* [gentoo-user] Mediatomb media server - users & permissions for /media/videoX
From: Stroller @ 2008-09-30 2:05 UTC
To: gentoo-user
Hi there,
I'm in the process of ripping my DVD collection to mp4 and have just
installed net-misc/mediatomb. I am EXTREMELY impressed with this
service, which has very quickly demonstrated a marvellous ability to
stream video to my PS3.
On my server I have two largish hard-drives which are used for
miscellaneous storage - backups, drivers & service packs for my work,
customer backups and all these video files which will soon be rapidly
increasing in quantity.
Because of the miscellaneous nature of this data, I have mounted these
two disks at /mnt/space and /mnt/morespace. Following a discussion a
while back I will probably move them to /media/video[123] or /media/
spaceX when I get around to reorganising.
Permissions on these volumes are such that any user on the system (me,
hypothetically trusted friends or family in the future) should have
full access to all the miscellaneous junk on them. I need to play back
videos and delete the old versions when I decide a film needs to be
ripped in higher quality.
I'm a little unclear as to how these permissions have been applied -
shouldn't it be based either on the permissions of the mount-point
directory, or added as an "-o users,umask=000" in /etc/fstab ?
$ grep space /etc/fstab
LABEL=space /mnt/space xfs noatime 0 3
LABEL=MoreSpace /mnt/morespace xfs noatime 0 3
$ sudo umount /mnt/morespace/
$ ls -lh /mnt/
total 0
drwxrwx--- 2 root cdrom 72 May 28 2007 dvdrom
drwxrwx--- 2 root users 48 Sep 21 23:24 foo
drwxrwxrwx 2 root root 48 May 19 2007 morespace
drwxrwx--- 8 root users 116 Sep 11 11:53 space
$ sudo mount -a
$ ls -lh /mnt/
total 4.0K
drwxrwx--- 2 root cdrom 72 May 28 2007 dvdrom
drwxrwx--- 2 root users 48 Sep 21 23:24 foo
drwxrwx--- 5 root users 4.0K Sep 15 20:46 morespace
drwxrwx--- 8 root users 116 Sep 11 11:53 space
$
Anyway, the problem that I encountered was that Mediatomb was unable
to read these drives because Gentoo init.d script (very sensibly, IMO)
runs the server as its own user, which clearly did not have permission
to read these disks. I like this idea, because I tend to trust the
users on my system (this may be foolish!) yet fear a hijacked daemon
maliciously deleting my collection of Carry On films.
You can see here how I've worked around the problem for the moment:
$ grep -ie user -ie group /etc/conf.d/mediatomb
# Run MediaTomb as this user.
MEDIATOMB_USER="mediatomb"
# Run MediaTomb as this group.
#MEDIATOMB_GROUP="mediatomb"
MEDIATOMB_GROUP="users"
$
However I'm posting to solicit suggestions on the best permissions
practices for this purpose. mediatomb shouldn't need write access to
these files or folders at all - there's no option on the UPnP client,
for instance, to delete files from the server. Should I make the
drives owned by "users" and in the "mediatomb" group, with read-only
access for the latter? Any other suggestions?
Stroller.
* Re: [gentoo-user] Mediatomb media server - users & permissions for /media/videoX
From: Willie Wong @ 2008-09-30 14:18 UTC
To: gentoo-user
On Tue, Sep 30, 2008 at 03:05:58AM +0100, Penguin Lover Stroller squawked:
> I'm a little unclear as to how these permissions have been applied -
> shouldn't it be based either on the permissions of the mount-point
> directory, or added as an "-o users,umask=000" in /etc/fstab ?
umask only applies to file systems with no intrinsic permission
settings, e.g. VFAT. The permissions for file systems with permission
bits are set in the file system itself. Which is why before and after
mounting the mount point may have different permission listings.
In other words, chmod/chown/chgrp applied to the mount point with
nothing mounted will change the mount point's listing when nothing is
mounted, and chmod/chown/chgrp applied to the mount point after
mounting will change the permissions of the actual file system.
>
> However I'm posting to solicit suggestions on the best permissions
> practices for this purpose. mediatomb shouldn't need write access to these
> files or folders at all - there's no option on the UPnP client, for
> instance, to delete files from the server. Should I make the drives owned
> by "users" and in the "mediatomb" group, with read-only access for the
> latter? Any other suggestions?
>
What's so secret in your media folders that you can't just give read
access to mediatomb? Why don't you have it like you have now with
regards to the owner and group and just give read permission to other?
owner root
group users
umask 002 (i.e. you will have rwxrwxr-x or rw-rw-r-- ?)
To do any fancier (say, files owned by root, read-write access for all
users and read access only for mediatomb and no access for everyone
else) you will probably need a real ACL with which I can offer no
suggestions.
W
--
When coal was first discovered, there was a large black market.
Sortir en Pantoufles: up 662 days, 12:48
* Re: [gentoo-user] Mediatomb media server - users & permissions for /media/videoX
From: Stroller @ 2008-10-01 6:27 UTC
To: gentoo-user
Hi Willie,
Many thanks for your informative reply.
On 30 Sep 2008, at 15:18, Willie Wong wrote:
> On Tue, Sep 30, 2008 at 03:05:58AM +0100, Penguin Lover Stroller
> squawked:
>> I'm a little unclear as to how these permissions have been applied -
>> shouldn't it be based either on the permissions of the mount-point
>> directory, or added as an "-o users,umask=000" in /etc/fstab ?
>
> umask only applies to file systems with no intrinsic permission
> settings, e.g. VFAT. The permissions for file systems with permission
> bits are set in the file system itself ... chmod/chown/chgrp applied
> to the mount point after
> mounting will change the permissions of the actual file system.
Of course! It would not have occurred to me to ask this question were
I mounting a drive at a normal place in the Unix directory tree (by
which I mean /bin, /boot, /etc, /home, /lib, /sbin, /usr, /var and
directories below them).
>> However I'm posting to solicit suggestions on the best permissions
>> practices for this purpose. mediatomb shouldn't need write access
>> to these
>> files or folders at all - there's no option on the UPnP client, for
>> instance, to delete files from the server. Should I make the drives
>> owned
>> by "users" and in the "mediatomb" group, with read-only access for
>> the
>> latter? Any other suggestions?
>>
> What's so secret in your media folders that you can't just give read
> access to mediatomb? Why don't you have it like you have now with
> regards to the owner and group and just give read permission to other?
>
> owner root
> group users
> umask 002 (i.e. you will have rwxrwxr-x or rw-rw-r-- ?)
Of course! That's perfect. And I can easily keep customer data and
other stuff on the drive at umask 007.
> To do any fancier (say, files owned by root, read-write access for all
> users and read access only for mediatomb and no access for everyone
> else) you will probably need a real ACL with which I can offer no
> suggestions.
No, that's not necessary at all. I must've been having a brain-fart
even to have asked.
Stroller.
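As an added example (not part of the thread, and not the Gentoo init script's own code): a POSIX sh script that applies the scheme Willie suggests (owner root, group users, umask 002, so a daemon running as an unrelated user such as mediatomb gets read-only access through the "other" class) together with the umask 007 tier Stroller mentions for customer data, and then checks the condition Stroller's original drwxrwx--- root users /mnt/space failed: the daemon must have execute permission on every directory from the mount point down, not just read on the file. The directory layout, the group name, the setgid bit on directories and the use of GNU stat -c are assumptions; chown is skipped when not running as root so the demo works unprivileged in a temp dir.

```shell
#!/bin/sh
# Added example, not from the thread. Two permission tiers on one volume:
#   media:     root:users, dirs 2775 / files 664 (umask 002) -> "other" reads only
#   customers: root:users, dirs 2770 / files 660 (umask 007) -> "other" has nothing
# The setgid bit (assumption, not in the thread) makes new files inherit group
# "users" instead of the creating user's primary group. Requires GNU stat.
set -eu

MEDIA_DMODE=2775;   MEDIA_FMODE=664
PRIVATE_DMODE=2770; PRIVATE_FMODE=660

# apply_perms ROOT DMODE FMODE: DMODE on every directory, FMODE on every file under ROOT.
apply_perms() {
    find "$1" -type d -exec chmod "$2" {} +
    find "$1" -type f -exec chmod "$3" {} +
}

# setup_volume VOL [OWNER] [GROUP]: media tier everywhere, private tier under VOL/customers.
# chown runs only as root and only if GROUP exists, so the demo also works unprivileged.
setup_volume() {
    vol=$1; owner=${2:-root}; group=${3:-users}
    if [ "$(id -u)" -eq 0 ] && getent group "$group" >/dev/null 2>&1; then
        chown -R "$owner:$group" "$vol"
    fi
    apply_perms "$vol" "$MEDIA_DMODE" "$MEDIA_FMODE"
    if [ -d "$vol/customers" ]; then
        apply_perms "$vol/customers" "$PRIVATE_DMODE" "$PRIVATE_FMODE"
    fi
}

mode_of() { stat -c '%a' "$1"; }                     # e.g. 2775 or 664 (GNU stat)
other_bits() { echo $(( $(mode_of "$1") % 10 )); }   # the "other" digit of the mode

# other_can_read_file ROOT FILE: succeeds iff "other" has x on ROOT and every
# directory between ROOT and FILE, and r on FILE. A volume root of drwxrwx---
# fails here even when the file itself is world-readable.
other_can_read_file() {
    root=$1; f=$2
    d=$(dirname "$f")
    while [ "$d" != "$root" ]; do
        [ $(( $(other_bits "$d") & 1 )) -ne 0 ] || return 1
        case $d in /|.) return 1 ;; esac              # FILE is not under ROOT
        d=$(dirname "$d")
    done
    [ $(( $(other_bits "$root") & 1 )) -ne 0 ] || return 1
    [ $(( $(other_bits "$f") & 4 )) -ne 0 ]
}

# make_demo_volume: constructed tree in a temp dir, scheme applied, then one new
# file per tier created under the matching umask (what a trusted user would do).
# Prints the volume path.
make_demo_volume() {
    vol=$(mktemp -d)
    mkdir -p "$vol/videos" "$vol/customers/acme"
    : > "$vol/videos/carry_on.mp4"
    : > "$vol/customers/acme/backup.tar"
    setup_volume "$vol"
    ( umask 002; : > "$vol/videos/new_rip.mp4" )
    ( umask 007; : > "$vol/customers/acme/new_backup.tar" )
    echo "$vol"
}

v=$(make_demo_volume)
if other_can_read_file "$v" "$v/videos/carry_on.mp4"; then
    echo "videos: readable by the daemon via 'other'"
fi
if ! other_can_read_file "$v" "$v/customers/acme/backup.tar"; then
    echo "customers: not reachable by the daemon"
fi
rm -rf "$v"
```

The traversal check is the practical part: with the two volumes at drwxrwx--- root users, as in the first ls listing, nothing below them is reachable by a process outside the users group however the files themselves are set, which is why the mount point (after mounting, as Willie notes) needs o+rx as well. Keeping customer data in a 2770 subtree gives the daemon no path into it at all, without any ACL.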