Plex Media Server security changes for Synology users

Community Announcement - Synology users - Security update.

Server Version#: Plex Media Server 1.15.4.994 and above

By popular customer request and to improve the safety of your media, we’ve made a small but visible change to what PMS can do on your NAS by itself.

We have removed user plex from the administrators group. This was a holdover from DSM 5.2 when it was required for PMS to run properly on the NAS.

Now, with DSM 6 and above, this is no longer required.

By doing so we’ve lowered Plex’s privilege level back to that of any normal username on your Synology. You, as administrator (admin user), are in full control over those share(s) PMS can access and, consequently, must grant all access permissions to your media via the Control Panel (Shared Folders) app.

The benefits are:

• User plex is a normal user, just like any other user account you create in DSM. No special privileges of any kind with exception of being a member of the video group so it can still access Hardware Accelerated Transcoding on those Synology models which support it.
• Your media now has an extra layer of protection from accidental deletion / modification.

The repercussions of this change are:

• Plex will no longer be an administrator. While it never actively used that capability, it had the privilege.
• Any share which previously had access through the admin/administrators connection, need to have correct permissions assigned. Your media in those shares is Unavailable until you grant permission again.
• Those customers who unwittingly did make use of this privilege level, now find themselves with “Permission Denied” errors or see Unavailable as well as the inability to access their media shares in Plex (DVR, etc)

What you need to do:

1. Open Control Panel

2. Click Shared Folders

3. Do the following for each of your media shares

• Highlight one media share
• Click Edit
• Click the Permissions tab
• Check the box for Plex and give it access to the share at whatever level you like.
• Save the changes.
• Now repeat the above sequence for each of your media shares in use by Plex.
• Upon completion, restarting Plex makes certain it sees everything correctly and no secondary issues exist.

4. After upgrading PMS to this version, Restart your Synology NAS when complete. This allows DSM to reset user Plex where it belongs. Before restarting, you can edit the permissions (as shown above) so Plex starts cleanly at reboot.

To explain the permissions needed depending on how you use Plex:

R/W (read/write) lets PMS (DVR and media optimisation) write into your media folders.

R/O (read only), only lets Plex read your media. This is the safest and best practice.

When you install PMS 1.15.4.994, you should see this image for each of your media shares. Plex has no permission to the share.

Default-DSM-Permissions-Upon-Plex-install861×581 25.8 KB

Setting Read-Only is the safest practice.

Plex-Permissions-Read-Only868×576 25.3 KB

PS: I apologize for the update having been released before this announcement and any inconveniences it may have caused.

Additional benefit to using Read Only media shares.

By leaving your main media library as Read Only, only you can change them. Plex cannot touch them in any way.

This only seems problematic at first should you want to optimize the media or have a place to store temporary DVR recordings.

Since Plex allows multiple folders to be included in a library section, the solution is quite simple.

1. Leave your main media library as Read Only
   a. Nothing can delete your media except you
   b. Even if you enable media deletion in Plex, Read Only shares cannot have content deleted.
2. Create an Optimized or Recordings share
3. Give user Plex permission to Read/Write this new share.
4. Add this new folder to your existing list of folders for the library section.

Now, when you optimize a movie, point Plex to the “Optimized/Movies” folder.
Your original is held pristine. Your Optimized is separate.
There is never any danger of a TV or device app deleting your master copy.

Here is how it looks.

1. Shared folder Optimized
   

   

   Screenshot%20from%202019-05-10%2016-31-04865×573 26.7 KB

2. Movies folder in it for optimized movies to be stored.
   

   

   Screenshot%20from%202019-05-10%2016-30-34910×550 25.5 KB

3. Permissions of your master Movies share
   

   

   Screenshot%20from%202019-05-10%2016-31-29865×575 25.8 KB

4. Bringing it all together in Plex
   

   

   Screenshot%20from%202019-05-10%2016-25-41732×540 29.8 KB

Please don’t hesitate to ask if you have any questions about how to use this to your advantage.

12 May 2019

The feedback received thus far about this change indicates the reasons for it remain unclear.

Some problems faced by customers and reported to Plex were:

1. Clicking delete from a Plex application (on the TV for example) would result in accidentally deleting the master version of the media instead of the optimized one because both master and optimized were co-located.

2. Security & privacy minded customers were uncomfortable with Plex ‘having free reign’ to all files on their NAS. While this privilege did exist, Plex didn’t know what to go look for unless the shared folder was listed.

3. DVR-recorded content being written adjacent to the original/master files for that content resulting in mixed resolutions, quality levels, and sometimes languages.

Analysis of the reports above, followed up by discussions with those impacted customers, concluded:

1. Customers needed a way to help them protect their media from those they shared with as well as their own ‘fat fingers’ in those moments media was deleted. This provided by “Read Only” permission for the particular media shared folder.

2. Addressed and accommodated the security concerns by removing the final piece of DSM 5.2 backward compatibility from the package installer.

3. Supporting the curation of media could be made easier and cleaner by supporting and enforcing a “master copy goes here and optimized version goes there” structure for those who wished it without impacting those who have no need or desire to manage their media in this manner. This is now possible by having ‘split’ shared folders; one with R/W and one with R/O permission and listing both the R/O and R/W folders in the list of folders used for the library section in PMS.

Lastly, input from our customer support team showed where some customers were uncertain how to best use the NAS for their media. While everyone can use it however they deem appropriate, some common elements were observed:

• Is it ok to put files in the Plex share? (a common mistake)
• Should I put all my media in the same folder?
• How do keep my stuff from being deleted but still be able to delete the DVR recordings ?

This brings us to the last visible change in PMS 1.15.4.994 on Synology (aside from Plex features themselves):

Everyone will find six (6) zero-length files in the Plex share. These files are a reminder to not place media in that share.

The share is intended for Plex use only to store your media metadata. By making this share visible in File Station,

• Provide easy access to create a ZIP of the Logs directory for diagnosing those extreme cases where PMS won’t start.
• Making a backup of your Plex metadata is easily accomplished by making a ZIP file of the Library directory at the top level when PMS isn’t running.
• Diagnosing difficult problems is easily handled by saving the current configuration (Library), renaming it (Library.keep), and creating a new temporary test server instance. When all has been resolved, the original can be safely restored without ill effects.

This How-To is still in draft form and may need slight corrections but details how to use split-folders when optimizing media

Media previously optimized as well as freshly optimized media can be intermixed safely as long as the original library section boundaries are preserved.