Plex user is a "real" user...

server-linux

#1

I have an Ubuntu NUC which I just use as a Plex server, and when I installed Ubuntu on that I created a user named "plex", which is a full-fledged user with home folder, login etc. When I installed PMS of course the plex user was used as the user for PMS, but now I read that in the standard installation the plex user doesn't have a home folder in the /home path and doesn't have login.

Do you think I might have issues (security?) with my setup? It was quite convenient because I didn't have to fiddle with users and groups to access my data, being the only user of the server and logging in as "plex" user when I need to work remotely on the files. Oh and when I say "remotely" I mean from a ssh shell in my local network, I don't have plex remote access or ssh outside my home network enabled.


#2

If there is no access to your network from outside your home, that pretty much answers the security concern. The only issue with both having the name 'plex' (case sensitive) can come when the UID (user ID) and GID (group ID) associated with each also match.

You may use any username, including your normal username (just like I use 'chuck') to access and manage all my media files. The key is permissions. In Linux, it is very easy to make it so both you and Plex have the required access. I use my username 'chuck' to go to all of my machines. The file permissions I have defined let me work on anything, without needing 'root' access that I normally need to. There is no danger of me messing up Plex or any system files (default Linux security is doing its job).

The two important points to remember here are:

  1. You own all the files and can do anything as needed
  2. Plex can read anything it needs to play your media

To make this happen (you may need 'root' one time to complete this, but never will again), I will write the sequence as if you do need 'root'. Skip it if not necessary.

sudo chown -R your_username:your_groupname /each/top/level/media/dir

find /each/top/level/media/dir -type d -exec chmod 755 {} \;
find /each/top/level/media/dir -type f -exec chmod 644 {} \;

In practice, for me, this would be:

sudo chown -R chuck:chuck /syno/movies /syno/tv /syno/music
find /syno/movies /syno/tv /syno/music -type d -exec chmod 755 {} \;
find /syno/movies /syno/tv /syno/music -type f -exec chmod 644 {} \;
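A way to check the result of the commands above, added here as an example and not part of the original post. The function names `audit_media_tree` and `blocked_ancestors` are hypothetical; the second goes one step beyond the post by also checking the parent directories, since a separate 'plex' account cannot reach the media if any directory on the way lacks the world-execute bit.

```shell
#!/bin/sh
# Added example (not from the thread); helper names are hypothetical.

# Print entries under DIR ($1) that deviate from the 755 (dirs) / 644 (files)
# layout, or that are not owned by OWNER ($2, a user name or numeric UID).
audit_media_tree() {
    find "$1" \( \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \) \
              -o ! -user "$2" \) -print
}

# Print every directory from DIR ($1) up to / that lacks the world-execute
# bit, i.e. one that an account which is neither owner nor group member
# (such as a separate 'plex' daemon user) cannot traverse.
blocked_ancestors() {
    d=$(cd "$1" && pwd -P) || return 2
    while :; do
        find "$d" -prune ! -perm -001 -print
        [ "$d" = / ] && break
        d=$(dirname "$d")
    done
}
```

Empty output from both functions means the tree matches the layout and every parent directory can be traversed by Plex; each printed path is something to fix with chown or chmod.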

#3

Thank you for your answer, so if I'd decide to turn on remote access, I should change the plex user disabling the login option and create a new user for ordinary maintenance... or I'll just re-install Ubuntu (maybe the fresh 16.04 LTS) and do it the proper way :)


#4

If you do decide to enable remote access, I would do things the proper way. That said, you don't need to create a new user or reinstall Ubuntu.

If you want to change the text name, this is ridiculously easy >:)

As root, edit /etc/passwd and change the text name field and the home directory field... then change the directory name to match the new name and reset its password.

Example:
sudo gedit /etc/passwd

sudo mv /home/old_username /home/new_username

sudo passwd new_username
__enter_new_passwd_at_prompt


#5

I see, but a user named plex is still necessary (or is it not?), and default location of its home folder should be in /var/lib and not in /home... On the other hand if I want to remote ssh to my server then my user, be it named plex or whatever, will need to be able to login anyway. Oh well it's just speculation, with my <1Mbit upload speed using plex in remote is not a priority :D


#6

Yes, a user named 'plex' is required on the Plex host. That's why one is created. Its purpose is, by being a no-login account, to be the equivalent of any of the other daemon processes which run in Linux. They also have no-login status but have a defined username (makes debugging and security easy).

Yes, the default location is currently /var/lib. Putting it in /home/plex would a) imply login capability b) make it far too easy to wipe the database or otherwise lower the innate security level.

If I may recommend what I do:

  1. leave Plex as it is
  2. Move /var/lib/plexmediaserver to somewhere else ONLY if /var is very small on that machine (even an NFS location is doable)
  3. If I need to go into Plex's area and modify something, I do it as root. As myself, I can read everything already
  4. Set up whatever ssh accounts you wish, but try not to use the name 'plex' or 'Plex'. It really is asking for confusion/issue down the road. An example being on a Windows platform with user "Plex".
  5. Rely on traditional user/group/world permission bits to grant the appropriate level of access you need. They are the standard and have worked for a very long time.
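A check for the situation this thread is about, added here as an example and not part of the original posts: it reads passwd-format lines and reports whether the 'plex' account can log in, has its home under /home, or shares its UID with another account (the collision mentioned in post #2). The function name and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads passwd(5)-format lines on stdin and
# reports whether account NAME ($1) looks like a no-login daemon account.
# Returns 0 = locked down, 1 = findings, 2 = account missing.
audit_service_account() {
    awk -F: -v name="$1" '
        { count[$3]++; users[$3] = users[$3] " " $1 }   # track UID reuse
        $1 == name { found = 1; uid = $3; home = $6; shell = $7 }
        END {
            if (!found) { print "MISSING: no account named " name; exit 2 }
            bad = 0
            if (shell !~ /(nologin|false)$/) { print "LOGIN-SHELL: " shell; bad = 1 }
            if (home ~ /^\/home\//) { print "HOME-UNDER-/home: " home; bad = 1 }
            if (count[uid] > 1) { print "UID-SHARED: " uid " used by" users[uid]; bad = 1 }
            if (!bad) print "OK: " name " is a no-login service account"
            exit bad
        }'
}

# Constructed sample entries, not copied from a real system.
SAMPLE_DAEMON='root:x:0:0:root:/root:/bin/bash
plex:x:998:998::/var/lib/plexmediaserver:/usr/sbin/nologin'
SAMPLE_REAL_USER='root:x:0:0:root:/root:/bin/bash
plex:x:1000:1000:Plex,,,:/home/plex:/bin/bash'

printf '%s\n' "$SAMPLE_DAEMON"    | audit_service_account plex || true
printf '%s\n' "$SAMPLE_REAL_USER" | audit_service_account plex || true
```

On a live host the same function can be fed with `getent passwd | audit_service_account plex`.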

#7

What you outlined is exactly what I'd do if/when I'll have some time to dedicate to my server. Why do you say that having the plex library in /home/plex makes it easier to wipe the database? You mean if I do it by mistake while being logged as root? Actually I like the idea of having the plex folder away from /var/lib, that way if I need to reinstall linux I can ask it not to format /home folder, so it might be less easy to wipe it that way.


#8

If you're indeed coming at this from the 'reinstall linux' perspective, your point is completely valid. If I were to do that, I would do the following just in case I let something obnoxious into my system.

With Plex stopped:

  1. make and give ownership to plex for /home/pdir
  2. cd /home/pdir; (cd /var/lib/plexmediaserver ; tar cf - ./Library ) | tar xf -
  3. remove the other Library under /var/lib/plexmediaserver since it's all under /home/pdir/Library
  4. create a bind (cross-mount) in /etc/fstab to make it look like it's still mounted at /var/lib/plexmediaserver

     /home/pdir /var/lib/plexmediaserver bind defaults 0 0

     (Note: some systems seem to want 'none bind' and not 'bind defaults'. Fedora likes what I have)

  5. test the mount with 'mount /home/pdir' then go look in /var/lib/plexmediaserver
  6. if all is good, restart Plex.

Having gone through all that, why not have cron simply back up the database (using tar) and put it in your home dir on a weekly basis? Which is the ultimate 'reboot' or OOOPS protection :)

The crontab entry for root would be:

# Weekly backups (Sunday, 3:05am local)
5 3 * * 7             $HOME/Backup-Plex >> $HOME/weekly-backup.log 2>&1

The script $HOME/Backup-Plex (located in /root) would do the work:

#!/bin/sh
# Archive the Plex Library directory and hand the archive to your user
cd /var/lib/plexmediaserver || exit 1
tar cf /home/yourusername/plexbackup.tar ./Library
chown yourusername /home/yourusername/plexbackup.tar