Automating Linux permissions using inheritance (Helps DVR)

server-linux-tips

#1

Linux has a very powerful and convenient way of automatically setting the permissions of your media files as you add more to your media directories.

Linux allows only one user and one group to own a file, which is somewhat of a restriction, but group ownership can easily be leveraged to accomplish what is needed for Plex.

An excellent application of this is when you wish to record with Plex DVR, allowing it to write directly into your library, while you retain full permission / control of your media.

To accomplish this, we use what is known as the ‘setgid’ (Set Group ID) bit (flag). While this can be used for either the owner or the group, the group inheritance will be shown here. Applying the ‘setgid bit’ flag should only be done on the filesystem containing the actual data. It cannot be reliably implemented over the network or through a VM layer.

Consider the following example:

[chuck@lizum /tmp.126]$ mkdir inherit
[chuck@lizum /tmp.127]$ mkdir 'inherit/movie (year)'
[chuck@lizum /tmp.128]$ touch 'inherit/movie (year)/movie (year).mkv'
[chuck@lizum /tmp.129]$ ls -la inherit
total 0
drwxr-xr-x.  3 chuck chuck  60 Jul  4 13:51 ./
drwxrwxrwt. 21 root  root  520 Jul  4 13:51 ../
drwxr-xr-x.  2 chuck chuck  60 Jul  4 13:52 movie (year)/
[chuck@lizum /tmp.130]$

Automate granting user plex access to anything written into your media library regardless of the original permissions

A. Grant permission outright at the topmost level for everything below it

[chuck@lizum /tmp.130]$ sudo chgrp -R plex inherit

B. Enable inheritance of the group name for all items created below

[chuck@lizum /tmp.131]$ sudo chmod g+s inherit

C. Propagate the inheritance bit (flag) to all existing subdirectories (future directories will inherit it automatically)

[chuck@lizum /tmp.132]$ sudo find ./inherit -type d -exec chmod g+s {} \;

D. Add another movie to the library

[chuck@lizum /tmp.133]$ mkdir 'inherit/movie2 (year2)'
[chuck@lizum /tmp.134]$ touch 'inherit/movie2 (year2)/movie2 (year2).mp4'

E. Observe the resultant permissions

[chuck@lizum /tmp.135]$ ls -laR inherit
inherit:
total 0
drwxr-sr-x.  4 chuck plex  80 Jul  4 14:00 ./
drwxrwxrwt. 21 root  root 520 Jul  4 13:57 ../
drwxr-sr-x.  2 chuck plex  60 Jul  4 14:01 movie2 (year2)/
drwxr-sr-x.  2 chuck plex  60 Jul  4 13:52 movie (year)/

inherit/movie2 (year2):
total 0
drwxr-sr-x. 2 chuck plex 60 Jul  4 14:01 ./
drwxr-sr-x. 4 chuck plex 80 Jul  4 14:00 ../
-rw-r--r--. 1 chuck plex  0 Jul  4 14:01 movie2 (year2).mp4

inherit/movie (year):
total 0
drwxr-sr-x. 2 chuck plex 60 Jul  4 13:52 ./
drwxr-sr-x. 4 chuck plex 80 Jul  4 14:00 ../
-rw-r--r--. 1 chuck plex  0 Jul  4 13:52 movie (year).mkv

Extend permissions and inheritance to include multiple usernames

In the above example, group plex was used. Any existing group name may be used, and any system usernames may be added to that group.

A new group named ‘media’ can be created with multiple users in it (plex being one of those users).

Continuing with the media example above, instead of group plex, create and use a new group, media. Add users chuck and plex to this new group.
Once they are added, change the group of the directories and files to reflect the new group assignment.

A. Create group media and add chuck and plex to it

[chuck@lizum /tmp.136]$ sudo groupadd media
[chuck@lizum /tmp.137]$ sudo usermod -a -G media plex
[chuck@lizum /tmp.138]$ sudo usermod -a -G media chuck

B. Reassign all the files and directories to use this new group

[chuck@lizum /tmp.139]$ sudo chgrp -R media inherit

C. Verify the results

[chuck@lizum /tmp.140]$ ls -laR inherit
inherit:
total 0
drwxr-sr-x.  4 chuck media  80 Jul  4 14:00 ./
drwxrwxrwt. 21 root  root  520 Jul  4 13:57 ../
drwxr-sr-x.  2 chuck media  60 Jul  4 14:01 movie2 (year2)/
drwxr-sr-x.  2 chuck media  60 Jul  4 13:52 movie (year)/

inherit/movie2 (year2):
total 0
drwxr-sr-x. 2 chuck media 60 Jul  4 14:01 ./
drwxr-sr-x. 4 chuck media 80 Jul  4 14:00 ../
-rw-r--r--. 1 chuck media  0 Jul  4 14:01 movie2 (year2).mp4

inherit/movie (year):
total 0
drwxr-sr-x. 2 chuck media 60 Jul  4 13:52 ./
drwxr-sr-x. 4 chuck media 80 Jul  4 14:00 ../
-rw-r--r--. 1 chuck media  0 Jul  4 13:52 movie (year).mkv
[chuck@lizum /tmp.141]$
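As an added example (not part of the original post), a small audit script that checks a library tree for the result of the steps above: directories missing the setgid bit, and directories or files not owned by the intended group. It goes one step beyond the post by also flagging directories the group cannot write to, because setgid passes on the group but not the mode, and a DVR writing as a group member needs g+w. It assumes Linux, and takes the group as a numeric GID; the sample tree it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile


def audit_tree(root, want_gid):
    """(path, problem) pairs: directories missing setgid or group-write,
    and directories/regular files whose group is not want_gid (a GID)."""
    problems = []
    for dirpath, _dirs, files in os.walk(root):
        st = os.lstat(dirpath)
        if not st.st_mode & stat.S_ISGID:
            problems.append((dirpath, "missing setgid"))
        if not st.st_mode & stat.S_IWGRP:
            # setgid inherits the group, not the mode: a DVR writing as a
            # group member still needs g+w on the directory it writes into
            problems.append((dirpath, "group cannot write"))
        if st.st_gid != want_gid:
            problems.append((dirpath, "wrong group"))
        for name in files:
            path = os.path.join(dirpath, name)
            fst = os.lstat(path)  # lstat: never follow symlinks out of the tree
            if stat.S_ISREG(fst.st_mode) and fst.st_gid != want_gid:
                problems.append((path, "wrong group"))
    return problems


def fix_setgid(root):
    """Python equivalent of `find root -type d -exec chmod g+s {} \\;`;
    returns the directories changed. chgrp is deliberately not done here:
    run it (as root) before this, because Linux silently drops g+s set by
    a process that is not a member of the directory's group."""
    fixed = []
    for dirpath, _dirs, _files in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if not mode & stat.S_ISGID:
            os.chmod(dirpath, stat.S_IMODE(mode) | stat.S_ISGID)
            fixed.append(dirpath)
    return fixed


def build_sample_tree():
    """Constructed sample library (one movie, no setgid yet);
    returns (root, subdir, gid of root)."""
    root = tempfile.mkdtemp(prefix="inherit-")
    sub = os.path.join(root, "movie (year)")
    os.mkdir(sub)
    open(os.path.join(sub, "movie (year).mkv"), "w").close()
    return root, sub, os.lstat(root).st_gid
```

Run `audit_tree("/path/to/library", gid)` after step C of either procedure; an empty list means every directory carries the setgid bit and everything belongs to the intended group.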
