User and folder rights? App can't access user folders

Hello!

I installed SABnzbd from the AUR and the Arch Wiki says I can start it with “sabnzbd.service”.
It worked, I managed to start it, but when I try to change download folders in the web menu, I can’t access my user’s folders like ~/Downloads. I can’t select my home directory.

It also tells me to “Add users to the sabnzbd user group to allow read/write access to SABnzbd files.”
I did that and I hoped it would work after that but I still can’t choose my home directory folders.

Am I right when I assume that running the program as a global user I can’t access my user’s folders because of missing rights and the entry above just gives my user the rights to access the download folders in /var/…

The Wiki also states that I could start the service as a user by starting it as sabnzbd@myuser.service but I found some forum posts that say that this is not a good idea because the app can access all my data if I do that?

As a former Mac and Windows user I can’t wrap my head around this stuff. Could someone help me?
Is there a better way to do that besides those two options? Running as a global user it downloads everything deep into sub folders…

Did you log out and back in to a session, or reboot?

Nope.

Can you give a link, or quote of such posts?

Untrue. - I think your user might have an incomplete or broken profile in general. You could create a new user and then see if it works.

Question: You don’t have any firejail running?

Thank you for your answer!

Yes, several times.

It was late and I was trying to figure stuff out. I will look at my browser history at home.

It is just a regular EndeavourOS installation. I didn’t change anything, didn’t do any stuff after the install. It is pretty fresh and I didn’t mess around with rights other than the command above. I didn’t run into any problems with any other app I installed.
I have to admit I don’t even know what a firejail is.
I just installed EndeavourOS, NVIDIA drivers, Steam, Kitty, and stuff from the official repository. Sab is the first app I installed with the AUR. Nothing strange happened till now.

This is a choice you have to make. If you want the application to be able to access your ~/Downloads and your other user data then run the service as described above. But, of course, this will give it access to your data.

If you don’t want it to have access to your data, then you can’t expect to be able to access your ~/Downloads.

An alternative approach would be to save those files into the directory that the sabnzbd program is reading instead of saving them to downloads.

I see. So I did everything right and the difference in Linux is that a “for all users installation” has no access to a user’s data?

Is it possible to add a completely new user, let’s call him Bob, and give my current user Andy access to Bob’s personal folders but not the other way round?

Yes, the issue isn’t access to the software. All users can run the software. You are choosing to run the software as a separate user already. That provides maximum security but doesn’t let the process access your data.

If you run the process as your user, it will have access to your user’s data.

Yes. However, I don’t think you need to do that in this particular case.

Hello,

Looks like you also have to set the permissions in the configuration:

https://sabnzbd.org/wiki/advanced/unix-permissions

That is different than the OP’s issue. That is about what permissions the output files are saved with.

The OP’s issue, as I understand it, is that the process can’t access the data in the first place because it doesn’t have rights.

Correct. I was used to choosing any kind of folder I liked in Windows. We all know that Windows has a lot of security issues. So my problem was that I expected the same in Linux by running the process as a global user and the app not having access to save its downloads in my personal stuff folders under /home/andy/Downloads.

One last question, if I may ask?
I decided to keep the global solution… The thing is: I can copy the downloaded files out of /var/lib/sabnzbd but I can’t delete files there or copy files to that folder without sudo.

I did:

ls -ld /var/lib/sabnzbd/downloads

and

ls -l /var/lib/sabnzbd/downloads

to check group and file permission and got this output:

➜  ~ groups andy            
sys wheel rfkill autologin sabnzbd andy
➜  ~ ls -ld /var/lib/sabnzbd
drwxr-xr-x 5 sabnzbd sabnzbd 4096  8. Mai 18:04 /var/lib/sabnzbd
➜  ~ ls -l /var/lib/sabnzbd 
insgesamt 28
drwxr-xr-x 2 sabnzbd sabnzbd 4096  8. Mai 20:04 admin
drwxr-xr-x 4 sabnzbd sabnzbd 4096  8. Mai 18:04 Downloads
drwxr-xr-x 2 sabnzbd sabnzbd 4096  8. Mai 18:04 logs
-rw------- 1 sabnzbd sabnzbd 7024  8. Mai 18:26 sabnzbd.ini
-rw------- 1 sabnzbd sabnzbd 7024  8. Mai 18:26 sabnzbd.ini.bak

If I want Andy to be able to use these folders and its subfolders without limitations I can do:

sudo chmod -R g+w /var/lib/sabnzbd/

correct?

It is correct but that will only change the existing files.

You also need to change the setting @vazicebon mentioned above so that it creates new files with group write privs. I would set that setting to 0770.

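To illustrate the answer above (an added example, not part of the original posts and not SABnzbd's own code): `chmod -R g+w` only rewrites the mode bits of entries that already exist, while anything created afterwards gets its mode from the creating process. The sketch runs in a throwaway temp directory with constructed file names and assumes the service's umask as a stand-in for SABnzbd's permissions setting (umask 007 being the directory equivalent of 0770).

```shell
#!/bin/sh
# Constructed demo: works in a temp directory, never touches /var/lib/sabnzbd.
# Assumption: a umask stands in for SABnzbd's permissions setting.

mode_of() { stat -c '%a' "$1"; }   # GNU stat: print the octal mode

# Build a tree like the listing in the thread: 755 directories, 644 files.
make_tree() {
    ( umask 022
      mkdir -p "$1/Downloads/complete"
      : > "$1/Downloads/complete/old.bin" )
}

# Create a new job directory and file the way a service running with
# umask $2 would, then print "<dir mode> <file mode>".
new_job_modes() {
    ( umask "$2"
      job="$1/Downloads/complete/job-$2"
      mkdir "$job"
      : > "$job/new.bin"
      echo "$(mode_of "$job") $(mode_of "$job/new.bin")" )
}

demo() {
    root=$(mktemp -d) || return 1
    make_tree "$root"
    d="$root/Downloads/complete"
    echo "existing, before chmod:   $(mode_of "$d") $(mode_of "$d/old.bin")"
    chmod -R g+w "$root"           # the one-time fix from the thread
    echo "existing, after chmod:    $(mode_of "$d") $(mode_of "$d/old.bin")"
    # New downloads ignore the earlier chmod; only the creator's mask matters.
    echo "new job, umask 022:       $(new_job_modes "$root" 022)"
    echo "new job, umask 007:       $(new_job_modes "$root" 007)"
    rm -rf "$root"
}

demo
```

Deleting or adding files is governed by the write bit on the containing directory, which is why a newly created 755 job directory still needs sudo for group members even after the recursive chmod.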

Thank you!
