Is it bad to set ACL to @Everyone Full Control

Hi!

I am new to TrueNAS, and have been having constant trouble with app permissions. I have never heard anybody mentioning their data leaked or disrupted due to malware; and I am the only human user on this machine. Is it okay to set @Everyone Full Control for all the datasets?

Best,
Allen

This is kinda counterintuitive.

Just because you have never heard of a data leak from TrueNAS does NOT mean that:

  1. It has never actually happened - most leaks are not known about by the data owner, and most data leaks that are discovered are not reported or publicised.

  2. Security settings are unimportant.

In the end, it will depend on what data you are holding, and the security of the network you are running it on.

  1. What are the consequences of your data leaking? If the data you are holding is already all public data (e.g. copies of Wikipedia), then there is actually no privacy to lose if someone hacks in and takes a copy. But if the data holds personal information that you don’t want to be known to fraudsters (who can use it to e.g. make fraudulent transactions on your credit card or impersonate you using your SSN to empty your bank account), then the consequences of data loss can be much greater.

  2. What are the risks? If your TrueNAS server is on a wired-ethernet network that is NOT connected to the internet and in a physically secure location, the risks of data being exfiltrated are probably very small because someone will require physical access inside the building in order to plug into the network. If your network is internet connected (so someone can potentially hack through your router / firewall) or if you have wifi (so that someone sat outside can hack in), the risks are bigger. If (for any reason) you have opened ports from the internet to your TN server, the risks are much much much greater.

  3. Do you have intrusion detection? If someone does hack in, how will you know?

My own advice is that “an ounce of prevention is worth a ton of cure”, i.e. for the sake of a bit of a learning curve to get the ACLs right, do set security to restrict access to the minimum you need. (There will still be enough risks remaining to keep you worried if someone gets hold of your user name / email address and password (which you may not have changed for decades and which you might use to register on web sites).)

It’s important to note that everyone@ maps to Other in the conventional UGO representation of permissions. Doing this is roughly equivalent to setting permissions to 777. Depending on the circumstances (if aclmode isn’t set to RESTRICTED for instance), chmod() by an application will basically undo it for a given file. For that matter, if the umask of the application is such that files are created with 755 permissions then the newly-created file will have a mode that represents the umask rather than 777. This means you’ll probably end up spending considerable time trying to track down permissions issues or wondering why applications don’t have access and repeatedly running recursive permissions changes.

TL;DR, you’re creating a headache for yourself and should probably just set permissions properly. For example, it’s not that hard to just grant the GROUP builtin_users FULL_CONTROL or MODIFY, which makes it so that all user accounts created on the NAS can read, write, modify in the dataset.

1 Like
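
An added illustration (not part of the thread) of the mode-bit behaviour described in the reply above: a directory opened up to 777 does not make the files an application creates or chmod()s inside it world-writable, and a small audit walk finds the entries that have drifted. It uses a temporary directory on an ordinary POSIX filesystem as a stand-in for a dataset; the file names and the 022 umask are constructed for the example, and ZFS NFSv4 ACL handling (aclmode) is not modelled.

```python
import os
import stat
import tempfile


def other_bits(path):
    """Return the 'other' permission triplet (0-7) of path's mode."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o007


def simulate_app_writes(root, app_umask=0o022):
    """Create files the way a typical app would inside a 777 directory."""
    os.chmod(root, 0o777)               # stands in for everyone@ full control
    old = os.umask(app_umask)           # the app's umask, not the dataset's
    try:
        created = os.path.join(root, "created.db")      # constructed name
        # Apps commonly request 0666; the kernel masks it with the umask.
        os.close(os.open(created, os.O_CREAT | os.O_WRONLY, 0o666))
        private = os.path.join(root, "secret.key")      # constructed name
        os.close(os.open(private, os.O_CREAT | os.O_WRONLY, 0o666))
        os.chmod(private, 0o600)        # explicit chmod() by the app
    finally:
        os.umask(old)
    return created, private


def find_diverged(root):
    """List entries under root whose 'other' bits are no longer rwx / rw-."""
    diverged = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            want = 0o007 if os.path.isdir(path) else 0o006
            if other_bits(path) & want != want:
                diverged.append(os.path.relpath(path, root))
    return sorted(diverged)


def demo():
    with tempfile.TemporaryDirectory() as root:
        created, private = simulate_app_writes(root)
        return {"dir": other_bits(root),
                "created": other_bits(created),
                "private": other_bits(private),
                "diverged": find_diverged(root)}


if __name__ == "__main__":
    print(demo())
```

Both files end up outside the "everyone can write" intent even though the parent directory is still 777, which is the drift that leads to repeated recursive permission resets.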

Good to know. Thank you all for your input and after setting all datasets to full control for everyone, the immich app still fails to start and gets stuck on deploying. I then made empty folders for everything for another immich instance, which also got stuck forever on deploying. I will get a separate PC for apps.