@chickenzown
Yes, I’m doing it too. But do take note that the WDMyCloud is underpowered; if you have a power user using too many heavy CGIs, it will slow down everyone.
There are two ways. One is chroot, but this requires lots of changes and you’ll need to mount the user’s home path accordingly in the chroot environment. I shall not elaborate on this, as you’ll of course need to set up chroot beforehand.
The other is to sync with the existing layout:
You’ll need to declare each user’s home dir, e.g. in /etc/passwd (avoid editing it directly using vi/nano, see next):
username:x:999:1000:Full Name,,,:/home/Username:/bin/bash
I believe the default home path is /shares. Mine’s changed so that /home is a symlink to /shares, but you can set them as /shares/Username too. Note the home path is case sensitive.
To add or edit use (don’t use -m switch (move existing path to new) for below):
usermod -d /shares/Username username;
Or (vi basics: [INSERT] to edit, [ESC]+[:]+[wq] to write & quit):
vipw;
For access, depending on what kind you wanna give, i.e. SFTP, forward port 22 on your router to the WDMyCloud, edit /etc/ssh/sshd_config, then reload with “service ssh reload”:
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
# To avoid internet attacks, I advise setting the above to "PermitRootLogin without-password", then set up RSA/DSA passwordless logins for root.
StrictModes no
#AllowUsers root
Next is to create and activate the new nginx for each user. Similar to my OwnCloud guide:
nano /etc/nginx/sites-available/Username;
# Copy from my OwnCloud guide.
# Main point is to change "root" to the user's www or html path, below assuming there's a www sub-dir to place all the cgi/htmls eg.:
# root /shares/Username/www
# Get the user a dynamic DNS, set it to "server_name".
cd /etc/nginx/sites-enabled;
ln -s ../sites-available/Username Username;
service nginx reload;
With the above pointers, users can now SSH or FTP into the WDMyCloud, place CGI/HTML files like /shares/Username/www/index.html and access them via http://username.freedns.com/. If you have a personal domain which supports wildcards, this is even better. With this you can just set up one nginx dynamic config, set the “server_name” as “_” default to catch all requests, then do an internal rewrite based on the hostname request to the user’s www path. There are several ways to achieve this depending on how you want it. You can separate each user’s config or use an all-in-one config as described above for wildcard domains. You can also have several “server_name” directives in one config for each user.
Note that when some user runs a CGI, any created files will be owned by “www-data” since php-fpm/perl-fcgi is running as the “www-data” group, which could cause those users to be unable to access their own created files, as users belong to the “share” group. You can create a different set of php-fpm/perl-fcgi pools running as the user/group, but this will consume lots of memory, which is bad for our NAS. My workaround is to set the umask as 0006 for the CGIs and set a sticky “www-data” gid for the www sub-dir. This ensures files created by CGIs like php-fpm or perl-fcgi will always be accessible to the user.
Umask 0006 (default is 0022):-
File=rw-rw---- (660)
Dir=rwxrwx--x (770)
Add the umask where php-fpm starts:
nano /etc/init/php5-fpm.conf;
...
# Add umask before daemon starts
umask 0006
pre-start exec /usr/lib/php5/php5-fpm-checkconf
...
Add the umask where perl-fcgi starts:
nano /etc/init.d/perl-fcgi;
...
# Add umask before daemon starts
umask 0006
PATH=/sbin:/usr/sbin:/bin:/usr/bin
...
Then for each user’s “www” sub-dir, make sure it’s a “www-data” group and set it to sticky gid:
chown -R :share /shares/Username/www;
chmod g+s /shares/Username/www;
Then for each user, add them to the “www-data” group:
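# usermod, not useradd: the user already exists. -a appends to the existing supplementary groups.
usermod -a -G www-data username;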
To prevent users accessing the Public shares, there’s a known hack how to do this. Not sure if it still works for newer firmwares, look for it. My way is to edit them manually:
sqlite3 /usr/local/nas/orion/orion.db;
update UserShares set public_access='false' where share_name='Public';
.quit
Then login to the WDMyCloud Dashboard and set the permissions manually for those who can access the Public shares.
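To check what the umask and setgid settings described in the post produce before applying them to a real share, the script below is an added example, not part of the original post. It assumes Linux with a stat that supports -c; the gid 33, the file names and the temporary directory are constructed for the test.

```shell
#!/bin/sh
# Added example: observe what "umask 0006" plus "chmod g+s" give on a
# throwaway directory. Assumes Linux with a stat that supports -c.

# Last three octal digits of a path's mode (drops the setgid digit).
perm3() {
    stat -c '%a' "$1" | sed 's/.*\(...\)$/\1/'
}

# $1 = umask to test. Prints "<file perms> <dir perms> <yes|no>", where the
# last field says whether new entries inherited the directory's group.
umask_demo() {
    www=$(mktemp -d) || return 1
    # Constructed gid 33 stands in for www-data; only root can switch to it,
    # so fall back to the current group when chgrp is refused.
    chgrp 33 "$www" 2>/dev/null || true
    chmod g+s "$www"
    (
        umask "$1"
        : > "$www/upload.txt"      # created with 0666, like a CGI writing a file
        mkdir "$www/cache"         # created with 0777
    )
    want=$(stat -c '%g' "$www")
    if [ "$(stat -c '%g' "$www/upload.txt")" = "$want" ] &&
       [ "$(stat -c '%g' "$www/cache")" = "$want" ]; then
        inherited=yes
    else
        inherited=no
    fi
    echo "$(perm3 "$www/upload.txt") $(perm3 "$www/cache") $inherited"
    rm -rf "$www"
}

umask_demo 0006    # the post's setting
umask_demo 0022    # the default the post mentions
```

Directories created under umask 0006 keep the execute bit for others, so "other" accounts can still traverse them even though files come out group-only.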