Freenas 11.3 does not allow editing of root dataset permissions/ACL/Owners
Description
Problem/Justification
Impact
SmartDraw Connector
Katalon Manual Tests (BETA)
Activity
Nick M April 21, 2020 at 5:49 AM
Thank you for the help , I really appreciate the thorough response You guys always provide so much support to the FreeNAS community. I can definitely appreciate the thought process behind this decision and I respect it. At this point, my only request is to add to the documentation an area that can show an example of the commands required to change root dataset permissions so that a Windows computer could then finalize the permissions. Just enough to make a local or AD user/group owner of the root of a dataset so someone could continue from another computer. Would something like that be possible?
Andrew Walker April 11, 2020 at 6:48 PM
Permissions can still be managed through command line utilities (chmod, chown, setfacl, and winacl). They can also be set over SMB using a Windows client. Perhaps you can explain the use case that requires frequent changing / resetting of permissions on the root level dataset.
Permissions management in 11.2 for datasets was extremely rudimentary. For "windows" datasets it literally just ran "winacl -a reset -r -p <path>", and was only ever really intended to provide a basis for modifying ACLs from a Windows client. In 11.2-U6 and later doing this on the root dataset would more often than not knock servers out of production due to changes in security for default ACLs set by winacl.
The decision to expose permissions at this level has led to enterprise users inadvertently removing access to their entire data pool on quite a few occasions. Home users also have accidentally used this same feature on numerous occasions to accidentally reset permissions across jails and plugins. So there are compelling reasons to place guards to prevent users from doing this.
Aaron April 11, 2020 at 6:12 PM(edited)
IX, please think about adding an advanced option. I'm currently kinda screwed because I can't change the root permissions and I have a bunch of folders under root and not a dataset. Yes, this isn't suggested, but it's your doing that this was a problem from the beginning. Removing this option is insane.
Nick M April 8, 2020 at 11:02 PM
I'm assuming setting permissions on the root dataset isnt the recommended method for permission control anymore. Would it be possible to add an advanced option that could allow us to edit root dataset permissions like before? Even if it was an advanced option with a warning, that would be extremely helpful for all of us who have used the root dataset for years.
In Freenas 11.2 and all previous versions we could edit permissions for the root dataset of a pool. Many of us have been storing data on Freenas in the root dataset and did not create child datasets from the root dataset (as there was no need to do this). Unfortunately, in 11.3 the ability to change root dataset permissions is greyed out and not allowed. This page from the ixsystems forums is a great example ( https://www.ixsystems.com/community/threads/11-3-acl-permissions-greyed-out-for-smb-and-pool.81911/ )
Many of us have been storing data on the root dataset for years and it's a massive headache to now be forced to move all our data to a child dataset just to be able to edit permissions. We need to be able to modify root dataset permissions/ACL/owners again.