Blaok / nextcloud-inotifyscan

Automatically scan external changes for Nextcloud local storage.
MIT License
48 stars 14 forks

Question, possible feature request concerning SSHFS user/group #24

Open wildernessfamily opened 1 year ago

wildernessfamily commented 1 year ago

Hi, I've been using iNotifyScan for some time. It works flawlessly. It's amazing! I switched from using SAMBA to SSHFS. I don't want all my users (family members) using the same SSH key for user www-data. Example, let's say my SSH username is david123. When I create the SSHFS mount to my NextCloud files and I transfer files, they are written as user david123 and group david123. iNotifyScan picks up the files and adds them to the NextCloud database, but I can't access them in the NextCloud UI. I get permission denied due to the user/group naming. When using iNotifyScan, is there a possibility to update the user/group of all of the scanned files for any and all users to www-data:www-data during the scan?

Thank you for your time and hard work creating iNotifyScan. Very much appreciated!

Blaok commented 12 months ago

Hi,

I'm very glad that you find this project useful :)

Regarding your feature request, let me first confirm if I understand it correctly:

  1. You have a server running Nextcloud as user www-data; the same server also serves files as user david123 via SSH;
  2. Files uploaded via SSH/SSHFS are not accessible by www-data because they have user/group david123. Therefore, the Nextcloud web server cannot access them;
  3. Your solution is to run nextcloud-inotifyscan as root so that it not only adds files to the Nextcloud database, but also updates the user and group so that the web server can access them as www-data.

I think this is a valid and probably very common use case, but I wouldn't recommend your solution, for two reasons: 1) updating user/group is not intended usage of nextcloud-inotifyscan, especially given the fact that it requires privileges, and 2) there is a simpler and (arguably) better solution. In fact, I have exactly the same use cases and have been using the following solution for years, but never was able to document it anywhere. This might be a good time to do it. The idea is to attack the fact that

Files uploaded via SSH/SSHFS are not accessible by www-data because they have user/group david123.

This is doable using ACL to make new files and directories inherit group from their parent directory. Step-by-step example:

  1. Select or create a group whose members are sharing (read & write) accesses, e.g., family;
  2. Add users to the group, e.g., usermod -a -G family www-data; usermod -a -G family david123;
  3. Change the group of files that you intend to share, e.g., chgrp family -R /path/to/shared/dir/;
  4. Make the files writable by the group, e.g., chmod g+w /path/to/shared/dir/;
  5. Make new files/directories inherit the group, e.g., chmod g+s /path/to/shared/dir/;
  6. Make new files/directories inherit the mode so that new files/directories remain writable by the group, e.g., setfacl -dm g::rwx /path/to/shared/dir/.

New files and directories under /path/to/shared/dir/ will now have group family even if they are created by the www-data user via Nextcloud or by the david123 user via SSH. Both users are able to read & write files owned by group family, too. New subdirectories will inherit the same property. Existing files and directories will need to be updated in a similar way as /path/to/shared/dir/, possibly with the help of find -type d/f -exec.
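As an added example (not part of nextcloud-inotifyscan and not the maintainer's own script), the following POSIX shell script applies steps 3 to 6 of the comment above recursively to an existing tree and then audits the result, which is the check an administrator wants before trusting the setup. It assumes a Linux userland with coreutils, findutils and the `acl` package (setfacl/getfacl); the directory and group name are parameters, and steps 1 and 2 (creating the group and adding www-data and the SSH users to it) need root and are left to the administrator.

```shell
#!/bin/sh
# Added example: apply the shared-group layout described in the comment
# (chgrp, g+w, setgid on directories, default ACL g::rwx) to a whole tree
# and verify it. Assumes GNU/Linux coreutils, findutils and the acl package.
set -u

# Probe whether DIR's filesystem accepts POSIX ACLs: the acl package may be
# missing or the mount may not support them. Returns 0 if a test ACL sticks.
acl_supported() {
    dir=$1
    command -v setfacl >/dev/null 2>&1 || return 1
    probe=$(mktemp "$dir/.aclprobe.XXXXXX") || return 1
    setfacl -m g::rwx "$probe" >/dev/null 2>&1
    rc=$?
    rm -f "$probe"
    return $rc
}

# Steps 3-6 of the comment, recursively (the "find -type d/f -exec" the
# author mentions for existing files and subdirectories).
setup_shared_dir() {
    dir=$1; group=$2
    chgrp -R "$group" "$dir" || return 1
    # Directories: group rwx plus setgid so new entries inherit the group.
    find "$dir" -type d -exec chmod g+rwxs {} + || return 1
    # Plain files: group rw only; setgid on files is not wanted.
    find "$dir" -type f -exec chmod g+rw {} + || return 1
    if acl_supported "$dir"; then
        # Default ACL so entries created under any umask keep group write.
        find "$dir" -type d -exec setfacl -dm g::rwx {} + || return 1
    else
        echo "warning: ACLs unavailable on $dir; new files follow the creator's umask" >&2
    fi
    return 0
}

# Audit: every entry carries GROUP, every directory carries setgid, and
# everything is group-writable. Lists violations on stderr, returns 1 if any.
check_shared_dir() {
    dir=$1; group=$2; rc=0
    wrong=$(find "$dir" ! -group "$group")
    [ -z "$wrong" ] || { printf 'wrong group:\n%s\n' "$wrong" >&2; rc=1; }
    nosgid=$(find "$dir" -type d ! -perm -2000)
    [ -z "$nosgid" ] || { printf 'missing setgid:\n%s\n' "$nosgid" >&2; rc=1; }
    nogw=$(find "$dir" ! -perm -020)
    [ -z "$nogw" ] || { printf 'not group-writable:\n%s\n' "$nogw" >&2; rc=1; }
    return $rc
}

# Helpers for spot checks on a single entry.
file_group() { ls -ld "$1" | awk '{print $4}'; }
group_writable() { [ -n "$(find "$1" -prune -perm -020)" ]; }

# Usage: sh shared_dir.sh /path/to/shared/dir family
if [ $# -eq 2 ]; then
    setup_shared_dir "$1" "$2" && check_shared_dir "$1" "$2" \
        && echo "ok: $1 is shared via group $2"
fi
```

The default ACL matters because of how Linux computes the mode of a new entry: without one, a file requested as 0666 is trimmed by the creator's umask (022 strips group write, which is exactly what breaks the www-data/david123 handoff); with a default ACL the umask is ignored and the requested mode is combined with the default entries instead, so group write survives. A process that explicitly asks for 0644 still gets a group read-only file, so the audit function is worth re-running after the first real uploads from each side.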