File permissions issue on RPi 4 NAS

[thisisbommy]

I've gone from total beginner on this and I'm almost there, but I'm falling at the final hurdle! I have a Pi running the latest Raspbian and it exists to host a USB drive on my local network, and also download torrents to it. The USB drive is formatted to ext4 and shared via Samba.

Here's what I've achieved...
- The samba share is visible on my local network, with guest access
- My Pi can read files from the drive
- My Mac can read and write to the drive, including creating and deleting files and folders
- My media players in the house can see the drive, browse and play the contents
- Transmission can download torrents and successfully write them to the USB drive
- I can access the Transmission web interface on my local network

And here's what I've failed at...
- My Pi cannot write to or delete files on the drive (when I'm logged in to the Pi directly, I can browse and open files but not amend, delete or create them)
- Transmission cannot autodetect a torrent file in the watch folder and automatically start it (which I believe requires access permissions to the drive, so I think may be the same issue as the bullet above, manifesting in a different way)

Because I'm not so savvy with all of this, I've listed my setup steps below, starting from a fresh install.

- Setup Samba Sharing

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install samba samba-common-bin
Y to continue, Yes to accept
sudo blkid
Get the UUID and paste into string below
sudo nano -Bw /etc/fstab
Add the below to the end of the file and write out

UUID=[UUID string] /mnt/Media auto defaults,user,nofail 0 2

sudo nano /etc/samba/smb.conf
Add the below to the end of the file and write out

[Media]
comment = a_comment
path =/mnt/Media/
public = yes
only guest = yes
browseable = yes
read only = no
writeable = yes
create mask = 0644
directory mask = 0755
force create mask = 0644
force directory mask = 0755
force user = root
force group = root

- Install transmission (sudo apt-get install transmission-daemon)
- Give it some permissions (sudo usermod -a -G pi debian-transmission)
- Edit settings (sudo nano /etc/transmission-daemon/settings.json), set password, download directories, enable incomplete directory, whitelist 10.144.*.* to enable local network computers to see the web interface, and add watch directories (comma on end of all lines except last)

"watch-dir": “/mnt/Media/Downloads/torrent/“,
"watch-dir-enabled": true

- Restart transmission (sudo service transmission-daemon reload)
- Install NordVPN (direct download method)
- Whitelist ports 137, 138, 139, 445 (Samba) and 9091 (Web access) using (nordvpn whitelist add port xxxx)
- Set up autoconnect (nordvpn set autoconnect on United_Kingdom)

[hortimech]

First, a question, where did you get the 'Media' share lines from ?
There are default lines and lines that do not exist.

Because you have 'public = yes' and 'only guest = yes', only guest access will be allowed via Samba, but you also have 'force user = root' and 'force group = root'. This means that only the Samba guest user (usually 'nobody') can access the share, but the files and directories will belong to root:root.

So, when you try to access the files from the command line on the rpi (other methods on the rpi), you are denied acces because the user isn't 'root'. Try using 'sudo'

[ejolson]

First, a question, where did you get the 'Media' share lines from ?
There are default lines and lines that do not exist.

Because you have 'public = yes' and 'only guest = yes', only guest access will be allowed via Samba, but you also have 'force user = root' and 'force group = root'. This means that only the Samba guest user (usually 'nobody') can access the share, but the files and directories will belong to root:root.

So, when you try to access the files from the command line on the rpi (other methods on the rpi), you are denied acces because the user isn't 'root'. Try using 'sudo'

Could setting force user root on a public writable share be a security problem?

[thisisbommy]

Thanks for the replies both.

I got the share instructions from an online guide to setting up a samba share, although I don't have the URL anymore. I used this one, rather than another I found and tried previously, because it's the only one I've found that gives me completely successful read/write access to the share on my Mac.

Given the nature of the files (entertainment media, nothing personal) and that my wireless network is secure, I don't mind if anyone with network access has complete ability to access/edit/delete them (although I appreciate the warning).

@hortimech - I understand your reply right until the suggestion of using sudo. I appreciate that will probably let me edit/delete files using the command line, but that's something I'd never want to do. My only desire is to be able to achieve these two things...

- My Pi cannot write to or delete files on the drive (when I'm logged in to the Pi directly, I can browse and open files but not amend, delete or create them)
- Transmission cannot autodetect a torrent file in the watch folder and automatically start it (which I believe requires access permissions to the drive, so I think may be the same issue as the bullet above, manifesting in a different way)

Have you any suggestions as to how I might tweak my setup to enable those things, please? I'm afraid my understanding of users is pretty much non-existent, but as far as I can tell I need to be able to make the user I log into the system on as, and the user that transmission runs as, have read/write access.

[LTolledo]

try this setting:

Code: Select all

[Media]
comment = a_comment
path =/mnt/Media/
public = yes
browseable = yes
read only = no
create mask = 0777
directory mask = 0777

also check the ownership and permissions on /mnt/Media

Code: Select all

cd /mnt/Media
ls -la

[thisisbommy]

Thanks. I’ll try those settings tomorrow. For now here’s the result of the second suggestion.


free online image hosting

[LTolledo]

do you need RW access to the blue colored ones?
when logging in to your RPi, the default user is "dialout"?

[thisisbommy]

Yes, ideally I'd like RW access to all of those folders shown, and any subfolders of them.

I have no idea who dialout is - I've not created a user on the Pi, and every step I've been through from a fresh install (other than enabling VNC) is shown on the first post on this thread. All I can think is maybe I created the green ones using New Folder in Mac Finder, and the blue ones are ones I copied over as existing folders over the network (from my Mac).

I assume what I need to do is make all of these folders and their subfolders belong to "pi" (which will fix my RW issue from the GUI, and let transmission also read/write to it because it is running as Pi*), then either grant access to those shared folders to Guest, or force a logon when I access the Samba share. Does that sound right? However in the past this is where I've come unstuck, with transmission unable to write to the USB drive, or occasional logon errors from my Mac when trying to access the share.

*I believe that this command during setup made transmission always run as Pi. Am I right?

- Give it some permissions (sudo usermod -a -G pi debian-transmission)

[LTolledo]

first assert ownership

Code: Select all

sudo chown -R pi:pi /mnt/Media/

then set permissions

Code: Select all

sudo chmod -R 0775 /mnt/Media/

for additional info

Code: Select all

man chown
man chmod