Plex ignoring Synology "no access" permission

Server Version#: 1.16.3.1402
Player Version#:

Hi,

I’ve recently finished setting up a Plex server on my Synology DS213j and am about to make it accessible over the Internet. However, today I realised that Plex is able to access many different folders that I have not granted it access to. Notably the root “/” folder, and also a few other shared folders, where I have specifically assigned “no access” to them for the “Plex” user in the Synology DSM.

By “access”, I mean that I can navigate through the NAS file structure in the Plex web interface and see files that I’m not supposed to be able to see. I’ve no doubt that the Unix permissions will not allow me to do anything to these files via Plex, but I’d rather Plex obeyed these permissions properly. Anyone have any ideas on how to achieve this?

Are you updating from a pre-1.15.4.994 version?

If so, one required step after installing is to reboot.

Please read here for my complete post regarding this matter.

This having been said, as owner of the NAS, and administrator of the PMS server, you do need permission to see your way to navigate to where the media is?

There is a profound difference between seeing while navigating and user Plex actually being able to read it.

Thanks for the speedy reply!

Full history - I tried Plex on my Synology a couple of years ago but didn’t have much luck with it, so uninstalled. I’m now giving it another go and installed a couple of days ago, firstly from the Synology Package manager, then a manual install via the latest .spk file when prompted by the Plex web interface.

Admittedly, I hadn’t performed a reboot but I just have and the issue persists.

Point taken about not being able to navigate to my media, but I’d rather manually set what parts of my NAS file structure the Plex app is able to see in the DSM. I’d like to have just my media folder and the “Plex” folder for metadata etc.

Just checked the group permissions, and the user “plex” is in the “users” and “video” group - definitely not “administrators”. Have checked the plex process with htop and PMS is definitely running as user “plex”.

Here’s the problem;

On a Synology, your main access and where you store all your data is under /volume1 which you control through the Control Panel - Shared folders - Permissions tab. Should you have a larger model, or partition it differently, you might have /volume2 and/or /volume3. These are the Synology-assigned names for each logical disk group. These are shown to you in Storage Manager.

There is no user-data above these points. Everything is generic OS programs and data.
Everything on the Volumes is yours and completely under your control. If you don’t want Plex to see it, it can’t.

Where a misunderstanding often comes in is, just like Windows, sure you can see C:\Windows and read C:\Windows but would you put media in it? More importantly, do you see it from the Desktop? The answer is No. You see your desktop. You must specifically navigate to get to C:\Windows. Linux is a bit different and Synology’s implementation of their storage on Linux is grafted into the typical Linux hierarchical file system.

Windows always has devices at the top. There is no such concept in Linux. Everything is grafted into a hierarchy tree. This is why you see /volume1 represented as it is.

Because you need to be able to tell Plex where you store your media, You, as machine admin, must be able to navigate to the correct folders. This is why you see the operating system’s folders as you browse down to where your media is.

On DSM, you see your Volumes from the Desktop. The entire OS around it is hidden. Synology wrote very DSM-specific code to do that. Plex will run on any Linux machine. It cannot make any assumptions.

This isn’t a problem of security or ignoring permissions.

DSM set the permissions so all applications can read the OS directories. Without this, DSM would not run.

With respect to all your user data (which is what is important here), I have reduced PMS to the absolute minimum permission level. It is a ‘generic user’. Your DSM sign-in has more permission than the Plex user (when PMS starts).

Those operating system folders you see as you navigate down to /volume1 are so small, you can’t fit a video file in them.

Please accept this is the nature of Linux.

Thanks again for your detailed explanation. I can accept seeing the system files as a consequence of needing to “drill down” to my correct media folder location. There are also no DSM accessible permissions for these system file locations so I can see past it.

However, I am still able to navigate through (down to file-level) almost all of my shared folders via the Plex web interface - even the ones that I have specifically granted “no access” to in the DSM.

An example - I set my shared folder “Backup” to “No access”, then rebooted my DSM. On reboot I am able to navigate all the way through the “Backup” folder hierarchy in the Plex web interface and even successfully set it as a media source. I can then play the media files found:

By what I have read of your posts I’m sure this shouldn’t be happening.

Since you seem capable of going into /volume1,

Please show me the (ls -la) directory listing of /volume1, specifically the part where /volume1/Backup is in the shell output.

Something / someone mucked with your permissions. I cannot recreate it.

Please observe.

  1. Share with Plex as No-Access

  2. Files copied by me into the share

  3. Defining the music library to point to there

  4. Nothing found

  5. Log file showing PMS is expressly denied permission by DSM.

Aug 11, 2019 13:53:26.214 [0x7f610140d700] DEBUG - Request: [::ffff:192.168.0.12:37394 (Subnet)] GET /services/browse/L3ZvbHVtZTEvRGVtbw==?includeFiles=1 (9 live) TLS GZIP Signed-in Token (ChuckPA)
Aug 11, 2019 13:53:26.215 [0x7f610140d700] DEBUG - DirectoryBrowser: Decoded [L3ZvbHVtZTEvRGVtbw==] to [/volume1/Demo]
Aug 11, 2019 13:53:26.215 [0x7f610140d700] ERROR - Error listing directory [/volume1/Demo] - boost::filesystem::directory_iterator::construct: Permission denied: "/volume1/Demo"
Aug 11, 2019 13:53:26.215 [0x7f611949d700] DEBUG - Completed: [::ffff:192.168.0.12:37394] 200 GET /services/browse/L3ZvbHVtZTEvRGVtbw==?includeFiles=1 (9 live) TLS GZIP 1ms 429 bytes (pipelined: 7)

Are you editing the permissions for user Plex or the share’s permissions?

Don’t edit user Plex (which is what your screenshot seems to be showing)

Edit permissions at the Per-Share level. Control Panel - Shared Folders

Hmm… I was editing permissions on the plex user level as it was more convenient than going into each share separately. Aren’t these both achieving the same thing?

Either way, I reset the settings on the user level to no selection, and then set “no access” to “Backup” on the share level as you suggested. I then rebooted and added the source to Plex as before (this time with a different subfolder) and got the same result as above - Plex was able to read the media and play it.

ls -la output clipped below. Let me know if you want an expanded view. Thanks again for your help with this.

I think I may well have found a solution to this problem - nothing to do with Plex. It turns out that some of my shared folders hadn’t been converted to use ACL permissions, so the “per-user” permissions that I’d been applying were having no effect. What was confusing things is that some of the folders were using ACL - I guess they were the ones that I’d added more recently and the older ones were the non-ACL. Note in the terminal output above some of the folders have a “+” after the permissions and some do not.

Some info here: https://github.com/SynoCommunity/spksrc/wiki/Permission-Management#enable-acl-support

So apologies for wasting your time with this @ChuckPa - you did get me on the right track though!

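An added example (not from the thread, Plex or Synology): the check described in the post above, reading `ls -la` output and listing directories whose mode string lacks the trailing "+" the poster noticed. The sample listing and folder names are constructed, and skipping `@`-prefixed system directories is an assumption.

```shell
#!/bin/sh
# Added example: flag shared folders whose `ls -la` mode string has no
# trailing "+" (no ACL), the case the poster found per-user settings ignored.

# Constructed sample listing (not the poster's output); names are illustrative.
sample_listing() {
cat <<'EOF'
total 48
drwxr-xr-x  12 root  root   4096 Aug 10 09:12 .
drwxr-xr-x  24 root  root   4096 Aug 10 09:01 ..
drwxr-xr-x   5 root  root   4096 Aug 10 09:12 @appstore
drwxrwxrwx   9 root  root   4096 Jul  2 18:40 Backup
d---------+  4 root  root   4096 Aug 11 13:50 Demo
drwxrwx---   6 root  users  4096 Jun 15 11:05 Old Photos
d---------+  7 root  root   4096 Aug  9 20:31 video
-rw-r--r--   1 root  root    120 Aug  1 10:00 notes.txt
EOF
}

# Reads `ls -la` output on stdin; prints "<name><TAB><finding>" for each
# directory without an ACL marker. "world-readable" means the "other" bits
# allow listing and traversal, so any local account can browse the folder.
audit_listing() {
    awk '
        $1 !~ /^d/ { next }              # directories only
        $1 ~ /\+$/ { next }              # "+" suffix: ACL in force
        {
            # Rebuild the name from field 9 onward (names may contain spaces).
            name = $9
            for (i = 10; i <= NF; i++) name = name " " $i
            # Assumption: "@"-prefixed entries are system directories, not shares.
            if (name == "." || name == ".." || name ~ /^@/) next
            other = substr($1, 8, 3)     # permission bits for "other"
            finding = (other ~ /^r.[xt]/) ? "no-acl,world-readable" : "no-acl"
            printf "%s\t%s\n", name, finding
        }'
}

# On the NAS itself: ls -la /volume1 | audit_listing
sample_listing | audit_listing
```

Folders reported as `no-acl` are the candidates for the ACL conversion described at the link in the post above.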

PMS doesn’t use ACL permissions.

DSM asserts database-driven permissions in the RAID volume access manager.
