How to add an LDAP user to a system group (or vice-versa)

My YunoHost server

Hardware: VPS bought online
YunoHost version: 11.0.10.2
I have access to my server : Through SSH | through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : I want to :slight_smile:

Description of my issue

I have installed Jellyfin on my instance, and would like to set it up in a way that:

  • I can copy my media files to the server using scp (also fine with sftp, I suppose it does not change my problem) to some directory, therefore I need write permissions to it
  • Jellyfin can download metadata and image files to the same directory, therefore it also needs write permissions

To do so, I thought I’d add both my user and the jellyfin user to a common group and give write permissions to that group for the media folder. The problem I have is that my user is a “regular” LDAP yunohost user while jellyfin is a system user, and I couldn’t find how to add my user to a system group (e.g. jellyfin or multimedia), or add the jellyfin user to a LDAP group (e.g. jellyfin.admin).

I usually use adduser or usermod to edit group members, but these commands don’t seem to be available on yunohost. Of course the webadmin only sees LDAP users and groups.

Is my solution at all possible, or how would you solve this?

Thanks!

Yes they are, but there’s a common “issue” (not related to yunohost specifically) that /usr/sbin (or similar path) may not be available in the $PATH variable by default.

So maybe run sudo su to become root (though not 100% sure that prevents the path issue)

I’m not sure adduser/usermod works on LDAP entities though

Jellyfin on YunoHost is already set to belong to the multimedia group and to access multimedia directories in /home/yunohost.multimedia/share or /home/yunohost.multimedia/$user with read and write rights. You can scp directly into these directories.

If you want to use another directory, I would advise you to set ACLs to give rights to the multimedia group:

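MEDIA_GROUP=multimedia
source_dir=/your/directory/here
# Access ACL: -R recursive, -L follow symlinks, -n do not recalculate the mask
setfacl -RnL -m g:$MEDIA_GROUP:rwX,g::rwX,o:r-X "$source_dir"
# Default ACL entry for the group, inherited by files and directories created later
setfacl -RnL -m d:g:$MEDIA_GROUP:rwX,g::rwX,o:r-X "$source_dir"
# Set the mask to rwx so it does not cut down the group entries above
setfacl -RL -m m::rwx "$source_dir"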

(adapted from there)

Oh OK! I thought about a PATH issue, but didn’t check :man_facepalming:
And you’re right, interestingly logging in as root with su doesn’t bring /usr/sbin to the PATH, but sudo su does. Maybe some convoluted way of forcing root to specify the whole path of the command for sensitive ones :thinking:

Anyway, this was sorted out: I was able to add my user to the multimedia group and it works just fine. Thanks!


Then there must have been some problem when installing the multimedia folders or jellyfin. On my server, the folders belong to root:root, and I could not scp into it and jellyfin could not write to it either, until I set the group to multimedia and added myself to it. Is it better to “fix” the permissions with ACL?

The ACLs should be set (see the + after the usual rights):

# ls -la /home/yunohost.multimedia
total 24
drwxrwxr-x+ 6 root    root 4096 Oct  1 23:23 .
drwxr-xr-x  9 root    root 4096 Sep 17 00:01 ..
drwxrwxr-x+ 6 root    root 4096 Dec 18  2021 share
drwxrwxr-x+ 6 titus   root 4096 Oct  1 23:13 titus

# getfacl /home/yunohost.multimedia/titus
getfacl: Removing leading '/' from absolute path names
# file: home/yunohost.multimedia/titus
# owner: titus
# group: root
user::rwx
group::rwx
group:multimedia:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:multimedia:rwx
default:mask::rwx
default:other::r-x
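Added example, not part of the thread: the mask entry caps what a named group such as multimedia actually gets, which is why the setfacl commands above finish with m::rwx. This sketch reads getfacl output on stdin and prints the group's effective access and default rights; the function name acl_effective and the masked sample are constructed for illustration.

```shell
# Added example: effective rights of a named group, from getfacl output on stdin.
# Usage on a live system: getfacl /some/dir | acl_effective multimedia
acl_effective() {
    awk -v grp="$1" -F: '
        # Intersect a permission string with the mask, position by position.
        function mask_and(p, m,    i, out) {
            out = ""
            for (i = 1; i <= 3; i++)
                out = out ((substr(m, i, 1) == "-") ? "-" : substr(p, i, 1))
            return out
        }
        function effective(scope,    p, m) {
            p = (scope in perm) ? perm[scope] : "---"   # no entry: no rights via this group
            m = (scope in msk) ? msk[scope] : "rwx"
            return mask_and(p, m)
        }
        /^#/ { next }                       # "# file:", "# owner:", "# group:" header
        {
            sub(/[ \t]+#.*$/, "")           # drop getfacl "#effective:" annotations
            if (NF < 3) next
            scope = "access"; k = 1
            if ($1 == "default") { scope = "default"; k = 2 }
            if ($k == "group" && $(k + 1) == grp) perm[scope] = $(k + 2)
            if ($k == "mask") msk[scope] = $(k + 2)
        }
        END {
            a = effective("access"); d = effective("default")
            print "access=" a " default=" d
            exit ((a ~ /^rw/ && d ~ /^rw/) ? 0 : 1)   # non-zero unless both allow read+write
        }'
}

# getfacl output quoted in the thread (header lines omitted).
SAMPLE_OK='user::rwx
group::rwx
group:multimedia:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:multimedia:rwx
default:mask::rwx
default:other::r-x'

# Constructed sample: same ACL after the access mask lost its write bit.
SAMPLE_MASKED=$(printf '%s\n' "$SAMPLE_OK" | sed -e '4s/rwx/r-x/' -e '2,3s/$/  #effective:r-x/')

printf '%s\n' "$SAMPLE_OK" | acl_effective multimedia          # access=rwx default=rwx
printf '%s\n' "$SAMPLE_MASKED" | acl_effective multimedia || echo "group cannot write"
```

In the masked sample the group:multimedia entry still reads rwx, but the effective access right is r-x, so a plain look at the entry alone would miss the problem.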