I would like to propose adding a feature to the “Users and Groups” app that allows the creation of custom groups. Currently, some apps like the Sharing app let you select which groups have access to shares, but only from predefined system groups. Adding the ability to create and manage custom groups within the “Users and Groups” section would enhance the flexibility and granularity of server administration.
For example, imagine hosting accounts for family and friends on a FreedomBox. With custom groups, I could create a group specifically for family members. Then, shares could be restricted to this family group only, without relying on default system groups. This would simplify managing access and tailor it to unique social or organizational needs.
This feature would empower admins to set up more personalized and secure access controls directly through the web interface, improving usability and collaboration on the server.
I’ve been thinking about this too. I think that we may need ACL. Something like create a group with ACL allowing a user to upload photos from a mobile device with syncthing and then move them to zoph upload folder by a script.
ACL could allow the user account to do such a thing where groups would not work.
The piece I am on is one-way sync to copy pictures to freedom box and remove the original from the mobile device. But getting these into zoph not as root is a next planned step. ACL solves this, but I am not expert in ACL yet.
That’s a very interesting use case. I’ve read your guides on Zoph, and I’m currently setting up a second FreedomBox for testing. I plan to try Zoph using your instructions.
I’m not very familiar with Access Control Lists (ACLs), so I’m not sure if they fully address my use case. I’ve encountered some friction with the Sharing app when I create shares for users on my server but want to restrict access so they cannot see shares meant only for my family.
My suggestion to add custom groups in the “Users and Groups” app was because it seemed like a simpler approach to implement. I also wanted to gauge whether other users might find this helpful for managing access in similar situations.
Either way, it’s great to brainstorm and exchange ideas about possible solutions.
Another use case: a centralized folder for the freedombox-share group, but where no one can modify what others have shared. This would be an intermediate situation between “everything for everyone” and “only for one”. I did not add ACLs, but rather the sticky bit (restricts in favor of the user) and the setgid bit (enables in favor of the group).
I’m testing it out. It’s not yet as automatic as I want it to be, and I need to review the security.
I’m curious if you’ve thought about how this setup might be integrated or managed through FreedomBox’s web UI in the future. Having this kind of permission control more accessible via the web interface would be a great addition for admins who prefer not to manage permissions via command line.