I have a PMS running on Ubuntu (18.04.3 LTS). I’m running PMS version 1.18.5.2309, service uses plex:plex (user:group).
I use NZBGet/Radarr/Sonarr. All of those services kick off with root:root (user:group).
I mount my media drives with /etc/fstab at boot (they mount to /mnt/hdd1, /mnt/hdd2, /mnt/hdd3). Running ls -lah reveals that the owner of EVERYTHING I mounted is root:root (user:group).
Radarr/Sonarr will download media and post it to the correct drive locations. I am assuming that is because the drives are root:root and the services are root:root.
PMS can read the media and stream it accordingly. BUT, I cannot delete the files once I’m done watching them. I know this is b/c the plex user does not have the permission to delete the files owned by root.
My workaround is to replace plex:plex in the plexmediaserver.service file with root:root. This of course gets overwritten with plex:plex when a new version is installed. And I wrote a script to handle it.
I am looking for the correct way to handle this. I tried using the setfacl command and I’m having issues with it. I’ve read that a mass ‘chown -R’ is not the answer.
Should I mount the drives differently? Different user?
Should I mount them to a different location? Like /home/plex/media/hddX?
I saw a tutorial about changing the group of drives to something like “multimedia” and adding the plex and root users to that.
I know there are other similar posts out there, but I cannot seem to find one that provides a “best practice”, only suggestions.
Never run Plex as root. We don’t run it as root because it can (and will) delete your media if you aren’t careful.
Use the combination of setgid, where you and user plex are part of that group. You then mark those directories by asserting setgid (chmod). All future additions will automatically be members of that group with permissions you assigned the parent.
Here is a How-To for implementing this. While I initially wrote for DVR, it works for anything.
@ChuckPa, so just to be clear, the other services (nzbget/sonarr/radarr) are running as root:root. They will always write new media files to the HDDs as root:root. But you’re saying the inheritance function will overwrite that root:root when the file arrives on the HDD?
@ChuckPa, so my main linux user is ‘plexms’. Set that info aside…
Is it enough to follow your tutorial and create a ‘media’ group? And add the root and plex users to that? And change the DVR services (nzbget/sonarr/radarr) to start with root:media?
Or you’re suggesting get away from using root:group_name in my DVR services altogether?
I would very much like your help on this user setup. I know using root:root is not a great idea, and I would like to get away from it…
While I prefer to leverage user. Since you’re writing from a username root process, it’s going to be able to write to the files regardless of the assigned UID/GID. This is a bonus for you. When the file is closed, the UID/GID assigned will be in control.
This is where I usually set up chuck:media.
I have direct access via my UID.
Plex has permission via the GID.
If I write the file, setgid is leveraged to assign chuck:media
If root writes the file, setuid & setgid are both leveraged to assign chuck:media
My use of sudo isn’t needed anymore (which I loathe using)
I definitely agree with the other posts here to not run as root. All non-system level user space apps should run as dedicated users and groups where possible to avoid a lot of potential security issues/risks.
As a side note - do you have any notes on how you got NZBGet/Radarr/Sonarr to work? I have not been able to get them to download anything for me. I’m sure it’s a setup issue somewhere.
@ChuckPa, so here is the setup I’m proposing, feel free to shoot holes in it:
Main linux user: plexms
Plex Media Server runs as plex:plex
NZBGet/Sonarr/Radarr run as plexms:media
Create a group named ‘media’ and add root/plexms/plex
Run your inherit tutorial, changing the group of all media files to ‘media’
Would you recommend changing the user on the media files as well? Make them ‘plexms’?
So as I stated at the outset, my media are on:
/mnt/hdd1/movies
/mnt/hdd2/tv
/mnt/hdd3/saved_movies
^^^ All of the files on the above directories are currently root:root ^^^
So I already created a group called ‘media’ and I added ‘plex’ and ‘plexms’. I assume next steps would be:
change the pms service to run on plex:plex, reload daemon, restart
change nzbget/sonarr/radarr services to run on plexms:media, reload daemon, restart
change the owner:group of all my media files to be plexms:media
A. sudo chgrp -R media /mnt/hdd1 &&
B. sudo chmod g+s /mnt/hdd1 &&
C. sudo find /mnt/hdd1 -type d -exec chmod g+s {} ; (text editor is removing the backslash before the semicolon!)
D. …repeating for each mnt directory
I’d need more info. What is the problem you are having? Are radarr/sonarr grabbing the nzb files? Are your program-to-program API keys correct? Can you test your indexer connections? Your download client connections?
As a test, hand create some files in /tmp/plexms with touch after having done su to plexms and setgid active (permissions 775/664), then drop back to your normal User account and see how you like managing it that way.
I am a strong advocate of making the machine do the work instead of me typing su - blah all the time.
The goal is for you to see what this linux feature can do for you and how you can best leverage it.
I’m having trouble recreating your suggestion in the last post. I can SSH into the server with either of my users (‘root’, or my main user ‘plexms’). With a ‘root’ SSH, when I ‘su plexms’ and then try to ‘mkdir /tem/plexms’ it asks me for a password, and the resultant folder (ls -la) shows root:root. With a ‘plexms’ SSH, I cannot make the directory unless it’s with ‘sudo mkdir /tmp/plexms’ and then a password entry. And as far as I can tell (/etc/group), ‘plexms’ is in the ‘sudo’ group.
I know what you are telling me to do, and it was the test I had in my head, so I must be missing some user configuration for ‘plexms’, correct?
@ChuckPa, also, feel free to kill this thread. It has turned into a lesson in linux permissions, rather than a Plex Media Server issue. I don’t want to abuse the forum. I think I have enough info to make something work after some trial and error. Thanks in advance!
Okay, so here’s where I panned out. I think I have one little thing I’d like to figure out, but the main task has been accomplished (running PMS as ‘plex:plex’).
First, I created a group called ‘media’. I added ‘plex’ and ‘plexms’ to that group. I then edited the PMS service to run as ‘plex:plex’. I created some mock folders/files (as ‘plexms:media’), per your suggestion, and was able to delete folders/files just fine.
I then set up inheritance on my media mount points (/mnt/hdd0, /mnt/hdd1, /mnt/hdd2, /mnt/hdd3). All of the files/folders are now set to the owner:group of ‘root:media’. I again tried to delete the folders/files (from Plex) and it worked fine.
Finally, I edited the DVR services (nzbget/sonarr/radarr). This is where it got messed up. I set the services to run as ‘plexms:media’. Some services started (sort of) and others failed to start. I think, and I could be wrong, this is due to the fact that the rest of the DVR service files are owned:grouped as ‘root:root’ and inaccessible by the user ‘plexms’. I believe I installed the DVR services as ‘root’. So for now, I edited the services to run as ‘root:media’ and all is working. Sonarr/Radarr send files to NZBGet, they download and then are renamed and put into the correct folders, inheriting the correct ‘owner:group’.
Thanks for all your help, I will investigate the DVR services ‘owner:group’ issue later…
With your permission, I’d like to leave the thread here.
It does benefit media management for use with Plex and is an expansion of the HowTo’s which are posted under server-linux-tips, true?
As a final test, with both setuid and setgid asserted on the target folders, were you able to verify writing in there with any UID/GID still resulted in the correct UID/GID being assigned? If you have then definitely: mission accomplished.
[chuck@lizum ~.345]$
[chuck@lizum ~.345]$ mkdir /tmp/uids
[chuck@lizum ~.346]$ ls -la /tmp/uids
total 0
drwxr-xr-x. 2 chuck chuck 40 Jan 31 13:02 ./
drwxrwxrwt. 28 root root 620 Jan 31 13:02 ../
[chuck@lizum ~.347]$ sudo chgrp plex /tmp/uids
[chuck@lizum ~.348]$ ls -la /tmp/uids
total 0
drwxr-xr-x. 2 chuck plex 40 Jan 31 13:02 ./
drwxrwxrwt. 28 root root 620 Jan 31 13:02 ../
[chuck@lizum ~.349]$ sudo chmod 6755 /tmp/uids
[chuck@lizum ~.350]$ ls -la /tmp/uids
total 0
drwsr-sr-x. 2 chuck plex 40 Jan 31 13:02 ./
drwxrwxrwt. 28 root root 620 Jan 31 13:02 ../
[chuck@lizum ~.351]$ sudo sh
sh-5.0# whoami
root
sh-5.0# touch /tmp/uids/root-root-wrote-this
sh-5.0# ls -la /tmp/uids
total 0
drwsr-sr-x. 2 chuck plex 60 Jan 31 13:04 .
drwxrwxrwt. 28 root root 620 Jan 31 13:02 ..
-rw-r--r--. 1 root plex 0 Jan 31 13:04 root-root-wrote-this
sh-5.0#
setgid overrides the group assignment asserted by user root.
This allows your containers to be as they are and access as long as they share that common group.
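An added example (not part of the thread or of the How-To it links to): a shell check to run after the chgrp / chmod g+s steps discussed above. It lists every directory where the shared-group scheme would break: wrong group, missing setgid bit, or no group write bit (deleting a file needs write permission on its directory, not on the file). The function names and the sample tree are constructed for illustration; GNU find on Linux is assumed.

```shell
#!/bin/sh
# Added example: audit a media tree for the shared-group + setgid scheme.
# audit_media_tree ROOT GROUP prints "<finding> <dir>" for every directory that
# would break it (GROUP may be a group name or a numeric GID):
#   GROUP   directory does not belong to GROUP
#   SETGID  setgid bit missing, so new entries will not inherit GROUP
#   GWRITE  no group write bit, so group members cannot delete entries in it
audit_media_tree() {
    root=$1
    group=$2
    find "$root" -type d ! -group "$group" -print | sed 's/^/GROUP /'
    find "$root" -type d ! -perm -2000 -print | sed 's/^/SETGID /'
    find "$root" -type d ! -perm -0020 -print | sed 's/^/GWRITE /'
}

# Constructed sample tree (a stand-in for /mnt/hddX), built under a temp dir.
# Prints the path of the tree it created.
demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/movies/good" "$t/movies/no_setgid" "$t/movies/no_gwrite"
    chmod 2775 "$t" "$t/movies" "$t/movies/good"
    chmod 0775 "$t/movies/no_setgid"   # setgid never set: inheritance stops here
    chmod 2755 "$t/movies/no_gwrite"   # setgid set, but group cannot write
    printf '%s\n' "$t"
}

tree=$(demo_tree)
gid=$(ls -ldn "$tree" | awk '{print $4}')   # numeric group of the sample tree
audit_media_tree "$tree" "$gid"
rm -rf "$tree"
```

On a real server the call would be `audit_media_tree /mnt/hdd1 media`; empty output means every directory passes all three checks.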
@ChuckPa, I entered an SSH session as ‘root’. I created a file (test.txt) in one of my media folders. And the file had an owner:group of ‘root:media’. Also, I have had NZBGet get several media files since, all wind up with ‘root:media’. And plex can delete the files in media folders. I feel like it’s working correctly. Thanks for all that help!
Any idea why setting the DVR services to ‘plexms:media’ would break them? They’re currently running as ‘root:media’ which works fine, but I really want to get away from using ‘root’ as an owner. Any ideas there? How are you running your DVR services as ‘chuck:media’? Did you have to chown your /opt/ files to be ‘chuck:media’?
I would need to see the logs of what’s happening to know more.
I don’t understand “chown your /opt/” files. There are no files in /opt
PMS is installed in /usr/lib/plexmediaserver by the package manager and owned by root.
Should I wish it, I can create a service override file to change the User and Group Plex runs as.