Proper Permissions & Ownership for Synced Directories on Linux Machine

Plex Media Server Desktops & Laptops
1

I am very inexperienced when it comes to using a command-line interface, Linux, and the concept of file and folder/directory permissions (among many other administrator-type things).

I have a server machine running Ubuntu Server that I used in the past to run game servers, and I would now like to put a Plex server on it for 24/7 access to my media library.

Every time I want to do something new with that machine, I research online, try to make sense of what I find, and write out all the steps I take so that I will be able to easily repeat them in the future. I just like to get things running and then leave it alone – I don’t have a good brain for command-line computing. I basically write a script (instructions) for myself to follow to set things up, and then follow that script every time I need to do it again. …But it’s OK, because I wasn’t trying to impress you anyway!

This time around, in addition to writing instructions for installing the Plex server, I am also adding instructions to make the machine as secure as possible. This includes establishing proper directory permissions, and I just can’t wrap my head around how it works and what is the best thing to do.

I had initially planned to restrict access to the Plex media directory to just my own user account, but now I am thinking that would block Plex and other programs from accessing those media files. I am not sure how exactly permissions work. If I run a program myself, does it have permission to access all the same files and directories as my own user account? Or do I need to run it with “sudo” privileges? What about a program/service that runs on its own at startup?

In at least one guide I found online for installing Plex, the author said I need to change the owner of my media directory to the user named “plex”, and also all of its subdirectories (by running sudo chown -R plex: [media directory] ).

I am afraid that if the “plex” account is the owner of the entire media library, I will no longer be able to access the media files and subdirectories myself, nor will other programs.

I previously used a program called “Syncthing” which worked really well for syncing files and folders/directories between my PC and server machine. Syncthing would be perfect for my Plex media library – I could just add files and folders to the media library on my PC and they should automatically appear on my server machine via Syncthing. And vice versa. It’s like Dropbox minus the cloud storage (and thus no storage limit other than hard drive size).

I am worried that if I change the ownership of my media library to the “plex” user, as it said to do in the guide I found, Syncthing will not be able to sync the files and directories, nor will I be able to access them myself. …But I really have no idea how any of this works and haven’t tried it yet. (I don’t even have an organized media library yet, nor have installed anything yet. Still writing my instructions.)

I suppose I could set the permission of the media directory so that ANYONE has full permission to access its contents, including Syncthing and myself, but my research seems to indicate this is not a good idea in terms of security. I don’t know what permission level is appropriate for the media library directory – I had initially figured 700, to restrict access to the owner. But if Plex, Syncthing, and myself all need access to the directory, and just “plex” is going to be the owner, I am not sure what to do.

I don’t even know if Syncthing has its own user account by default, like Plex apparently does, which I could perhaps put into a group with the “plex” user and then somehow give that group ownership of the media library directory. But then would I be able to access the contents myself, since my own account is no longer the owner, or do I need to add myself to the same group along with the “plex” user and “syncthing” user?

Or, will I be able to access the contents of any directory I don’t own by typing “sudo” in front of cd, or when running a program that needs to access those folders? Or does my account have special privilege already, without typing “sudo”?

If I use “sudo” when I run a program, does that give it access to any directory on the machine? Is that a wise thing to do? What about programs/services that run at boot – how to I ensure they have access to a directory that is not owned by the program’s own user account?

Furthermore, I don’t know what happens with newly added content AFTER the “plex” user becomes the owner of my entire media library and all its subdirectories. Every time I add new content to my media library, which would normally be via a Syncthing transfer from my PC, do I have to “chown” that content to the plex user again, every time??

There are clearly some basic thing(s) I don’t understand about file/directory permissions and how they affect the operation of programs, and I am having a hard time figuring it out on my own.

My goal is simply to maximize security or follow best practices while allowing Plex and Syncthing to run smoothly, and to be able to access the media directory and files myself when necessary.

I could probably tinker and figure some of this out for myself, but I don’t have a clear sense of what I am doing. And I don’t know what is best practice, what is normal to do, or what potential problems could arise down the road from my decisions.

I’d just like to get it right the first time, set it, and forget it.

It should be an awesome setup, using Plex with Syncthing.

I appreciate any help. Thank you!

2

You have said many things in this post and, unfortunately, have been reading some very bad advice from people who do not themselves understand Linux. This having been said, 90% of them are useless and/or just wrong.

Let’s set some basics.

  1. Linux is strict about permissions.
  2. Linux will not let another user (e.g. Plex) see/touch your files unless you allow it nor will it let you see/touch its files without being expressly allowed.
  3. Each username on Linux is isolated from other other usernames unless configured otherwise (permissions set to allow sharing of files)
  4. The media is your media, it’s not Plex’s media. You OWN it. Plex gets to READ it.
  5. Linux permissions work in 3 classes: Owner-Group-Everyone
    a. As owner, you typically get to do anything you want (R/W)
    b. You, as owner, specify what you want those in your user Group to do. Since most Linux systems are single user, this is largely unused so it’s free to use if you want for something like DVR
    c. Everyone else can do what you allow. In Plex’s case, it only needs to READ the media. This falls into the “Everyone” class.

Since this is all new to you, I suggest you take small steps.
We will help you with Plex on Linux while you’re learning Linux.

How you set your media up is very simple:

  1. First and foremost, have it accessible to you with you as the owner. You have full, unrestricted access to your media.
  2. Next we grant user plex permission to read all the media.

Gnome Nautilus (the file manager) causes the most problems for new users. Unless handled by the system, it mounts all disks found under /media. It also makes everything found exclusive access to you (Plex can’t access it). Knowing this, you must make your media available elsewhere.

I mount NAS media on /nas and local disks on /disks.
I set those permissions up and then all is good.

Generally:

  1. Make required directories under /disks or /nas
  2. Setup the mounts and activate them in /etc/fstab
  3. With all active, set the permissions. (using my configuration as example)
    a. sudo find /nas -type d -exec chmod 755 {} \;
    b. sudo find /nas -type f -exec chmod 644 {} \;

Now you have permission to RW without interference (the 7 and 6 values.
Plex has permission to read directories (5) and files (4).

3

Thanks!

Just to make sure my understanding is correct, here is my interpretation/analysis/summary of what you wrote:

  • In my case, I plan to keep my media library on a second internal hard drive. I should manually create a directory on the primary drive for mounting the second drive, instead of using the one automatically assigned by Ubuntu, so that I can control permissions manually. Your recommendation is to create a directory named “disks” in the root directory and then mount the drive to a subdirectory within that directory. And then edit the “fstab” file to allow automatic mounting at boot.

  • I should keep myself as the owner of the Plex media directory and all of its contents – NOT change the owner to the user named “plex” – because I can simply grant read permissions to all users including plex.

  • For the media directory and all subdirectories (excluding files), I should grant “read” AND “execute” permissions (together represented by the number 5) to all users (plex included), but NOT “write” permission. (For directories, “read” permission means the user can view the contents of the directory, but not open/modify/create/delete any files; and “execute” additionally grants permission to read file contents and metadata but not modify them.)
    The command for this is:
    sudo find /disks -type d -exec chmod 755 {} ;
    (assigns myself full control of the “disks” directory and all subdirectories, and everyone else read/“execute” access)

  • For the actual media files, Plex does not need “execute” permission, nor do I need it myself, so I should grant only “read” permission to all users (and additionally “write” permission to myself).
    The command for this is:
    sudo find /disks -type f -exec chmod 644 {} ;
    (assigns myself read/write access to all files within the “disks” directory/subdirectories, and everyone else read access only)

Notes:

  • I posted similar questions on the Syncthing forum, and it sounds like Syncthing can be used with its own user account (similar to Plex or perhaps any other program), but the “syncthing” user is not necessarily created automatically. Apparently it depends how I go about installing it. I will research this further.

Questions:

  • Every time I (or Syncthing) adds new media files and directories to my media library, will I have to repeat the two commands listed above to modify the permissions for the new content?

  • It seems that if I run Syncthing manually, it inherits my user status and thus my owner permissions. Is this correct? (Is that true of any program run manually via the command line?) Since Syncthing will require write access for my media library, I need to have a way to give it write permission.

  • Does running a program with the “sudo” command have any effect on the program’s ability to access restricted files and directories? (Just curious.)

  • If I go with your suggestions of giving “everyone” permission 5 for directories and permission 4 for files, will the lack of write permission block Syncthing from being able to sync files to my media library? (Unless I started Syncthing myself from the command line?)

  • By giving “all users” permissions 5 for directories and 4 for files, is that sufficiently secure? I don’t necessarily want “everyone” to be able to read my media files, but I am the only human user on the machine. I assume my system would need to be hacked (or physically compromised) in order for someone other than me to read the files, despite having allowed read access to “all users” – correct? Because the system appears to require someone to log in with a user password before they can do anything else on the machine… correct? What if the hack is conducted via a breach in one of my active servers?

  • In the event that my system IS hacked, is there any value in having more strict permissions on those files as an additional obstacle for the hacker? (For example, putting permission 0 for everyone, and then giving a plex / syncthing group read access to the files/directories, or something along those lines?) Or would it be useless to do so; if my machine is hacked, does that imply that the hacker already has access to my owner privileges and/or sudo privileges, and therefore me having restricted file/directory permissions would not pose an obstacle?

  • My last question is: When Ubuntu is used to change ownership of files and directories on a drive and/or change permissions, and then I remove that drive and connect it to another machine, do the owner and permissions still apply on the other machine? For example, if I pull out the drive and connect it to my Windows PC, will I have any trouble accessing the contents? (If I remember correctly, sometimes when connecting a drive from another Windows PC, I am prompted to give administrator permission to allow myself access to the old user’s files on that drive. Will something like that happen?) I plan to use the NTFS file system on the partition that will contain the media library, and I’m just not sure if file/folder permissions are recorded in the NTFS file system or in the Ubuntu operating system, and am not sure if they carry over when the drive is moved to a new machine.)

Thanks again!

4

In light of your security concerns,

  1. Create a “media” group who will have access to the media.
  2. Add yourself and Plex to this group
  3. If you want other programs to have access (which run under separate usernames), add them.
  4. How to control the permissions and have it self perpetuate (which you saw immediately), is problematic unless you use SUID and SGID bits. This is an incredible capability of the kernel and from what I can tell by your questions, will solve the maintenance issue.
  5. Other machines won’t know about UID/GID unless you so assign them.
  6. Use of NTFS negates any sense of security/access control. The kernel’s NTFS driver presents all files with 777 permissions. The best course of action here is to convert NTFS drives to ext4 and present those directories to the network as SMB (Samba) shares if remote access is needed.
  7. Lastly, if your system is hacked, you have a bigger fish to fry. Which barn door did you leave open? Linux can and does support thousands of concurrent, individual users with absolute security (no one user can see another). The supercomputer system I used to use had some 15,000 concurrent users. For another user and I to share files still required permission from the administrator. He had it locked down that tight. Windows has no such concept. If you have the access to the machine, everything in it is yours. It doesn’t even support more than one user signed in at a time.

Please ponder what I’ve shared. I’m sure I’ve left some things out and introduced other points.

5

Thanks Chuck. Very interesting about NTFS.

  • To keep it simple, perhaps I do not need to be worried about restricting permissions on my folders at all. I am the only human user and always will be. With only one human user account, is it correct that the only way ANY files could be accessed is either by logging into my account or via a hack?

  • If my machine is hacked, do file/folder permission restrictions provide any protection anyway? If not, perhaps they are unnecessary. I don’t really have a sense of what “hacking” entails – perhaps exploiting a security hole in one of my game servers or other servers? I am setting the firewall to “default deny” incoming traffic and only allowing my servers through.

  • The second hard drive is a brand new drive with nothing on it, so I could easily format it as ext4. But I read that ext4 may cause problems if I or a family member wants to connect the drive to a Windows machine in the future to access the contents. They may not know they need a third-party program to read ext4 in Windows.

I am wondering if file/directory permissions are of any use at all in my case, since I am the only human user. I don’t need to worry about protecting my files from other legitimate users, because there aren’t any. My only concern is buttoning things up as much as reasonably possible for the possibility of a hack. So I’m wondering if file/directory permissions would do anything to stop a hacker who has already gained control of the machine.

It looks like there might actually be a way to mount NTFS with permissions, described here:
https://wiki.epfl.ch/icit/kb/linux-mount-ntfs-with-permissions
but maybe I don’t even have to worry about it.

6

If you are the ONLY user (which most are),

  1. Take a breath
  2. Relax
  3. Take another breath.

Running Linux isn’t like running windows where you get hacked all the time. The only Linux hacks I know of are 100% targeted for a specific system and it had to be run as the administrator. That’s the beauty. As a normal user, you can’t hurt it.

Go ahead and use Inheritance as I show. It takes the drudgery out of maintenance.

Relax, and Enjoy.

7

Thank you for dispelling my misconceptions! If Linux is unlikely to be hacked, I probably do not need to worry about permissions because I am the only human user, and can just use NTFS on my media drive without permissions, for convenience. That appeals to me more than trying to figure out how to create a syncthing user and trying to keep track of file and folder permissions. Simplicity has value in my case.

Here is a link to my post on the Syncthing forum, for any readers who are curious:

8

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.