At first I noticed it as shows that wouldn’t have their poster or other view show up, they’d be blank. Or subtitles I knew where there wouldn’t show up. Root caused back to various directories in the plexmediaserver directory being set to root ownership instead of plex:plex.
I reset it back to plex:plex and set the permissions to 640 to ensure that plex was the only entity that could change the files. However it keeps reoccurring. It’s as if plex is doing it itself. I sure am not doing it and I can’t figure out any other way random files/directories would be changed to root ownership.
PMS and DVR run as unprivileged user plex. Unprivileged users do not have the authority to change ownership
[chuck@lizum /tmp.131]$ touch example
[chuck@lizum /tmp.132]$ ls -la example
-rw-r--r-- 1 chuck chuck 0 Jan 30 23:59 example
[chuck@lizum /tmp.133]$ chown root example
chown: changing ownership of 'example': Operation not permitted
[chuck@lizum /tmp.134]$ ls -la example
-rw-r--r-- 1 chuck chuck 0 Jan 30 23:59 example
[chuck@lizum /tmp.135]$
I checked all three items you mentioned including rkhunter.
I didn’t find anything obvious that would be making those changes. However, I did make some observations which might lead me to the issue.
First, it’s only a bundle directory which has those permissions: 775 root root plexmediaserver/Library/Application Support/Plex Media Server/Media/localhost/1/debc5e58455184a8cd30458cb74cf15f860f918.bundle 775 root root plexmediaserver/Library/Application Support/Plex Media Server/Media/localhost/1/debc5e58455184a8cd30458cb74cf15f860f918.bundle/Contents 775 root root plexmediaserver/Library/Application Support/Plex Media Server/Media/localhost/1/debc5e58455184a8cd30458cb74cf15f860f918.bundle/Contents/Art 775 root root plexmediaserver/Library/Application Support/Plex Media Server/Media/localhost/1/debc5e58455184a8cd30458cb74cf15f860f918.bundle/Contents/Thumbnails
Second, I do post-process the recorded TV shows. This involves encoding and essentially creating a new file which replaces the one created by plex. The plex file was ‘plex plex’ in it’s ownership, while the new file created is ‘root plex’ since it was created by a cron job run by root.
Is it possible that whatever mechanism is running to create the thumbnail/art/etc. running on a file owned by root can affect the directory ownership of the bundles directory?
Ah, I think I have a better alternative on what may be occurring. Because not all of my changes are being noticed by Plex, I run the ‘plex media scanner’ as root.
If the ‘plex media scanner’ is run as root instead of from Plex, is it possible it tries to create the bundles as root as well?
Why are you running the scanner as root? When you have file permissions for your media correct, root is not needed.
I suggest you start 'stepping backoff theroot` perms and making sure that if you do process files as root, you do so in a temp directory then get the permissions right.
When you do invoke the scanner, invoke it as plex (su plex -c ........ )
I have a post-processing run from cron as root. I discovered Plex wasn’t catching the changes so I added in a call to the Plex media scanner to ensure all changes were caught. Everything was run as root.
I’m pretty sure this was the cause. Perhaps it would be good to have a fail-safe check in ‘plex media scanner’ to ensure it is being run as ‘plex’ otherwise the files/directories it writes will not be accessible to the ‘plex’ user. If it’s a mistake to run the scanner as anyone except for the plex user, this should be enforced by the scanner.
@ChuckPA
Given that running the Plex Media Scanner as any user that is not ‘plex’ will result in a type of corruption to the Plex directory structure/database (since the created files won’t be accessible to Plex). Wouldn’t it be safer if Plex implemented a basic user check and terminated gracefully if not run as ‘plex’ to avoid corrupting it’s directory structure?
I ask this as a rebuttal question (healthy debate).
Why should user plex always check to see if its files are being manipulated by some external agent without its knowledge?
If you went poking around in C:\Windows\System32 and changed things there, what would be the reply from Microsoft?
Trying to code every single file I/O operation to safeguard from every conceivable intrusion is tantamount to asking Windows to safeguard itself. Therefore, respectfully, if you’re going to play in the PMS’s home directory, please know what you’re doing.
The point I was trying to make is that ‘Plex Media Scanner’ is a publicized interface that users can run as an alternative way to scan for new media. Because Plex itself created it and made it available to end users, it isn’t similar to your example where you are sneaking into the System32 directory to do random damage. If Plex didn’t want users to run ‘Plex Media Scanner’ they could remove it from the release and not publicize it.
Also, the point is I’m not making changes to the PMS home directory, ‘Plex Media Scanner’ is making the changes from a public interface Plex created. It’s similar to a user using the web interface, another public interface. Part of good programming is checking your inputs and not doing something stupid because one of your inputs was garbage. In this case, I’d consider who it’s being run as as part of the input the user is bringing to the public interface. Plex should ensure everything lines up and is correct before modifying the PMS home directory.
When the scanner is run, via the public tools / api, as user plex, everything works fine and the entire point of file permissions is immaterial and not relevant.
in your cron script, launch the script which runs as user plex and calls the public API tools. this is not rocket science.
Installation creates PMS’s home drectory owned by user plex and fully prepares to be run by the non-privileged user plex:plex.
SystemD launches as user plex:plex, which by nature of Linux, all files created by those processes are owned by the UID/GID of the PID creating them.
Do you know how long startup will be delayed if PMS has to wait and check all the files in a 15GB Library directory?
Plex should ensure everything lines up and is correct before modifying the PMS home directory.
To accomplish what you ask, on a small - medium sized database (700 movies & series), on an 8-drive Synology DS1815+ NAS requires:
sh-4.3# date ; chown -R plex:users Library ; date
Wed Feb 22 22:25:35 EST 2017
Wed Feb 22 22:28:58 EST 2017
sh-4.3#
I don’t see a need to go into the Plex Home Directory to check for and correct issues. I agree that would take a unreasonably large amount of resources to do.
The ask is that PMS not create damage to the Home Directory if it’s run as another user besides ‘plex’. This can be done with a one line check ‘whoami’. If the return from the call is not ‘plex’, then PMS can simply refuse to run.
After doing this the hard way I now know not to do this. Currently I am running as ‘plex’ and doing it correctly. The issue is that in my first attempts ‘plex’ happily ran it as ‘root’ and I had no idea that it was silently messing up the plex home directory. If it had refused to run as ‘root’ saying “Please run as ‘plex’”, I would have realized my mistake and run it as ‘plex’.
If PMS shouldn’t be run as anyone except ‘plex’ then failing with an appropriate message is both cheap and the right thing to do so users know the correct way to run instead of inadvertently messing up their directories.
Running PMS as another user is supported using the standard SystemD service overrides. I thought I made sufficient announcement and wrote appropriate documentation for the support pages when this was implemented back in August 2016.
This isn’t recommended unless you’re skilled in what’s being done here. Here’s what it would take to make PMS run as my username in my home directory. Maybe this gives you what you need?
Created as root /etc/systemd/system/plexmediaserver.service.d/override.conf
The contents of this file are:
#
# Reconfigure PMS to run as my username in a directory under my home directory
#
#
[Service]
Environment="PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR=/home/chuck/plexdir/Library/Application Support"
#
#
User=chuck
Group=chuck
From the linux command line:
sudo sh
systemctl stop plexmediaserver
cd /var/lib/plexmediaserver
tar cf - ./Library | (cd /home/chuck/plexdir ; tar xf -)
cd /home/chuck/plexdir
chown -R chuck.chuck .
systemctl daemon-reload
systemctl start plexmediaserver
I appreciate your thorough explanation on how you can run Plex as another user. In my case, I don’t want to change from the default, I just didn’t know better.
Running my post-processing from cron defaulted to running as ‘root’ and I didn’t realize that running as ‘root’ would do harm. It was easy enough for me to make the adjustment to run as ‘plex’ after I realized the problem. I just didn’t realize that it would be damaging my Plex directory to run the Scanner as ‘root’. It just never occurred to me.
As I had run the installer as ‘root’ and it installed fine, I didn’t realize running the Scanner as ‘root’ would carry the user into the Plex Home directory ownership, messing up permissions.
Your other point is probably that if someone did follow your instructions above and ran it as ‘chuck’, then running PMS as ‘chuck’ is the right thing to do, and running as anything else would be creating damage to your Plex Home Directory. Given that is a possibility, the check needing to be performed would get more complex and Plex would need to check against what it is normally run as to see if it was different.
The scanner is username sensitive. As root, it will not respond but as user plex it will.
I cite the following
[whoami@lizum plexmediaserver]# whoami
root
[root@lizum plexmediaserver]# ./Plex\ Media\ Scanner --list
[root@lizum plexmediaserver]# su - plex
-bash-4.3$ export LD_LIBRARY_PATH=/usr/lib/plexmediaserver
-bash-4.3$ cd /usr/lib/plexmediaserver
-bash-4.3$ ./Plex\ Media\ Scanner --list
11: Chuck
20: GHI video
19: IPhone Photos
18: Links
1: Movies
8: Music
5: Requested Movies
4: Seasonal Movies
3: Television
12: Test Movies
15: Test Series
17: TV no-data
2: UHD Movies
-bash-4.3$
I’m sorry, but you’ve not convinced me how running as root, using the documented API (Plex Media Scanner) will cause the issues you claim.
I am fully aware, having done it myself, running a script as root from cron can and will trash an entire machine not just PMS>
Just reading information from your library won’t mess it up.
Take a case where you have change detection turned off, ie “Update my library automatically” is disabled so it will actually find changes that need to be processed.
Add media to your library, “1” in this case.
Now initiate a scan:
Plex\ Media\ Scanner --scan --section 1
When the PMS creates directories in it’s Plex Home directory, those directories will be owned by the user that is running PMS.
When Plex itself runs and tries to access the directories created during it’s scans, it will find it cannot use the directories because it doesn’t have the permissions and isn’t the owner.
This was the case I was running into. I had a post-processing cron job running as ‘root’ that would make changes and then call PMS to pick up the changes. I later found that subtitles and posters were not updating. We finally debugged it to permissions in the Plex Home directory. That was traced back to PMS being called with ‘root’ and creating directories in Plex Home when it was ‘root’.
You called the scripts as root nobody else. You are responsible here for creating files which unprivileged user plex:plex cannot operate wtih. I’m sorry but you created the issue.
If you have a problem with the state it’s in, I respectfully suggest you uninstall PMS, delete user plex, delete /var/lib/plexmediaserver and begin again from scratch as you are the only person with this issue.
I am reopening this thread as i do not see a reason to close it.
The main issue as I see it. If there is some bug with the scanner itself in it’s default configuration/permission settings that is one thing. However you are intentionally changing permission and how the plex scanner runs. If you alter things yourself, you are responsible for the results of that change there is only so much we can advise on in that case.
I currently only run the PMS as ‘plex’ to avoid this issue.
My directory permissions are currently correct as I manually corrected them after I found the cause.
This was raised mainly to point out a gap, either in your documentation or in your PMS program assumptions.
If the following conditions are met, then PMS will corrupt a user’s Plex Home directory.
Condition #1: You run Plex as the ‘plex’ user (which is default)
Condition #2: You run a PMS scan as someone other than the ‘plex’ user and there are items that are discovered.
Conclusion:
If you feel the percentage of individuals meeting the above two conditions is small and not worth fixing, that is fine. But I point out that all that’s needed to expose this issue is for the scanner to detect new items while not being run as the ‘plex’ user. This isn’t mentioned in the PMS command line documentation as a requirement.
You can decide if this is worth your time to fix, I’ve already run into and recovered from this. My main concern was that anyone else who uses the command line PMS might also run afoul of this as well, and it’s a bugger to root cause back to what caused it.
