I’ve just realized that in older CORE tutorials I watched, the tutorial creators often changed the owner of a newly created dataset away from root/wheel to another real user on the system plus whatever groups were needed to control the ACLs (but not wheel, of course).
I internalized that, and even in SCALE I’ve been assigning my non-root Full Admin account as the owner of datasets I create, with whatever groups I need added to control permissions via ACL.
Putting aside for the moment that there’s an exception to every rule, is there a good reason to actually change the owner of a newly-created general purpose dataset away from root, so long as the group-based permissions are set correctly? Just allowing root to own everything would make actually managing my datasets a lot more straightforward.
If it’s fine to allow root to own things, I suspect the older tutorials were written as they were because of BSD-specific concerns.
In my opinion, no. Many tutorials I’ve seen are created by people who actually know very little about how permissions work. There is absolutely nothing wrong with having root own that particular path.
Once files have been written by various users and clients in a multi-user environment, it’s generally not a good idea to recursively chown. The ownership of files can act as a fingerprint for determining who created them (it’s useful for admins).
Luckily, I don’t have many datasets, and I’m the only human user of my system. (Right now, the only accounts are the default admin account, me, and an account for Proxmox to access shares over NFS.)
The only files I need to mess with the ownership on already belong to me, so I should be able to fix this without too much trouble.
That’s why I wanted to make sure I had it right now, before things started getting more complicated.
I’ve standardized the ACLs on my datasets that don’t have special requirements as follows.
root owns them (Full Access);
Users who need read/write access are included in groups that have Modify access.
The builtin group builtin_administrators has Full Access. Right now, the only admins in that group are me and the built-in admin accounts that were set up when the system was installed.
I’m pretty sure I don’t need the permission for builtin_administrators, but I wanted it in case something happened (somehow) to my personal admin account.
I’m not saying this is the One Best Way to Do It®, but I think it will work for most of my general purpose datasets.
For anyone else who is just starting out and finds this later, remember that special purpose datasets will need different permissions.
For example, the dataset where my home directories live for my TrueNAS login accounts with home directories doesn’t use ACLs at all, and uses regular Unix permissions. (I didn’t come up with this; I stole it from someone else’s working config.)
My non-root user johntdavis has a home directory in that dataset that I can write data into, so there’s some behind-the-scenes stuff going on with TrueNAS to make that work when you designate a user’s home directory as living in that dataset.
Even though I, as “Other”, only have read/execute permissions, I still own my home folder and everything in it.
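The reply above notes that file ownership acts as a fingerprint of who created what, so a read-only inventory is worth taking before any ownership change on a dataset. The following is an added example, not part of the original thread; the function names are hypothetical, and it assumes it is run with enough privilege to read the whole tree.

```python
import os
import sys
from collections import Counter


def ownership_inventory(root):
    """Tally (uid, gid) for every entry under root; changes nothing on disk."""
    top = os.lstat(root)
    counts = Counter()
    unreadable = []
    skipped_mounts = []

    def on_error(exc):
        unreadable.append(exc.filename)

    for dirpath, dirnames, filenames in os.walk(root, onerror=on_error):
        keep = []
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink is counted as itself
            except OSError:
                unreadable.append(path)
                continue
            if st.st_dev != top.st_dev:
                # Different filesystem: a child dataset mounted below root.
                skipped_mounts.append(path)
                continue
            counts[(st.st_uid, st.st_gid)] += 1
            if name in dirnames:
                keep.append(name)
        dirnames[:] = keep  # do not descend into child datasets
    return {"top_owner": (top.st_uid, top.st_gid), "counts": counts,
            "unreadable": unreadable, "skipped_mounts": skipped_mounts}


def creators(inventory):
    """Owners other than the dataset's own owner, i.e. who wrote data here."""
    top_uid = inventory["top_owner"][0]
    return {pair: n for pair, n in inventory["counts"].items() if pair[0] != top_uid}


if __name__ == "__main__":
    inv = ownership_inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("dataset owner uid:gid", inv["top_owner"])
    for (uid, gid), n in sorted(inv["counts"].items()):
        print(f"{n:8d}  uid={uid} gid={gid}")
```

Saving this output before and after a permissions change gives a record of which accounts had written into the dataset.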