 100 -sata3 /dev/disk/by-id/ata-ST4000VN008-2DR166_ZGY9W66G
```
Wanting to aggregate
### Default permissions on files and directories
Suppose you want a shared dataset to set the default permissions of newly created files and directories to `0664` and `0775` respectively.
The best way to achieve this would be to set up the dataset's ACLs accordingly:
| Who | ACL Type | Permissions Type | Permissions | Flags Type | Flags | Translated `getfacl` Tags | Resulting Unix Permissions |
| --------- | -------- | ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | ----------------- | ---------------------------------------- | -------------------------- |
| owner@ | Allow | Advanced | Read Data, Write Data, Append Data<br/>Read Named Attributes, Write Named Attributes<br/>Read Attributes, Write Attributes<br/>Delete<br/>Read ACL, Write ACL<br/>Write Owner<br/>Synchronize | Advanced | File Inherit | ` owner@:rw-p-daARWcCos:f------:allow` | `-rw-------` |
| owner@ | Allow | Basic | Full Control | Advanced | Directory Inherit | ` owner@:rwxpDdaARWcCos:-d-----:allow` | `drwx------` |
| group@ | Allow | Advanced | Read Data, Write Data, Append Data<br/>Read Named Attributes, Write Named Attributes<br/>Read Attributes, Write Attributes<br/>Delete<br/>Read ACL, Write ACL<br/>Write Owner<br/>Synchronize | Advanced | File Inherit | ` group@:rw-p-daARWcCos:f------:allow` | `----rw----` |
| group@ | Allow | Basic | Full Control | Advanced | Directory Inherit | ` group@:rwxpDdaARWcCos:-d-----:allow` | `d---rwx---` |
| everyone@ | Allow | Advanced | Read Data<br/>Read Named Attributes<br/>Read Attributes<br/>Read ACL | Advanced | File Inherit | `everyone@:r-----a-R-c---:f------:allow` | `-------r--` |
| everyone@ | Allow | Advanced | Read Data<br/>Read Named Attributes<br/>Execute<br/>Read Attributes<br/>Read ACL | Advanced | Directory Inherit | `everyone@:r-x---a-R-c---:-d-----:allow` | `d------r-x` |
#### Default permissions in SMB shares
A simpler but arguably worse way to achieve a similar result **only for SMB shares** is by using the _mask_ `smb.conf` additional parameters in the share definition:
```txt
create mask = 664
directory mask = 775
```
If a dataset has no ACLs set and you create a SMB share for it, you are asked to create them for its filesystem.<br/>
You can cancel at this point and go for the additional parameters instead.
## Further readings
@@ -56,6 +89,7 @@ Wanting to aggregate
All the references in the [further readings] section, plus the following:
- [The Perfect Home Server 2023]
- [How to run TrueNAS on Proxmox?]
<!--
References
@@ -65,6 +99,7 @@ All the references in the [further readings] section, plus the following:
[corsair rm850e]: https://www.corsair.com/ww/en/p/psu/cp-9020249-ww/rme-series-rm850e-fully-modular-low-noise-atx-power-supply-cp-9020249-ww
[crucial ct2k16g4sfra32a]: https://eu.crucial.com/memory/ddr4/ct2k16g4sfra32a
[fractal design node 304]: https://www.fractal-design.com/products/cases/node/node-304/black/
[how to run truenas on proxmox?]: https://www.youtube.com/watch?v=M3pKprTdNqQ
[intel celeron n5105]: https://www.intel.com/content/www/us/en/products/sku/212328/intel-celeron-processor-n5105-4m-cache-up-to-2-90-ghz/specifications.html
[seagate ironwolf st4000vn008 4tb]: https://www.seagate.com/products/nas-drives/ironwolf-hard-drive/
[the perfect home server 2023]: https://www.youtube.com/watch?v=vjDoQA4C22c

10
knowledge base/freebsd.md
View File

@@ -80,6 +80,16 @@ pkg install -y 'zsh' 'zsh-autosuggestions'
pkg upgrade
pkg install -y 'zsh' 'zsh-autosuggestions'
# List installed packages.
pkg info
# Show information about installed packages.
pkg info 'binutils'
pkg info --list-files 'binutils'
# Find what package installed specific files.
pkg which '/usr/bin/zstd'
# Check for known vulnerabilities in *installed* applications.
pkg audit -F
pkg audit -Fr 'sqlite'

44
knowledge base/linux/acl.md
View File

@@ -1,44 +0,0 @@
# Access Control Lists assignment
## Table of contents <!-- omit in toc -->
1. [TL;DR](#tldr)
1. [Further readings](#further-readings)
## TL;DR
```sh
# Install the tool.
apt install 'acl'
dnf install 'acl'
# Show acls of files.
getfacl 'test/declarations.h'
# Set permissions for users.
setfacl -m 'u:username:rwx' 'test/declarations.h'
# Set permissions for groups.
setfacl -m "g:groupname:r-x" 'test/declarations.h'
# Make children files and directories inherit acls.
# A.K.A. sets default acls.
setfacl -d -m 'u:dummy:rw' 'test'
# Remove specific acls.
setfacl -x 'u:dummy:rw' 'test'
# Remove all acls.
setfacl -b 'test/declarations.h'
```
## Further readings
- [Access Control Lists (ACL) in Linux]
<!--
References
-->
<!-- Others -->
[access control lists (acl) in linux]: https://www.geeksforgeeks.org/access-control-listsacl-linux/

10
knowledge base/mount samba shares from a unix client.md
View File

@@ -8,12 +8,17 @@
## TL;DR
```sh
sudo mount -t cifs -o user=my-user //nas.local/shared_folder local_folder
# Mount samba shares as user 'myself'.
# Such user and a group of the same name exist on the server.
# Show permissions on directories as octal 775 and on files as octal 664.
sudo mount '//nas.lan/shared/folder' 'local/folder' -t 'cifs' \
-o 'user=myself,uid=myself,gid=myself,dir_mode=0775,file_mode=0664'
```
## Further readings
- [Mounting samba shares from a unix client]
- [`mount.cifs` man page][mount.cifs man page]
<!--
References
@@ -21,3 +26,6 @@ sudo mount -t cifs -o user=my-user //nas.local/shared_folder local_folder
<!-- Upstream -->
[mounting samba shares from a unix client]: https://wiki.samba.org/index.php/Mounting_samba_shares_from_a_unix_client
<!-- Others -->
[mount.cifs man page]: https://manpages.debian.org/testing/cifs-utils/mount.cifs.8.en.html