Plex ignores host OS account permissions somehow

Plex Media Server Desktops & Laptops
1

I installed Plex media server as an admin. I run Plex media server as a user on a user account in windows 10.

It seems like there is a major issues in the setup:

  1. I can browse the administrator folder from the Plex > Libaray > Add Library > Browse dialog while logged in as a user. Plex has full access to all restricted folders. Why is this possible?

Its completely ignoring the OS user account permissions structure. Possible security vulnerability, possibly bad design decision.

While I’m at it…

  1. Why does the web interface even have the option to delete from the file system?

The application layer should never be changing the file system later from the playback library. I know I can check the box and “prevent.” I should have to because it shouldn’t be there to begin with. Bad design

2

I don’t know about your other question but the answer to this one is that it was a MUCH requested feature.

Note: You can turn that off/on in the server’s settings.

1 Like
3

Surely this would be a Windows OS bug rather than Plex bug if It is allowing access when the permissions are clearly set not to.

Have you checked permissions to see if there is HomeUsers group with read-access to all local users?

4

Windows explorer and powershell disagree with your statement. I’m not researching this, I am simply pointing out a vulnerability that can affect the file system on a compromised plex account:

  1. gain account access
  2. add library for desired folder (plex ignores permissions at the windows host level)
  3. toggle allow delete from plex
  4. delete from library
  5. lol all the way to the bank
5

Will have it looked into. Thank you. I do not understand why windows is allowing a process running in different user account access directories that account has no access to

6

Are you probably running Plex server as a system service?
And if so, did you choose the System account for it?

1 Like
7

yes, you’re correct. plex is using elevated credentials from the service account to browse the file system but shouldn’t be. administrator privileges should not be inherited by a user that is not an administrator. pretty straight forward.

8

If Plex is running under the system account, then it accesses the file system as such.
The proper way is to pick a regular user account (or create one especially for Plex).

Running Plex as System is pure madness.

2 Likes
9

this was an unmodified, normal course install. the installer requires administrator credentials to run. careful where you point the finger.

edit:

how the installer assigns how the service should be run is left to the development team.

i’m sure they will appreciate your leap to call out their madness.

in the mean time, it looks like you’re right. perusing my firewall, I am curious what the following talk backs are doing even though I opted out.

plex seems to want to know more about me than microsoft. oh i’m sure its secure. until its breached!

i will be uninstalling and saying goodbye. how anyone trusts this platform is truly madness.

10

God this platform sucks

I get an “Invalid password” error when I try to delete my account

ridiculous

maybe you can do some actual work and delete my account for me.

11

A normal install of Plex is not running under the administrator account. It is also not running as a system service.

Are you saying you did not use additional software to make Plex run as a system service?

12

I can see that you are not happy - but I have just done some testing and the results were as follows
I had Plex Media Server run as a Service with a plex account. The plex account was at this point an admin account, I changed the account type to be a normal user - non admin
I could still access paths within an admin account for which the plex account has no permissions

I then rebooted and tested running plex outside the service - I had no access to the areas the plex account did not have permissions

I then shutdown Plex Media Server and launched it as a service and that worked in same way - there was no access to the areas that the plex account had no permissions

See procmon capture

image
image943×530 122 KB

and Plex Web screen

image
image943×530 107 KB

It must mean that after changing the account type the service needed to be restarted

I do not know if your plex service account was an admin account before or not.

13

My earlier tests were for when Plex Media Server.exe is run as a Service.

I will test running an elevated installer for a manual install and launching at the end and also will test the auto updater through the Plex Updater Service to see if we have an issue there for systems where the Plex Media Server account is non admin account

14

I didn’t think you could run Plex as a service without additional software being installed? By default it just runs as an app, not a service.

15

That is correct - but there are many users that use cjmurph’s wrapper - see PMS as a service

I will be testing the auto updater with non-admin account later today

16

Yes, I’m aware of that wrapper (I use it myself) - just wanted to make sure the OP understood that the wrapper isn’t an official Plex component.

17

I do not even know if it is being used. I don’t think it was stated although there was a reference to a Service. Not clear if it is or if the reference was to the Plex Updater Service and auto updates causing the problem

18

I have done further tests supplementing what I already reported on here Plex ignores host OS account permissions somehow - #12 by sa2000 and I have not been able to reproduce the issue

The tests carried out

  • Stopped and Deleted the PlexUpdaterService to make sure we are starting afresh for the test
  • Uninstall Plex Media Server
  • Using a non-admin windows account run the installer for version 1.13.2.5156.
  • Give credentials for Admin account when requested to run the install
  • At the end of the install, clicked on Launch
  • Using Plex Web edited a library to attempt to add path for media in a Windows Admin Account - the user name directory was visible but no content.
  • I was not allowed to see any of the files within the admin account

I then did a second test - used Auto Updates through the Plex Web interface to download and install version 1.13.3.5223. On completion and auto launch of the new version, I was still unable to see any of the admin account directories

The only time the issue arose was when Plex Media Server was run as a service through a windows account that was initially an Admin Account but later changed to standard non-admin account - without restarting the service

Were you running Plex Media Server as a Service ? Were you making changes to the account type - switching from admin to non admin?

If you can reproduce the problem and provide us with logs and evidence that it is happening, I would be happy to look further

19

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.