Commifreak / unraid-appdata.backup

UNRAID AppData backup plugin

Create files and folders with default Unraid permissions and owners #6

Closed EuleMitKeule closed 7 months ago

EuleMitKeule commented 10 months ago

Directories and files created by the plugin should be owned by nobody:users and have permissions rwxrwxrwx for directories and rw-rw-rw for files, in order for the backup share to be accessible via SMB and writable by the users assigned in the share configuration.

realizelol commented 7 months ago

Sorry for re-opening this issue, but I think it doesn't make any sense to open a new issue.

As EuleMitKeule said, folders should be "777" and files "666". Actually, you'll override everything (recursively) with 777 in the newest commit: https://github.com/Commifreak/unraid-appdata.backup/commit/149c8ad0091ea181f22b6315b195572ed689e8ef

Also, if the files are owned by nobody:users, it should definitely be enough to set 750 on folders and 640 on files. These are backups which may include sensitive data; for example, in my openHAB there's a cloud password included. So I would recommend using root:users instead.

I'm not very familiar with PHP, but the permissions should look like this:

    exec("chown -R root:users " . escapeshellarg($abDestination));       // Set owner to root user and group to "unraid-user" group (users)
    exec("chmod u=rwx,g=rx,o= " . escapeshellarg($abDestination));       // Set folder permission to root (rwx) users (rx) anyone (*none*)
    exec("chmod u=rw,g=r,o= " . escapeshellarg($abDestination) . "/*");  // Set files permission to root (rw) users (r) anyone (*none*); the glob stays outside the quoting so the shell expands it

Running this seems to be fine (tested via ssh), as every created user should be in the users group (id: 100). Also, the user cannot modify any of the files. If somebody needs to modify a file, it should be downloaded to the computer or modified via a root shell (ssh).

And well, you're right, we are all also able to limit access/permissions via share export.

Commifreak commented 7 months ago

> These are backups which may include sensitive data

Everything inside Unraid is running with root privileges. Sorry, but a 777 on backups is the smallest issue there. However, I could adjust it again to have rwx,r-x,-, on the ab_ folder itself and rw-,r-,- on its contents to make it right.

Commifreak commented 7 months ago

It's now changed:

    /**
     * Adjusting backup destination permissions (for this run)
     */
    exec("chown -R nobody:users " . escapeshellarg($abDestination));
    exec("chmod -R u=rw,g=r,o=- " . escapeshellarg($abDestination));
    exec("chmod u=rwx,g=rx,o=- " . escapeshellarg($abDestination));

This changes the owner to `nobody:users`, sets initially everything to rw,r,- and afterwards makes the ab_ folder accessible.

EuleMitKeule commented 7 months ago

Thank you for the fix! Maybe it would make sense to allow the user to set the wanted permissions that will be applied via the UI?

Commifreak commented 7 months ago

Yeah. Would be nice. But if it fits… Advanced users could easily set up a postRun script that does it. We'll see.
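
A postRun-style script for the modes discussed in this thread (750 on directories, 640 on files, owner nobody:users), as an added example that is not part of the thread or the plugin's code. The function name, its arguments and the way the script would be invoked are assumptions; it uses `find` so that subdirectories keep their execute bit while files do not get one.

```shell
#!/bin/sh
# Added example, not the plugin's code. Assumptions: the function name,
# the argument order and the default owner are illustrative only.

harden_backup_dir() {
    dest=$1
    owner=${2-nobody:users}   # pass "" to leave ownership untouched

    # Refuse empty, root or relative paths before touching anything.
    case $dest in
        ''|/) echo "refusing to operate on '$dest'" >&2; return 2 ;;
        /*)   ;;
        *)    echo "destination must be an absolute path" >&2; return 2 ;;
    esac

    # The destination must be a real directory, not a symlink to one.
    if [ ! -d "$dest" ] || [ -L "$dest" ]; then
        echo "not a directory: $dest" >&2
        return 2
    fi

    # -h changes a symlink itself rather than the file it points to.
    if [ -n "$owner" ]; then
        chown -hR "$owner" "$dest" || return 1
    fi

    # find does not follow symlinks by default, so nothing outside the
    # backup tree is touched. Directories get x (traversal), files do not.
    find "$dest" -type d -exec chmod u=rwx,g=rx,o= {} + || return 1
    find "$dest" -type f -exec chmod u=rw,g=r,o= {} + || return 1
}

# Run against the path given on the command line, if any.
if [ "$#" -gt 0 ]; then
    harden_backup_dir "$@"
fi
```

Changing ownership needs root, which is why the owner argument can be set to an empty string when only the modes should be adjusted.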