Which user rights should the built-in 'plex' user have?

When someone installs the Plex Media Server (PMS) inside Synology DSM it automatically configures an account called ‘plex’. What are the bare minimum access rights needed by this account to work properly? Does it need admin role or just user role? Can I set NA to all folders other than ‘/Plex’ and ‘/media’, the first one being the PMS install folder where all the files are stored and the second being the folder where I store all my media (series, movies, animes, etc)?

Perhaps I should just create a new role called ‘Plex’ and allocate the ‘plex’ account there setting all the rights/blocks needed, other than having this account inside user role? This would make sense as my user role allows R or R/W on a bunch of folders and Applications access that don’t make sense for the ‘plex’ user.

On a last note, what does this ‘plex’ user do, what is it used for?

Thanks in advance!

User “plex” is just a user. There is no need to do anything special for Plex to run on a Synology NAS other than give user “plex” permission to read your media shares.

The Control Panel GUI which gives share permissions may / may not let you grant read-only via ‘custom’. You’re completely safe to use Read-Write if you don’t enable ‘media deletion’ in the server itself.

What it does: it’s just a ‘dumb’, non-privileged user account to run the server on (as a service app). Nothing more… It can’t be logged in to.

@ChuckPa said:
User “plex” is just a user. There is no need to do anything special for Plex to run on a Synology NAS other than give user “plex” permission to read your media shares.

The Control Panel GUI which gives share permissions may / may not let you grant read-only via ‘custom’. You’re completely safe to use Read-Write if you don’t enable ‘media deletion’ in the server itself.

What it does: it’s just a ‘dumb’, non-privileged user account to run the server on (as a service app). Nothing more… It can’t be logged in to.

So, the plex user doesn’t even need R/W on the /Plex folder, just my /media? When I put some new media files inside /media PMS starts scanning and adding subtitles, titles, background, etc, the one who is writing all this data on disk is the plex user, right? Also, where is this data stored, inside /Plex or /media?

DSM CP allow me to set those custom rights without problems, I’ll set R/W on /media, I just want to set NA to all other folders and remove any Application privileges, because that makes more sense for me.

Regarding media deletion, I saw that option but didn’t quite understand it, it says “The owner of the server will be allowed to delete media files from disk.” – what the Server means by owner, is it the plex user?

You (your plex account name), when you are signed into your Plex.tv account. When signed in, then you are the ‘owner’. If you sign out and back in as someone else, or don’t sign in at all, then you can’t delete the media, even if deletions are enabled.

Plex will keep its “Library” in the Plex share. EVERYTHING Plex knows about your media is there.

The folders (/volume1/sharename) you give it? Those are read-only unless you granted yourself the permission to delete ^^.

The user ‘plex’ is only to satisfy the Linux requirement for a username. Linux is a full multi-user system with proper multi-user security. This is why you have the ability to control access so easily. (it’s also an annoyance at times in that you have to remember to give permission too)

@ChuckPa said:
You (your plex account name), when you are signed into your Plex.tv account. When signed in, then you are the ‘owner’. If you sign out and back in as someone else, or don’t sign in at all, then you can’t delete the media, even if deletions are enabled.

Plex will keep its “Library” in the Plex share. EVERYTHING Plex knows about your media is there.

The folders (/volume1/sharename) you give it? Those are read-only unless you granted yourself the permission to delete ^^.

The user ‘plex’ is only to satisfy the Linux requirement for a username. Linux is a full multi-user system with proper multi-user security. This is why you have the ability to control access so easily. (it’s also an annoyance at times in that you have to remember to give permission too)

Oh ok, so whoever is logged in would be the owner and would be able to delete the media within PMS Web GUI, but under the hood the one who is doing the rm -rf media-file is the plex user, right?

My /media folder is R/W for plex and my admin account (so that I can actually put the media files in there…), users have only R access to it, because there are times they would need to access the media files directly and not through PMS Web GUI, I’m working on that so they won’t need to do this, hence I would set NA inside /media for everyone but admin role and plex.

If under Settings - Server - General, the server is Logged-in with JCChristian’s Plex username/password, JCChristian is the owner.

Then later, if User JCChristian (same user/password) comes in and commands something, Plex will acknowledge him as owner.

I went so far as to make shares for movies, television, and music. I gave myself (the user) full read write. I disabled the primary admin after I created a secondary administrative user, like myself. It makes the box more secure and gives an alternate way to get in if we ever bork our credentials / get locked out.

With this as my base: I own all the media (R/W), Plex has R-only, co-administrative user has R-W (since it’s me anyway).

I did a small testing and didn’t quite get the result I expected. I set R-only for ‘plex’ inside my /media (where I have folders for Movies, Animes, Series holding my media files) and then proceeded to delete a test movie using PMS Web GUI and it worked, I expected to get some kind of error as the plex user had only R access. User ‘plex’ rights attached.



Please be careful. DSM gets VERY fussy and starts doing VERY STRANGE things we don’t expect when we try to strong-arm it in a logical manner :frowning:

For initial configuration, I really suggest you leave plex as a regular user. There is no harm in this even for the long term. Most of us just “Load and go” and have no trouble with it. It’s a VERY well-behaved application.

If you really want to get definitive control, which I think is what you want. Let the GUI think permissions are read-write and Plex is ‘just another user’.

I’ll show you how to get down to your media and do it “The Linux Way” and that will definitively be that. Your media will be secure. There will be ZERO question about access

Finally I got the error I wanted. It seems PMS Web GUI (:32400/web/index.html) uses the currently logged-in DSM user, when I did the previous testing I was logged-in with my user inside DSM, the one who has R/W on /media, hence I could delete the movie. I then tried to do the same but now using Chrome Incognito mode to avoid any cache, I proceeded to PMS Web GUI, logged-in with JCChristian and then tried to delete the same movie, this time I got the following error, the one I indeed wanted to see :stuck_out_tongue:

Now I know how things work, but I don’t really agree with it, I believe that the PMS should use ‘plex’ user to delete and not the currently logged-in DSM user.

My bad, I tried again now with my user logged-in and still got the error, I then checked and ‘plex’ had R-only inside /media, it seems the first time I did this (yesterday) there was some cache or delay involved and even after I set R-only I could delete, but now it’s working totally as intended, the one who indeed remove the files is ‘plex’, hence it needs R/W inside /media, and it doesn’t matter if you’re logged-in with admin/user/etc, only ‘plex’ user matters.

In short:

  • ‘plex’ with R-only: will be able to play the media
  • ‘plex’ with R/W: will be able to play and delete media

Phew, I’m not crazy and things are working as intended! :stuck_out_tongue:
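The play/delete split summarized above comes from the permissions on the media directory itself, which a short audit can check for a service account. This is an added example, not part of the original thread; it models plain POSIX mode bits only (Synology share ACLs are not evaluated), and the uid/gid values and temporary directory are constructed stand-ins for ‘plex’ and the media share.

```python
import os
import tempfile


def effective_bits(st, uid, gids):
    """Pick the rwx triplet (0-7) the kernel applies to a non-root uid."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def classify_media_dir(path, uid, gids):
    """What can the service account do with entries directly inside path?"""
    bits = effective_bits(os.stat(path), uid, gids)
    can_list = (bits & 0o5) == 0o5    # r+x: list the folder and reach files
    can_unlink = (bits & 0o3) == 0o3  # w+x: remove entries; file mode is irrelevant
    if can_list and can_unlink:
        return "play and delete"
    if can_list:
        return "play only"
    if can_unlink:
        return "write without read"   # unusual; worth reviewing
    return "no access"


def demo():
    """Constructed scenario: a temp dir stands in for the media share."""
    results = []
    with tempfile.TemporaryDirectory() as media:
        st = os.stat(media)
        # Hypothetical ids for 'plex': never the owner of the directory.
        plex_uid = st.st_uid + 1
        media_gid, other_gid = st.st_gid, st.st_gid + 1
        for mode, gids in [(0o750, [other_gid]),   # not in group: NA
                           (0o750, [media_gid]),   # group r-x: R-only
                           (0o770, [media_gid])]:  # group rwx: R/W
            os.chmod(media, mode)
            results.append(classify_media_dir(media, plex_uid, gids))
    return results


if __name__ == "__main__":
    print(demo())
```
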

Thank you for amending your reply as I was about to suggest you change whatever it is you’re drinking :stuck_out_tongue:

I’m happy to say that it seems all the issues are resolved and anyone looking forward to “harden” their Synology NAS security regarding Plex can come here and find it. In the end it’s pretty easy, just leave R/W for /Plex and /path-to-media-folder while setting NA for all other folders and Applications :stuck_out_tongue:

I think that’s what the DSM help guide says about it too… just sayin’ :wink:

@ChuckPa said:
I think that’s what the DSM help guide says about it too… just sayin’ :wink:

You mean this: https://global.download.synology.com/download/Document/UserGuide/DSM/6.0/Syno_UsersGuide_NAServer_enu.pdf ?

Didn’t find anything Plex related in there and I did some search on the web regarding it and couldn’t find anything useful. Well, it doesn’t matter anymore if it’s there or not as the issue is resolved, at least people will have another place to find the solution :wink:


To all the nay-sayers out there, I just found this useful, thanks for the summary and in-depth discussion!


The above is now almost superseded by this change: “Plex Media Server security changes for Synology users”

which makes it finally possible to run Plex on Synology without admin privileges.