Hi,
I’ve installed PMS from the Synology package center.
I created the Plex user.
When I went and check in the User Accounts, I see that the Plex user is not only a regular user but is also part of the administrators group ?
Is it required ?
I’m thinking of removing it from the Administrators group for security reasons.
If you remove PMS from the administrators group, there are consequences.
plex to every share which has media in it that you use.PMS runs as user plex. It only had the administrators group so it could read your pre-existing shares which you’d forgotten to give permission to read. Adding to administrators was a Synology ‘nit’, not a functional one.
The choice is yours. Just be certain to test and, if you find you’re losing media from your library, double check your share permissions before coming to and saying there’s a probem.
Then I’ll keep it.
Anyway, Plex password is not known by anybody so there isn’t really any risk to keep it like it is.
Thanks.
@ChuckPA said:
2. Every time DSM ‘burps’ (which it does approximately every 60 days) you will need to go back and re-add those
Sorry to revive an old thread… but what do you mean by DSM ‘burps’?
Also, is it safe to disable the plex user account in DSM? Even if the password is unknown, I find it unsafe to have a user account for which I don’t know the password to be on the administrators group.
DSM 'burps" in that unpredictably, DSM’s database, which maintains the share permissions assignments, will forget half of the information. In other cases, it forgets all the information. The specification information it forgets is that user plex has been granted permission to read or read/write your media shares.
Regarding the password to the plex account, there is no reason for any regular user to access it. If you have such need, you will have the root password which is infinitely more dangerous. Further, without knowing the exact microsecond the uuidgen command runs, the chances of anyone being able to brute force or guess the password are incalculably small. As analogy, shoot two darts at the moon and have the second one strike the first one.
You knowing the password for user plex is infinitely more dangerous because human beings are predictable.
All having been said, if there is enough need, I could generate a new random password each time PMS is updated/installed further decreasing the possibility of intrusion as well as preventing accidental exposure but I do need it to be in the administrators group. Be advised, administrators is not root. I have no need ever to run as user root. I insist on preserving the integrity & security of the box not violating it.
@ChuckPA thanks for your reply and answer. I will keep that in mind.
For what it’s worth, I disabled the “plex” user account, and haven’t seen any side effects of it yet.
Disabling user plex only removes potential GUI (login) access.
Disabling is not the same as changing fundamental runtime environment.
I’m sorry but Plex does not need admin rights. It runs just fine without it (been doing it for a couple years now). The ports it opens are all non-privileged, it gives itself full access to the Plex share, and adds itself to the video group to access the hw transcoding devices.
I’ve never experienced any kind of ‘burp’ on file permissions.
I do not want Plex to have unfettered access to all my files on my NAS. Realistically a member of the administrators group will have at least read access to all the shares (that’s the main reason Plex adds itself to that group from what I understand). If somehow Plex server gets compromised, all my files on the NAS become exposed. This is not acceptable to me.
I have to fight with Plex every time I update it because it keeps re-adding itself to the administrators group.
This is the culprit in /var/packages/Plex\ Media\ Server/scripts/postinst
# Verify the plex user is in administrators group (Syno share perm fix)
if [ `grep administrators /etc/group|grep plex|wc -l` -eq 0 ]
then
sed -i '/administrators:/s/$/,plex/' /etc/group
fi
I actually have a cron task to automatically remove the plex user from the admin group:
#!/bin/sh
# Verify the plex user is NOT in administrators group
if [ `grep administrators /etc/group|grep plex|wc -l` -gt 0 ]
then
echo "Removing plex from admin group"
sed -i '/administrators:/s/,plex//' /etc/group
fi
Plex, please remove this from the install script. For existing users the plex user will stay in the administrators group. For new users (or the ones that remove it), it will no longer have system wide admin rights!
Or at the very least, only add plex to the administrators group when you first create the user. If people like me want to deal with the complications of more fine grained permissions, let us do it in peace!
Thank you for the feedback. I’ll look at all the different configurations before I issue the next update to the scripts.
Under DSM 5, it was required. Now that Synology has implemented udev in DSM 6, it indeed doesn’t seem necessary.
If I indeed remove it, I will also make certain to make changes retroactive to older as well.
I went and looked at the distribution files for Synology.
I then went and installed on a fresh instance.
plex isn’t in the administrators group
#$_@GID__INDEX@_$65536$
administrators:x:101:chuck,admin
avahi:x:84:
bind:x:53:
daemon:x:2:daemon,root
dbus:x:81:
dovecot:x:143:dovecot
FileStation:x:179652:
ftp:x:21:ftp
http:x:1023:
ldap:x:439:
log:x:19:root
lp:x:7:lp
maildrop:x:126:
mysql:x:66:
nobody:x:99:
ntp:x:87:
postfix:x:125:postfix
postgres:x:55:
root:x:0:root
rpc:x:32:
smmsp:x:25:
SynoFinder:x:195341:
system:x:1:system
users:x:100:
video:x:65536:plex
wheel:x:10:
Well I don’t know what to tell you, the lines above are in script found in the latest 1.13.0 spk, and they sure add the plex user back to my administrators group.
I see it. I’m looking in the source code logs. I don’t know how, but there was a regression or my changes did not get committed. That’s on me. I’m taking care of it now.
Thank you for catching it and making me take a hard look. I had a few moments of HUH? trying to determine what was truth and what was incorrect.
I’ll do a few quick checks but all should be fine to rip it out.
Before I do and then regression test on the lab systems, are you running on a Syno with HW transcoding capability??
Yup, DS716. HW Transcoding definitely works (it looks like even better in the new 1.13 version).
Regarding the file access rights, as far as I know, all users are automatically added to the “users” group, which I would assume by default gets at least read permissions on shares. This should be good enough for plex to find and index the user’s media.
However there are a few cases I know of where Plex needs to write files as well:
Since Plex allows the user to select the location of optimized versions and recordings, maybe it’s all good to let users select a location writable by plex. But I think at the very least it should be explained somewhere that pleax needs write access to that folder.
Personally I have it setup so that:
That way Plex can add its own files to my Library but not change existing files, unless it created them. It also helps keeping recorded and other media separate.
I can, and will, remove the administrators group membership for user plex even though it is of no consequence because it is truly no longer needed. You can verify this by looking at the file versus looking in the UI. I do not interface with the Synology permissions database (I don’t have the password or schema information). Changes made in the GUI are not reflected in the files and visa versa.
I see no justification for burdening PMS with ACL support for one platform. It is, imho, asking for a permissions management disaster for those users who do not understand the intricacies.
Media management is, and will always be, ultimately the user’s responsibility. If you capture television and record it, it’s already your media… You subscribed to it external to Plex. It’s yours to take care of.
I will state here and now, I will not debate this. It is a level of micromanagement I feel is unwarranted. If a particular person wants a certain management for his/her data then it is his/her decision. I will not support pushing one person’s agenda on another.
Agreed, I don’t think plex should get in the business of managing access rights.
I just wanted to make sure it’s documented somewhere that plex does need write permission for some things and wanted to provide my approach for whoever might be interested.
Again: On Synology, Plex Media Server purposefully runs as unprivileged user plex. This mandates the user (owner) grant those permissions to write as needed.
This topic is now completed and closed.
I’m sorry for necroposting, but I’m looking at my Synology 918+, DSM 6.2.1-23824 Update 4, Plex 1.13.4.5271 (the latest officially available from Package Center; no sideloading) and the “plex” user is very much in the “administrators” group both when looking in the Control Panel and listing the /etc/group directly:
#$_@GID__INDEX@_$65536$
administrators:x:101:admin,zbig,plex
Is that another regression or a deliberate reversal on the decision not to add plex to administrators anymore?
I am keeping the administrators group membership only for DSM 5.2 backward compatibility.
When DSM 7 comes out, is stable (key element here), and DSM 6 becomes maintenance mode which retired DSM 5.2, I will remove it.
In DSM 6, I use the udev mechanism for hardware access. This runs at the OS level and below all interactive sessions.
If you remove it manually , You will have some issues with USB tuners. This is because some USB tuners have 3rd party additions to DSM. I have no access to them without administrators group but am also working a solution.
TL;DR
Does this shed some light?
Hello Chuck,
thank you for taking the time for this comprehensive answer. However, regarding 4.: the thing is I’ve just removed the explicit permissions for user “plex” to my media directories and it’s still able to access and stream them just fine. Both from my home user directory and outside it. Also, when I use the “Permission inspector” in DSM on any of the DSM directories, it resolves to “plex” having full permissions to everything.
Regards,
Zbig
Zbig,
It resolves because of plex being a member of users group on the newer models.
Shares you create under your username are also in the users group.
Not all systems are defaulted this way. I am still maintaining DSM 5.x compatibility.
The quintessential part here is the Plex share and being able to manually access logfiles when it fails to start. Previously, the Plex share didn’t exist. If log files were needed the only option was to retrieve manually. Engineering finally gave us “Download Logs”.
Being in the administrators (an unprivileged group) works when Plex is running, regardless whether you are signed in as user admin or yourself). This is because the need still exists to gather them manually by writing to the share to create the ZIP.
Please never forget administrators is an artificial construct on Synology’s part and only has permission to do certain things through their GUI. At the Linux level, where Plex runs, it is just another unprivileged user. This is why, immediately after signing in as admin, the first thing you do is elevate to the real admin (root)
I am planning on making changes to how things are done (major overhaul actually) on Synology.
To share insight what I am thinking:
Pros & Cons
1, Plex and any other user accounts are now isolated
2. Without expressed access permission to shares, there shall be no access
3. User admin access will serve only the Synology-designated purposes afforded it through their GUI.
4. Careful examination of those privileges will reveal user plex cannot write to your media directories. You must explicitly grant R/W if you want to do any DVR recording.
5. Media can’t be deleted through Plex without R/W permission. If you wish to test this, please do. Should it actually delete the media, you’ve now found an error in your configuration which completely bypasses Linux UID/GID permissions. Time to go find and fix.
I do have a couple questions.
This is the age-old “it’s an appliance to be used in your home by trusted members of your household -VS- hostile users on the open internet” . If nobody is trusted, why do they have access?
