Sorry if this has been answered elsewhere, but I can only find topics on share/folder permissions.
The user “plex” defined on my Synology by default has access to DSM, FTP, File Station and rsync.
In the interest of pedantic security, can I safely deny plex rights to those applications?
Just looked and they’re denied on my DS918+ and it does not cause any issues. I do not know if the PMS installer denied things or if I did it at some point. Don’t remember ever checking.
Plex is defined as if any other user however:
synouser utilityHere is the actual script segment
synouser --get plex 2>1 > /dev/null
if [ $? -ne 0 ]; then
# create user with random password
echo "Creating Plex user."
synouser --add plex $(uuidgen) 'Plex User' 0 '' ''
else
echo "Securing existing Plex user"
synouser --setpw plex $(uuidgen)
synouser --modify plex 'Plex User' 0 ''
fi
Having plex be a normal user gives you full control over what shares it can see on your NAS.
@FordGuy61, thank you.
@ChuckPa, that’s cool. I have no issues at all with plex being a defined user, I was just interested in reducing attack vectors. With “plex” being a well-known username on every Synology running PMS, it becomes a vector that an attacker could possibly use. Hypothetically let’s say there was a vulnerability in DSM that somehow allowed access without a password as long as one knew a valid username. Hopefully denying that user access to DSM would mitigate that.
Ideally the plex username would have a uniquely (to each installation) generated suffix at the end, e.g. plex-A6zw2J, so that it was extremely difficult to guess, and even then I’d likely deny it access to the apps. It looks like that would be very difficult to do given the requirement of using the synouser facility to query for an existing user unless that value were able to be derived consistently from data available prior to making the query.
I appreciate your time and assistance.
@ChuckPa, looking at the CLI guide, it looks like it might be better to use a zero in the last parameter, “app_privilege”, of the create user statement rather than the ‘’. I would assume that ‘’ equates to a null or empty string when it’s looking for a number.
synouser --add plex $(uuidgen) 'Plex User' 0 '' ''
would become
synouser --add plex $(uuidgen) 'Plex User' 0 '' 0
Sorry to go on about this, but I noodled on doing the suffix-style plex userids.
So we start with 3 cases:
Going to just high-level the process…
set plex_username to “”
use grep “Official Plex PMS User” on /etc/passwd to determine if new-style user exists
The rest closely follows your existing process with slight modification:
use synouser to check for classic plex userid
- create userid: synouser --add $plex_username $($uuidgen) 'Official Plex PMS User' 0 '' 0`
- rename the classic account: synouser --rename plex $plex_username
- reset the password: synouser --setpw $plex_username $($uuidgen)
- modify the account: synouser --modify $plex_username 'Official Plex PMS User' 0 ''
To summarize, this is all very likely easier said than done 
, but maybe worthwhile for security purposes in the future.
I appreciate the input but
plex. It’s established.Your thought-experiment has given me some additional input for securing the the account even further. I will do this.
To answer your OP.
plex the same as you would any other Linux service account like lpd, sync , mail, etc. Plex Media Server is a service application on the host – Nothing more.Thanks for your time and consideration.
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.
