Hi everyone,
I have been struggling with an issue for quite some time. The ultimate goal is accessing my datasets remotely over Nextcloud as well as locally over SMB.
My system:
- TrueNAS based on FreeBSD 12.2
- Nextcloud running in a Caddy server (I’d be open to Nginx server, these two options can be deployed with very low effort)
- User datasets mounted over fstab entries in FreeBSD jail running Nextcloud
- Small home NAS with a handful of users, all part of group “home”
My issue:
- Integrating datasets from /mnt/… with external storage works fine.
- I managed to change the primary group of www to my home group. So the owner of newly created data is www:home, which is already a big step to my goal.
- But, the new files and folders have 644 permissions, 755 respectively for folders.
- Meaning that data uploaded to or created in Nextcloud has read-only permissions when accessed over SMB by user1:home.
- A nightly cron job resets all permissions to 770; sometimes I do it manually if I need to edit data ASAP, which is quite often.
The main reason I really want direct SMB shares on my datasets is the powerful ZFS snapshots in FreeBSD. With a direct SMB share I can expose all snapshots to the user, allowing deleted or modified data to be recovered up to one year back. I am pretty sure that all of this would be lost over WebDAV, when even in Nextcloud it is not fully accessible (only file changes, no directory versions).
What I have tried so far:
- Add umask 007 to the php-fpm daemon (rc.d script excerpt):
[...]
# Default umask for the php-fpm daemon, overridable from rc.conf
: ${php_fpm_umask="007"}
[...]
php_fpm_prestart()
{
	php_fpm_checkconfig
	checkconfig=$?
	if [ $checkconfig -ne 0 ]; then
		return $checkconfig
	fi
	# Apply the umask before the daemon is started
	if [ ! -z "$php_fpm_umask" ]; then
		echo "Setting umask to: ${php_fpm_umask}"
		umask $php_fpm_umask
	fi
}
Restarting php-fpm outputs the following text:
test is successful
Setting umask to: 007
Starting php_fpm.
- Create home directory for www user, adding umask 007 to .profile, .cshrc, .bashrc, .bash_profile, etc.
- Create login for www user and have www logged in while testing Nextcloud.
- ACLs with inheritance; it seems like they were overridden by the Nextcloud permissions.
- Directly mounting the user files folder from the host system, without the step over external storage. But, as I found out, file changes outside of Nextcloud are not registered. Probably the reason why the external storage app exists in the first place.
- Maybe some other stuff too.
All of these tries did not change the permissions on new data. 644/755, no matter what.
My questions now:
- Of course my main question: how can I set the umask for web servers other than Apache? Link1 Link2 Link3
- Or one step back: why is it even necessary to jump through these hoops? Nextcloud allows for authentication via SMB (and others), so why does it not handle the data with the real ownership of the authenticated user? How do enterprise customers handle this? Big companies with tight IT policies regarding groups and permissions of their data, I can’t imagine that they just give up on this and allow setting everything to www:www with 777.
- Why aren’t snapshots integrated more seamlessly? They are awesome! I can’t imagine being the only one missing this feature. There is an almost four-year-old feature request on GitHub for folder versions and one from last year for external storage support. This would make it easier for me to accept passing on an SMB share.
I am interested to hear any pointers on how to solve this or how you guys handle this.
Thanks in advance
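The following is an added example, not code from the original post or from Nextcloud or FreeBSD. It is a small POSIX sh script with two diagnostics for the 644/755-versus-770 problem described above: `probe_umask` creates a scratch file and directory under a given umask and reports the resulting modes, so the same probe can be run in the context under investigation (for example via `su -m www -c 'sh probe.sh --demo /path'` inside the jail; the path, and running it as www, are assumptions) to see which umask is really in effect there; `count_not_group_writable` and `fix_group_write` audit a dataset tree for entries the group cannot write and repair them to 660/770, the same result that umask 007 would have produced. All path, user and group names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders throughout:
# the directory passed in stands for a dataset under /mnt/... in the jail.

# Print the permission bits of a path as three octal digits.
# GNU stat (Linux) is tried first, BSD stat (FreeBSD/TrueNAS) second.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# probe_umask UMASK DIR
# Create a scratch file and directory under DIR in a subshell with UMASK set,
# print "<file mode> <dir mode>", then remove the scratch entries again.
# A new file starts from 0666 and a new directory from 0777, so
# umask 007 gives "660 770" and umask 022 gives "644 755".
probe_umask() {
    um="$1"
    dir="$2"
    f="$dir/.umask_probe_file.$$"
    d="$dir/.umask_probe_dir.$$"
    (
        umask "$um"
        : > "$f"        # file: 0666 & ~umask
        mkdir "$d"      # dir:  0777 & ~umask
    )
    printf '%s %s\n' "$(mode_of "$f")" "$(mode_of "$d")"
    rm -rf "$f" "$d"
}

# list_not_group_writable DIR
# Print every entry under DIR (DIR itself included) that lacks the group
# write bit (octal 020), for inspection before changing anything.
list_not_group_writable() {
    find "$1" ! -perm -020
}

# count_not_group_writable DIR
# Same test, printing only the number of offending entries. Path names that
# contain a newline would be miscounted; acceptable for a home NAS audit.
count_not_group_writable() {
    find "$1" ! -perm -020 | wc -l | tr -d ' '
}

# fix_group_write DIR
# Grant the group read and write, plus search/execute where the entry is a
# directory or already executable (the X flag), and drop all access for
# "other". Plain files end up 660 and directories 770. Recurses below DIR.
fix_group_write() {
    chmod -R 'g+rwX,o-rwx' "$1"
}

# Usage as a script: probe a directory with both umasks, then audit it.
# Run the fix step deliberately, after reviewing the listed paths.
if [ "${1:-}" = "--demo" ]; then
    target="${2:-/tmp}"    # placeholder path
    echo "umask 007 gives (file dir): $(probe_umask 007 "$target")"
    echo "umask 022 gives (file dir): $(probe_umask 022 "$target")"
    echo "entries not group-writable under $target: $(count_not_group_writable "$target")"
fi
```

If the probe reports 660/770 when run as the web server user from a login shell but Nextcloud still produces 644/755, the umask is being changed somewhere between the rc.d script and the PHP code that writes the file, not in the shell environment. The audit functions then give a targeted way to find and repair only the entries that are wrong, instead of resetting the whole tree every night.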