EuleMitKeule closed 7 months ago
Sorry for re-opening this issue, but I think it doesn't make any sense to open a new issue.
As EuleMitKeule said the folder should be "777" and "666" to files. Actually you'll override everything (recursive) with 777 in the newest commit: https://github.com/Commifreak/unraid-appdata.backup/commit/149c8ad0091ea181f22b6315b195572ed689e8ef
Also, if the files are owned by nobody:users, it should definitely be enough to set 750 on the folder and 640 on the files. These are backups which may include sensitive data; for example, in my openHAB there's a cloud password included. So I would recommend using root:users instead.
I'm not very familiar with PHP, but the permissions should look like this:
```php
exec("chown -R root:users " . escapeshellarg($abDestination)); // Set all permissions to root user and "unraid-user" group
exec("chmod u=rwx,g=rx,o= " . escapeshellarg($abDestination)); // Set folder permission to root (rwx) users (rx) anyone (*none*)
// The glob stays outside escapeshellarg() so the shell can expand it
exec("chmod u=rw,g=r,o= " . escapeshellarg($abDestination) . "/*"); // set files permission to root (rw) users (r) anyone (*none*)
```
Running this seems to be fine (tested via ssh), as every created user should be in the users group (id: 100). Also, the user cannot modify any of the files. If somebody needs to modify a file, it should be downloaded to the computer or modified via root shell (ssh).
And well, you're right, we are all also able to limit access/permissions via share export.
> These are backups which may include sensitive data
Everything inside Unraid is running with root privileges. Sorry, but a 777 on backups is the smallest issue there. However, I could adjust it again to have rwx,r-x,-, on the ab_ folder itself and rw-,r-,- on its contents to make it right.
It's now changed:
```php
/**
 * Adjusting backup destination permissions (for this run)
 */
exec("chown -R nobody:users " . escapeshellarg($abDestination));
exec("chmod -R u=rw,g=r,o=- " . escapeshellarg($abDestination));
exec("chmod u=rwx,g=rx,o=- " . escapeshellarg($abDestination));
```
This changes the owner to `nobody:users`, sets initially everything to rw,r,- and afterwards makes the ab_ folder accessible.
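The directory-versus-file modes discussed in this thread, as an added shell example that is not the plugin's code or any commenter's: a recursive `chmod -R u=rw,g=r` also clears the execute bit on nested directories, so this version applies modes per entry type with `find` and then lists anything still accessible to "other". The function names, the optional owner argument and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: separate modes for directories and files in a backup tree.
# Function names and the OWNER argument are hypothetical, not part of the plugin.

# harden_backup_dir DEST [OWNER:GROUP]
# Directories get u=rwx,g=rx,o= (750); regular files get u=rw,g=r,o= (640).
harden_backup_dir() {
    dest=$1
    owner=${2:-}
    [ -d "$dest" ] || { echo "not a directory: $dest" >&2; return 1; }

    # Changing ownership requires root; skipped when no owner is given.
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dest" || return 1
    fi

    # -type d / -type f never match symlinks, so link targets are left alone.
    find "$dest" -type d -exec chmod u=rwx,g=rx,o= {} + || return 1
    find "$dest" -type f -exec chmod u=rw,g=r,o= {} + || return 1
}

# list_world_accessible DEST
# Prints every non-symlink entry that still grants any bit to "other".
list_world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Usage (constructed path):
#   harden_backup_dir /mnt/user/backups/ab_example nobody:users
#   list_world_accessible /mnt/user/backups/ab_example
```

An empty result from `list_world_accessible` after the run confirms that no directory or file in the tree is readable, writable or traversable by users outside the owning user and group.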
Thank you for the fix! Maybe it would make sense to allow the user to set the wanted permissions that will be applied via the UI?
Yea. Would be nice. But if it fits… Advanced users could easily set up a postRun script that does it. We'll see
Directories and files created by the plugin should be owned by `nobody:users` and have permissions `rwxrwxrwx` for directories and `rw-rw-rw` for files, in order for the backup share to be accessible via SMB and writable by the users assigned in the share configuration.