TrueNAS Scale Dragonfish and "builtin_users": Default Dataset Permissions Question

I think this is one of those things where I’m expected to customize access to my datasets to suit my needs, but before I go mucking around with the default permissions, I wanted to get a sanity check. :slight_smile:

I’ve noticed that when I create new users, they get assigned to the builtin_users group as an auxiliary group. My feelings about that group being poorly named aside (none of the actual users built into the system are members), I suppose if I think of bultin_users as all that I have manually created, that makes sense.

But, when I create a dataset, builtin_users has modify rights. This seems too permissive, as by default it gives every user I create access to every dataset I create, with the power to wipe out any data that doesn’t require admin or root access.

Is there a reason needs to be like this? Or is TrueNAS, by default, just making it extremely easy for any user to get access to any dataset?

  1. If it’s the former, I don’t understand something about how TrueNAS works; but
  2. If it’s the latter, I think I’m fine to drop builtin_users from my permissions, as I’ve been using my own groups to set up more granular access.

Thanks for tuning into another episode of I’m pretty sure I’m blundering again. :wink:

Tom has a good video on this topic. This might help you.

2 Likes

Thanks! This is a great tutorial (like all of Tom’s videos :wink: ), and I’ve watched it before, but the part about the builtin_users managed to pass through my ears without sticking in my brain. Sigh.

(I think it’s definitely helpful to follow along with the tutorial in TrueNAS to help it stick, or, as I’ve started doing, watching it once without doing anything, and then watching it again while following along.)

For the dataset settings, I also appreciate the reminder that you can change the ACL type and other options later; the official docs gave me the false impression I needed to get it right the first time, or else bad things would happen. Then again, I’m still getting used to the idea that data exists separately and safely isolated from complex permissions (after all, you can strip the ACLs and nothing terrible happens to your stuff).

[@3:21] “By default the users you create all are part of the builtin_users, so they’ll have permissions…”

This is the key thing I wanted to confirm. :slight_smile: If builtin_users/builtin_admins are just lists of users I have created (and also root and admin for the second group), then there’s no harm in pulling builtin_users from dataset ACLs where I don’t want them.

What got me so confused at first was that I was reading builtin_users as “users built into Linux or TrueNAS,” and assumed they included all the built-in users that help manage services like SMB. I made this assumption before I realized how easy it was to go look at the group member lists, and then kind of forgot to double-check after I discovered that feature. Oops. My fault for trying to learn too many things at once. :wink:

(I really do wish both the builtin_administrators and builtin_users groups didn’t use the word “builtin.” Maybe it’s just me, but that doesn’t seem intuitive at all: users that I create aren’t “built in.” I might suggest to iX they consider changing the names for future releases so it’s a little obvious to new users what’s going on.)