@ChuckPa May I suggest trying on Ubuntu 20.04 for the Linux HOWTO switching to a command based on the following instead of chown and chgrp. You can maintain full control of the multimedia directory without having to control so coarsely the permissions for all groups. The command specified below allows you to assign a read/write permission to plex while others still get only other appropriate permissions.
sudo setfacl -m u:plex:rw /multimedia/
I agree file ACLs are useful in the right circumstances.
It has been some time since I wrote the HowTo.
My concerns are:
File ACLs are not applicable to all file system formats
Those learning Linux might better be served with the simpler concept of Owner (their username) and a group (plex) having access to the files as most new users are coming from a Windows environment where the concept of multiple users exists in a completely different context / mechanism. ls -la is the one command which will show them everything they need in the early stages of mastering the command line.
NAS mounts do not always support ACLs. I feel a minimal level of uniformity in those early steps helps get folks started. As they do advance their understanding and mastery, I do completely agreee that ACLs can be brought into more active use.
I will again review the How-To and update it to include a few more methods for granting access.
This all not withstanding, basic permissions UID=the user, and GID of âplexâ better give basic access. If it doesnât then there is information missing.
In that same breath, UID=user, GID=user, with chmod -R o+r /parent-directory-name will grant the needed access to user plex and be as effective as setfacl while still being visible inls -la
@ChuckPa Actually setfacl allows for it to be used on files and directories. The right switches and paths just have to be used.
I am aware.
Put yourself in the place of someone learning Linux. Theyâre already overwhelmed.
How do we keep it as simple as possible, providing maximum reinforcing success with minimal overload ?
FYI: I added the following above:
In that same breath, UID=user, GID=user, with
chmod -R o+r /parent-directory-namewill grant the needed access to userplexand be as effective as setfacl while still being visible inls -la
sudo setfacl -R -m u:plex:rw /multimedia/
I hear you but I donât think youâre hearing me.
setfacl mandates use of getacl.
Simplify.
Could a script be prepared which the user runs which they give some of the parameters for to, which calls these two together. The script runs these commands performing the privileges setup for preparing the ACLs.
Or we could stick with the present, Iâm just cautious about allowing too much permissions to users and groups out side of plex and other appropriate users.
Please define âtoo much permissionsâ ?
Thereâs you and the system services / apps you run.
Are you not in control of that which youâve installed?
With that, this is so far off topic that I have moved this discussion to its own thread.
I will, as promised, look into expanding the HowTo for those who wish to run ACLs but do feel ACLs are much more advanced than the typical user of the How-To and the intent of the HowTo (provide basic connectivity and access across a wide variety of Linux platforms and operating environments - including containers)
Yes, a script could be prepared but thatâs like handing a sledgehammer to someone when the dresser drawer wonât close all the way.
There is no way the script author can predict the nuances of everyoneâs needs / installations.
Itâs more dangerous than taking the time to teach how to perform whatâs required.
What if they typed sudo chown -R chuck:chuck / when they meant sudo chown -R chuck:chuck /nas (hit enter too soon)
Linux is powerful. They need learn this. Iâve taught unix/linux classes and this is always the point where people trip because itâs no longer a âclick the buttonâ (like windows). A script masks both the lesson and problem.
Alright stick with chown for the basic userâs howto. However the ACLs would be useful for more advanced users, and/or users who wish to âbullet proofâ their PMS servers.
I wholeheartedly agree. ACLs do make it bulletproof.
Couple that with AppArmor or similar to re-enforce it further via an Plex Media Server profile to control what can be done.
sounds extreme for a home appliance. Do you not trust your family members? Do you not have a proper firewall ? Do you download unknown applications on your server?
I do have a firewall, but given unknown vulnerabilities, and remote access functionality protecting against unexpected requests and exploit possibilities. Controlling code integrity is important so that its process is protected.
No unknown applications, just ensuring via security that it is harder for unknown 0days, and known vulnerabilities to be exploited when found.
Windows has a variety of virtualisation based security technologies, Linux currently doesnât thus this hardening is further required.
We virtualize all kinds of things in Linux (DoD / Govt) and donât have the vulnerabilities you elude to. If we can operate at those security levels with that degree of confidence then I fail to understand.
Comparing Windows vulnerabilities to Linux has no merit. Windows has always been a train wreck looking for a place to happen. I donât have a virus scanner on Linux and have never needed one â even when running a Windows VM. If a file contains a virus, it just sits there â unable to propagate or do any damage / info gathering because it has no means to function.
Iâm referring to things like DeviceGuard and CredentialGuard under Windows 10 1903 and Windows Server 2016 or above. This is virtualisation based as a foundation. DeviceGuard does memory isolation, as well as other code integrity functions and CredentialGuard does the equivalent for authentication credentials.
Linux doesnât to my knowledge have anything similar to this in current distributions or the kernel.
Also with the vulnerabilities Iâm not explicitly referring Windows vulnerabilities on Linux and vice versa. Iâm referring to the system specific vulnerabilities for that specific operating system Linux vulnerabilities on Linux and Windows Vulnerabilities on Windows.
Again, youâre applying Windows vulnerabilities to Linux which no such vulnerabilities exist.
The kernel ring architecture of the OS (with gates only through specific vectors) prevents that which Windows, by nature, cannot.
Why do you think Microsoft is making such a hard thrust at obtaining license to use Linux as their kernel?
Alright the kernel is isolated. How about the credentials are they securely isolated in a secure SVMM or TPM area?
Credentials donât even need be located on the host. Is that secure enough?
What about on the host where they are stored?
