Should I use setfacl to give plex access to media/content or change the Linux user that plex runs as

All of my media content is in /home/media and owned by media:media. By default, PMS runs as plex. I have three options for making sure PMS can see content:

  1. Use setfacl to give plex default access to /home/media (permissions - linux/setfacl - Set all current/future files/directories in parent directory to 775 with specified owner/group - Server Fault)
  2. Change the user that PMS runs as from plex to media (Customizing your Plex configuration)
  3. Change all my media content ownership to plex:plex

I’m curious what folks think/feel is the best option?

I don’t want to chmod anything.

For the record, media:media is not my main user. I have another user for that. media:media just has the media content stuff.

Better solution: Move your media to a different location. Anything in /home is going to cause long-term headaches. Create a new /multimedia directory or similar and move it there.

In my case, having my media in /home won’t cause an issue.

Even if I move it to a new path, I still have to figure out how to give plex access to it.

Do you use the media user for anything else other than to own the files? Because if that’s the case just remove that user and chown that whole home directory to be owned by plex:plex instead.

That’s what they all say. Just don’t do it.

The issue is how Linux deals with permissions and will sometimes just reset/remove them.

That’s the ID all my downloaders use. I could, I suppose, have them use plex.

Can you give me an example of an issue I might have? /home/media is only used by media downloaders and Plex. media and plex have no access to anything outside of /home/media. So what could go wrong?

I basically mount my big disk (4 TB) as /home so all my user files are created in it. This is because I have some automatic backups of my big disk.

Often Linux will change permissions/block access to files in other /home folders. This could be during an OS upgrade/update or just random. I’ve seen it happen fairly frequently in threads on this board.

There are ways to mitigate that, but those can cause additional issues (See threads about constant scanning).

@dbirch So I didn’t share the full story cause I didn’t wanna create confusion. I know my setup is a bit absurd but I have my reasons (below).

  • My daily driver is Linux (Debian + KDE)
  • My OS is installed on a 256 GB SSD NVMe
  • /home is a 4 TB SSD
  • (There is a regular job that backs up everything in /home to a few places)
  • My main user on it is me:me (1000:1000)
  • Plex is installed directly on the box running as plex:plex
  • I have created a folder /home/media owned by me:me
  • All of my media/content is in /home/media
  • I have a media VM running on it
    • The VM has one main user: media:media (1000:1000)
    • I’m using a filesystem share in libvirt to share host:/home/media with the VM such that vm:/home/media is actually host:/home/media
    • The media VM is where all my downloading happens
    • The media VM does everything as media:media which is 1000:1000
    • This means when the media VM downloads something to vm:/home/media, me@host (also 1000) can access it via host:/home/media.
  • I don’t want Docker/containers
  • I don’t want to buy another computer
  • I don’t want to run all the media downloader stuff on my bare metal

Everything works great. The only issue was how to get plex access to /home/media.

Have you considered ----

  1. In the VM, you set perms “755” (which mask to 644 for files)
    -and/or-
  2. On the native host, you set setgid inheritance (‘g+s’) and set it the first time
    – From that point forward, anything written will receive permissions of the parent (which you’ve set)

FWIW: I hate docker. I do use LXC. The power of a full host without the overhead of a VM :slight_smile:

Using setfacl should be perfectly acceptable in this case. The example you linked applies permissions specifically for a group; however, you could instead set them for just the plex user by using u: instead of g:. I generally use that form unless I know for certain that either I’ll never add any additional users to the specified group or, if I do, that they should also have access to the resource.
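
The per-user grant described in the post above, as an added example that is not part of the original thread: it gives only the plex user read access to /home/media (names taken from the thread), adds a default ACL so new downloads inherit it, and checks that the ACL mask has not cut the grant down. The helper names `run`, `grant_read` and `effective_perms` are made up for this example, and the script only prints the setfacl commands unless APPLY=1 is set.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Directory and user follow the thread's names.
MEDIA_DIR="${MEDIA_DIR:-/home/media}"
SVC_USER="${SVC_USER:-plex}"

# Print each command; execute it only when APPLY=1 (dry run by default).
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '+ %s\n' "$*"; fi; }

# Grant one named user read access. rX = read, plus execute only on directories
# (and files that are already executable), so media files stay non-executable.
grant_read() {
    local user="$1" dir="$2"
    run setfacl -R -m "u:${user}:rX" "$dir"      # existing files and directories
    run setfacl -R -d -m "u:${user}:rX" "$dir"   # default ACL, inherited by new entries
}

# Read `getfacl` output on stdin and print the effective permissions of the
# named user's access entry, i.e. the entry ANDed with the mask. A chmod that
# changes the group bits of a file carrying an ACL rewrites the mask, which can
# silently reduce what the named user really gets.
effective_perms() {
    awk -F: -v u="$1" '
        /^default:/ { next }                     # skip inheritable (default) entries
        { sub(/[ \t]*#.*/, "") }                 # drop headers and "#effective:" notes
        $1 == "user" && $2 == u { entry = $3 }
        $1 == "mask"            { mask = $3 }
        END {
            if (entry == "") { print "none"; exit }
            if (mask == "") mask = "rwx"
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(entry, i, 1)
                out = out ((c != "-" && substr(mask, i, 1) == c) ? c : "-")
            }
            print out
        }'
}

grant_read "$SVC_USER" "$MEDIA_DIR"
# After an APPLY=1 run, verify with:
#   getfacl -p "$MEDIA_DIR" | effective_perms "$SVC_USER"
```

A result other than `r-x` on a directory (or `r--` on a file) means the entry is missing or the mask is masking it.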

Damn you. I had not considered that before. Now I’m tempted to look into it.

One of my issues with Docker is it mucks with iptables. I will look into LXC.

Yeah. That’s what I’m gonna do I think. And yes, I will do it just for the plex user.

I would look into LXC.

If an old dinosaur like me likes it and can use it – it must not be that bad :rofl:

Not to contradict others – FACL is not “linux” (even though it got added …yuck)
UID/GID & groups – the only way to do it

:rofl:

And yet you went ahead anyway :upside_down_face: .

Sometimes the best solution isn’t to do what you’ve always done, but to use the most suitable tool available to you for a specific task. ACLs have been present in Linux for more than twenty years at this point; learn to use them or don’t. They’re very expressive and granular, and suitable for some situations where traditional ownership and permissions just don’t work. For example, allowing access (or specific types of access) without changing user/group ownership.

Isn’t that my job?

:rofl:
