[SOLVED]: Sync Library to NAS with seaf-CLI and then share to the network - permissions


#1

Hi

This is not really a Seafile issue but I hope for some support here in the Forum.
Maybe someone tried something similar already and ran into a similar issue.

The following scenario:

Seafile server 6.2.5 on an Ubuntu 16.04 RootServer --> cloud.example.com

Inside my home network: A Helios4 NAS system with ARM processor and Openmediavault (OMV) is running with Samba shares and seaf-cli installed.

On the Helios4 a headless seaf-cli is running under the user “seafile”.

The Seafile Server cloud.example.com shares Library1.

The seaf-cli on the Helios4 syncs Library1 to a Samba share folder “Samba1”.

Samba1 is shared as read/write to the users seafile, user1 and user2.

The sync of Library1 works flawless. All files of Library1 are synced to Samba1.
A ls -l in Samba1 shows the permissions to be:

ls -l
drwxr-sr-x 2 seafile users 4096 Apr 2 08:24 Folder1
-rw-r–r-- 1 seafile users 452334049 Mar 29 09:45 Movie1.MOV
-rw-r–r-- 1 seafile users 422486 Mar 29 10:42 Word.docx
-rw-r–r-- 1 seafile users 433303 Mar 14 17:46 Letter.pdf

If I access the files as user1 or user2 from a Mac inside the share Samba1 I can’t edit the files which were written by seaf-cli under user seafile, but can open/read them.

If I access the files as the user seafile from the same Mac inside the Samba1 then I can edit the files which were written by seaf-cli under user seafile. So can read/write.

It looks like user1 and user2 only have read permissions on the files that were written by user seafile through seaf-cli application.

BUT once I changed a file with the user seafile from the Mac inside Samba1 then I can edit the files also with user1 and user2 inside Samba1.

So it seems that the files written by user seafile thorugh the application seaf-cli makes them read only for user1 and user2 BUT files written by user seafile directly inside the share Samba1 gives them “read/write” permissions also for user1 and user2.

What can I do so that the application seaf-cli can write under the user seafile into the Samba1 and that user1 and user2 can actually have read/write permissions on them inside Samba1, as intended.

I hope this all makes sense.

In a nutshell:
Files written into a Samba share by seaf-cli are always read only for other users that access the share through Samba, although they should have read/write permissions on the files in the share.
What can be done to have the files read/write for all users, although written by seaf-cli application.

Greetings, Chris


#2

I’m not certain exactly what you are trying to do, but I did notice your permissions for those files in that folder are 644. And seafile is the owner. So, it makes sense that the user seafile can read and write the files since it has permission to do so. However, you have read only access to the group owner and any other user. Therin lies your problem.

You’ll have to change permissions on those files to allow user1 and user2 to write to them.


#3

Hi wthess and thanks for your answer.

I will look into what 644 means for permissions.

What I am trying to achieve:
I want to have a server that syncs all sorts of large libraries and that can be accessed from users via a samba share in the same network.
That share should then sync back the changes to the seafile server that users made in the samba share.

If I change the permissions now manually, then every time the seaf-cli syncs and writes/overwrites files, then those files will be owned by the user seafile again. That’s not really a solution therefore.

If the seaf-cli application would/could write in some way, that user1 and user2 could get permissions on read/write of the files, maybe that would be a solution.
I have no idea though if that could be possible.


#4

Hi wthess

Looked a bit into the permissions naming, which was new to me.
I understand the 644 now.

Basically I think I can summarize my question like this:
Is there a way to let the seaf-cli application create all files with 664 permissions.

So this way the users could read/write inside the Samba1 share.

I hope this makes sense now.

I already had a look and have found something about starting the seaf-cli with some “umask - flag”, but that’s still new to me (“Neuland” :wink: ).
So no idea yet if that’s correct.

Inspirations:


Greetings, Chris


#5

I’m not certain whether it’s possible to control the permissions from the CLI or not as I don’t use the CLI excepting for retrieval of files when I can’t access them via the web ui or a client. Maybe someone else could shed light on this and the usage of the umask option.


#6

Hi wthess

I was a bit busy, but now I had some time to do more research on this.
And I have found “a” solution that works.

I am not 100% sure what I am doing actually, but it works:

I changed the pam_umask module.

sudo nano /etc/pam.d/common-session

Add the line to the bottom of the file

session optional pam_umask.so umask=022

Then change umask for username (my username is “seafile”)

sudo chfn -o “umask=002” seafile

Now seaf-cli that runs under user “seafile” writes all files with 664 permissions.

I can access and change files in the samba share with user1 and user2.

If someone who reads this thinks that letting a user run with a umask of 002 is a bad idea, then please let me know :wink:

If not, I will mark this as “Solved” or “Closed”.

Greetings, Chris.


#7

Good thinking. It’s good to know that option is available. Go ahead and add [SOLVED] to the first part of the title, please. :slight_smile:


#8

Hi…Safe integration with seafile client, allowing user to configure remote sync of network shares from desktop client will probably require implementing username mapping between seafile and unix server, as passing uid/gid is insecure.
So for now, one have to use command line on samba server to sync libraries.