When to use the apps user / Should I make app-specific users?

On TrueNAS, I’m given to understand you should just grant ACL modify permissions to the apps user for 99% of directories needed by Docker apps.

Wouldn’t it be more secure to make individual or batched users, e.g. make a servarr user to manage all my Servarr media folders and configs? That way, if Sonarr were infected by malware, it couldn’t mess up my Nextcloud configs, since they’d be owned and controlled by nextcloud?

Is this not generally done because it’s that bad of an inconvenience, or does the way Docker handles volumes mean only filesystems mounted in an infected container are at risk? Or did I just get the wrong idea, and I should be doing it the way I have in mind?

I believe there is already an apps user that allows apps access to directories with the apps user permission applied, so you shouldn’t need to apply apps to each user, but you can add users and add them to the directories which store apps data.
Bear in mind that permissions can be inherited, so if you set the apps permission at the root of the tree it will trickle down to all subfolders.
I have set up my pool with a Configuration directory where I put all the config data for individual apps, one per app.
So:
Pool->Configuration->Jellyfin->Config
…->Jellyfin->Media
Pool->Configuration->Pihole->Config
…->Pihole->DNSMasq
So the Configuration dataset has the apps permission, which trickles down, and, for example, you can give users access of various types to where the Media folder is so they can add and possibly edit movies etc., but even if they don’t have access, Jellyfin will still let users watch video because it uses the apps permission to do so.

Hope this helps… it works well on my systems.