This information is written following a question from MikeG.6.5 ...
... about access to hx-engine from outside, from the Asustor side, whether user IDs are shared or not, and access to the entire structure of the Asustor NAS
Lots of questions (but fundamental ones) ... so hereafter a short explanation (short because lots of options exist and can't all be explained here (it's not a course))
A) File system structure and sharing folders between the Asustor side and the hx-engine side:
=== ALL is based on understanding what a chroot is
A Linux box (like an Asustor NAS) has a SINGLE file structure based on a root folder: /
... ALL sub-folders can be:
... ... directly on the real file system on the same disk
... ... a "mounted file system"
... ... ... a mounted file system is an internal or external disk, an internal or external partition, a network resource (NFS, SSHFS, CIFS (Windows share), etc.), etc.
... ... ... each of them is "mounted" (attached to a folder in the original Linux file system: /)
... ... ... SO for ex. in Asustor ... the RAID md0 (2GB) is mounted on (so accessible via) /volume0, the RAID md1 (largest part of the disk) is mounted on /volume1
... ... ... specific mounts exist, for example to create a second access path to the same existing folder
... ... ... SO for ex. in Asustor ... the folder /volume1/Public is also mounted on /share/Public
THE BIG advantage of "mount" compared to other methods like links, etc. is that Linux considers the data as local (so manages access rights, etc. as local) as if it were on the "real" disk ...
OK ... now we can continue with hx-engine
hx-engine is a chroot ... a sort of jail, and as its name (chroot) says, it is to "CHANGE THE ROOT FOLDER"
... so when you enter hx-engine ... the "/" you see IS NOT the "/" of the Linux box ... it's a NEW ONE with a similar structure (/bin, /etc, /usr etc.)
... in the chroot (if you don't use specific tools)
... ... YOU DON'T have access to the real / and its subfolders (ex. hx-engine's new / is /usr/local/AppCentral/hx-engine/my_asustor) and see ONLY what is visible in your NEW ROOT FOLDER
BUT a chroot shares (by construction) some parts with the host (the system where it runs, here the Asustor NAS)
... it shares the kernel and kernel modules ... so if you want to use new modules in a chroot (hx-engine) you MUST create them and load them in the host (Asustor NAS)
... it shares the network ... so it has the SAME IP address and CAN'T USE TCP or UDP ports ALREADY in use in the host (Asustor NAS)
BUT a chroot DOESN'T share ... users (except root and some identical system users) ... services (dbus, udev, etc.) ... servers running in the NAS (but after entering the service some access can exist from NAS to chroot) like ssh server, web server, etc.
Question (from Mike):
Can I access ALL data of the NAS?
Response:
YES and NO (a good response, isn't it?)
from the host (Asustor NAS) you can open visibility of a folder in the NAS to the chroot; it's done by "mounting" an existing folder in the NAS onto an existing folder in the chroot (it's a bind mount)
so for ex. I can mount /share/Public to a folder in the chroot ex. /usr/local/AppCentral/hx-engine/my_asustor/share/Public (YOU CAN SEE that it's a view from the NAS Linux point of view)
the target folder MUST exist
hx-engine has an auto-mount mechanism based ONLY on FOLDERS available in /share (NAS) ... it's a list of folders that can be added, edited, removed from the hx_manage tools
hx-engine also provides another shell script (other_mount.sh) to add OTHER folders (not from /share ...)
BUT REMEMBER not to create a loop ... for ex. if you mount /volume1 in the chroot (to have ALL the disk) ... you create a loop because hx-engine is already in /volume1 ... so errors can appear ...
Question:
Is using /share in the chroot mandatory?
Response:
ABSOLUTELY NOT ... I use /share in the chroot to mount the NAS /share folder, to keep the same visibility for the user ...
Question (from Mike):
... THIS question is about user management ... and by nature ... access rights to the files ... So, saying that, let me give some parameters with bogus passwords and such, and if you don't mind, Philippe, would you give the command line and tell me whether it is run in the terminal in HDMI or run in a WinSCP terminal window.
Example: UserID: admin Password: testing_access <--- exists in the ADM Access Control
UserID: Stupid_idiot Password: TooDumbToFigureitout <--- Does NOT exist in ADM Access Control
In Terminal (winSCP) I type what?
In HDMI hx_engine I type what?
Response:
YOU MUST understand that users on the Asustor side ARE managed in a TOTALLY different way than users in the chroot hx-engine
each side has a private /etc/passwd (list of users), /etc/group (available groups), /etc/shadow (encrypted passwords)
THE ONLY common users (at the start) between NAS and hx-engine (chroot) are root (real) and all the system users (if they use the default UIDs)
YOU MUST remember that users don't really exist ... it's just a name ASSOCIATED with a UID (User ID) ... same for groups
... so for ex. the admin user on the NAS side (UID 99) doesn't exist in the chroot even though it uses a UID < 100, so normally reserved for system users ... the same for ALL (non-system) users existing in the NAS: they DON'T exist in the chroot
WHEN you are connected to the NAS ... on a console ... you can switch INSIDE the chroot ONLY as root (or from root to a user)
WHEN you use a service (ex. ssh) in the NAS ... you can ONLY use users defined IN the NAS
IF you use another service started IN THE CHROOT (like another ssh server with a different TCP port) ... you can use ONLY users defined in the chroot
examples:
you are connected as root in the NAS; then you use hdechrt or hx_manage enter ... you switch to the chroot as the root user
you are connected as admin in the NAS; then try using hdechrt ... you get an error ... admin, like ANY other USER, is NOT AUTHORIZED to use chroot
you are connected as root in the NAS; then use chroot (Entware version) with other_user:group (target other_user defined IN the chroot) ... you switch to the chroot as other_user
you are connected (via another server) in the chroot ... you can use ANY (chroot) user BUT don't have any view of the NAS part (except mounted points ... as explained before ...)
Solution:
from NAS to chroot (hx-engine)
... use root to log in to the NAS; then hdechrt to switch to the chroot ... then su - user to switch to a specific chroot user
... use root to log in to the NAS; then use chroot from Entware with user:group ... to switch to a specific chroot user
Directly in the chroot
... start a service (ssh server) and connect to it (using WinSCP, PuTTY, etc.) on the different port ... then use ANY chroot (hx-engine) user
To start a (pre-defined) shell in the chroot from the NAS
1) use
chroot command args
or
hdechrt command args
UNDERSTAND that chroot DOESN'T SET UP THE WHOLE ENVIRONMENT ... so best is that command = a script with a shebang that sets the environment needed.
... also the script can switch (using su) to any user to start a specific service under that user
or
/opt/bin/chroot --userspec=USER_in_chroot:GROUP_in_chroot command args ... so command is executed under the USER_in_chroot user inside the chroot
2) use
myserv ... an exchange server between NAS and hx-engine (chroot) AND THE REVERSE ... (another post will be written)
Another way is to create a clone of the NAS user in the chroot ... so UID and groups are the same ... so access rights are also the same
THE INTEREST is to get access to files and folders based on access rights (real access is managed through UID and GID, not on the name ... which is only a "facility" for usage ...)
example ... create an admin clone in the chroot (admin has UID = 99 (so < 100 ... so considered a system user) ... for a "normal" user just delete the --system argument)
log in as root in the NAS ... enter as root in the chroot: (for info, the id of admin is: uid=999(admin) gid=999(administrators) groups=100(users),999(administrators))
hdechrt
THEN create group administrators
addgroup --system --gid 999 administrators
THEN add the user admin
adduser --system --home /home/admin --shell /bin/bash --uid 99 --gecos "Admin clone" --ingroup administrators admin
THEN add admin user to "users" group (as in NAS)
adduser admin users
THEN add a password (same or different)
passwd admin
... NOW the user admin exists with the same UID/GID as in the NAS, so the same access rights ...
verify:
exit the chroot
exit
switch to the admin user (from the NAS root user) in the chroot (hx-engine)
Code:
# /opt/bin/chroot --userspec=admin:administrators /usr/local/AppCentral/hx-engine/my_asustor /bin/bash
admin@AS5002TaPhil:/$ id
uid=99(admin) gid=999(administrators) groups=999(administrators),100(users)
admin@AS5002TaPhil:/$
hx-engine pre-defined users use UID 65000 and above ... so they can't conflict with your own ...
3) use the HDMI screen
The HDMI screen is INSIDE THE CHROOT ... so it can see ONLY
... shared resources mounted from the NAS in the chroot
... switch to users defined in the chroot
... use the myserv exchange server to start some shell scripts on the NAS side
... THE USER (default: astuser) CAN BE CHANGED to an existing user if you want ...
... ... 1 as before, CREATE the user in the chroot with the SAME characteristics (if needed) as defined on the NAS side
... ... 2 stop the desktop using hx_manage (or disable hx-engine)
... ... 3 change the user used for the desktop HDMI screen using hx_manage
... ... 4 restart the desktop (so everything is created as a new desktop ... so you may have to set the settings as you want); when it proposes, use the default desktop (easier compared to an empty desktop)
Philippe.
NB: feel free to comment, add remarks ... or say "this part is NOT understandable ... so rewrite it" ...
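The two procedures in the post (bind-mounting a NAS folder into the chroot without creating the /volume1 loop, and cloning a NAS user into the chroot with the same UID/GID) as one added shell example. This is not hx-engine's own code nor Philippe's: the chroot root is the path quoted in the post, the resolved /volume1 paths in the comments and tests are constructed, the optional passwd/group file arguments exist only so the logic can be exercised without a NAS, the `/proc/mounts` check is an assumption, and the `addgroup`/`adduser` flags are Debian's as used in the post. `bind_share` must run as root on the NAS side.

```shell
#!/bin/sh
# Added example (not part of hx-engine). Helpers for the two manual procedures
# in the post:
#   would_loop / bind_share : expose a NAS folder inside the chroot via a bind
#                             mount; refuse a missing target and the loop that
#                             appears when SRC contains the chroot itself
#   clone_user_cmds         : print the addgroup/adduser/passwd commands that
#                             recreate a NAS user in the chroot with the same
#                             UID, primary GID and supplementary groups
# Chroot root as given in the post; CHROOT_ROOT in the environment overrides it.
CHROOT_ROOT="${CHROOT_ROOT:-/usr/local/AppCentral/hx-engine/my_asustor}"

# would_loop SRC ROOT -> status 0 when SRC is "/" or equals/contains ROOT, i.e.
# bind-mounting SRC into the chroot would nest the chroot inside itself.
# Both paths are expected to be already resolved (readlink -f).
would_loop() {
    src="${1%/}"
    root="${2%/}"
    if [ -z "$src" ]; then return 0; fi     # "/" contains everything
    case "$root/" in
        "$src"/*) return 0 ;;               # /volume1 matches /volume1/..., not /volume10
    esac
    return 1
}

# bind_share NAS_PATH [ROOT] -> bind-mount NAS_PATH onto ROOT/NAS_PATH, the
# layout the post uses (/share/Public -> .../my_asustor/share/Public).
# Run as root on the NAS; the target folder must already exist in the chroot.
bind_share() {
    nas_path="$1"
    root=$(readlink -f "${2:-$CHROOT_ROOT}")
    [ -d "$nas_path" ] || { echo "bind_share: $nas_path does not exist on the NAS" >&2; return 1; }
    src=$(readlink -f "$nas_path")          # /share/Public and /volume1/Public are the same data
    target="$root$nas_path"
    [ -d "$target" ] || { echo "bind_share: $target must exist in the chroot first" >&2; return 1; }
    if would_loop "$src" "$root"; then
        echo "bind_share: refusing $nas_path, it contains the chroot itself ($root)" >&2
        return 1
    fi
    if grep -qs " $target " /proc/mounts; then   # assumption: target appears verbatim in /proc/mounts
        echo "bind_share: $target is already mounted" >&2
        return 0
    fi
    mount --bind "$src" "$target"
}

# clone_user_cmds NAME [PASSWD_FILE] [GROUP_FILE] -> print the commands to run
# as root inside the chroot to clone NAS user NAME. Reads the NAS /etc/passwd
# and /etc/group by default; the file arguments are for testing. As in the
# post, a UID below 100 gets --system. Each group is created only if the chroot
# does not already have it (Debian ships "users" as GID 100, for example).
clone_user_cmds() {
    name="$1"; passwd_file="${2:-/etc/passwd}"; group_file="${3:-/etc/group}"
    entry=$(awk -F: -v u="$name" '$1 == u { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then
        echo "clone_user_cmds: no NAS user named $name" >&2
        return 1
    fi
    IFS=: read -r _n _p uid gid gecos home shell <<EOF
$entry
EOF
    pgroup=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group_file")
    [ -n "$pgroup" ] || pgroup="$name"
    sys=""
    if [ "$uid" -lt 100 ]; then sys="--system "; fi
    echo "getent group $pgroup >/dev/null 2>&1 || addgroup ${sys}--gid $gid $pgroup"
    echo "adduser ${sys}--home $home --shell $shell --uid $uid --gecos \"$gecos\" --ingroup $pgroup $name"
    # supplementary groups: every NAS group whose member list names the user
    awk -F: -v u="$name" -v pg="$pgroup" '
        $1 != pg {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) {
                    print "getent group " $1 " >/dev/null 2>&1 || addgroup --gid " $3 " " $1
                    print "adduser " u " " $1
                }
        }' "$group_file"
    echo "passwd $name"
}
```

Typical use on the NAS as root: `clone_user_cmds admin` prints the same addgroup/adduser/passwd sequence the post types by hand; paste it inside the chroot after `hdechrt`. `bind_share /share/Public` replaces the manual mount once `share/Public` exists below the chroot root, and `bind_share /volume1` is refused because the resolved chroot root lives under /volume1.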