File Permissions Issue with Plex Docker - LinuxServer.io [SOLVED]



I asked this of one of the Plex Docker forums and no one has been able to come up with an answer so hoping it will make sense to someone in the greater community here.

 

I use the DVR function in Plex, and it creates video files on unRaid.  If I try to delete one of those files from my PC, it denies me access claiming I need permission from the user "nobody" to delete the files.  (see image below)  If I run the "new permissions" utility I can delete/move those files, but seems crazy to have to do that every time.

 

I just migrated my Plex installation to the Linuxserver.io docker.  Previously I did not have this issue under the other docker and could freely move or delete these files.  I do seem to remember having a similar issue a few years ago when I set up the DVR and have no recollection of how it was resolved and I can't find any thread on here for the issue.

 

Any ideas on how to resolve or chase this one down?

 

[Image: Capture.JPG]

Edited by TODDLT
Link to comment

You are going to have to provide a bit more information to us.  First,  open the GUI terminal (right side of top toolbar) and type the following command:

ls -al /mnt/user0

Now, hit the 'up-arrow' key and append the name of the User Share to this command as the following example shows:

ls -al /mnt/user0/Media

Continue down the tree/path until you get to a file that has the problem.  Then copy and paste  the line for that file in the listing that has the problem.  (Please format it as 'Code' --   </> icon at the top of the reply box.) It will look like this:

-rw-rw-rw- 1 nobody users  178259492 Oct 20  2016 Nxxxxxxxxxxxxx-Axxxx-Wedding.pdf

 

Edited by Frank1940
Link to comment
7 hours ago, Frank1940 said:

You are going to have to provide a bit more information to us.  First,  open the GUI terminal (right side of top toolbar) and type the following command:


ls -al /mnt/user0

Now, hit the 'up-arrow' key and append the name of the User Share to this command as the following example shows:


ls -al /mnt/user0/Media

Continue down the tree/path until you get to a file that has the problem.  Then copy and paste  the line for that file in the listing that has the problem.  (Please format it as 'Code' --   </> icon at the top of the reply box.) It will look like this:


-rw-rw-rw- 1 nobody users  178259492 Oct 20  2016 Nxxxxxxxxxxxxx-Axxxx-Wedding.pdf

 

Thread title amended.  The rest of this I'll have to do when I get home in about 4 hours.  

New ground for me but looks pretty straight forward.  You just need one example line for a file I know is restricting access?

 

Thanks!

Edited by TODDLT
Link to comment
5 hours ago, Frank1940 said:

Just one if all of the others are the same except for file size, file date and file name.  (You can anonymize the filename if you want)

 

So I recorded a few minutes of a random TV show just to do this test.

The only trouble I ran into, is the DVR titles the folder and file name with the year in parenthesis, and apparently the above syntax doesn't like the existence of the parenthesis (2019).

 

However, just seeing the DVR TV directory the line for the newly created folder had two key differences.  1, the older folder names were highlighted in green, while the new folder was not highlighted.  2, the "rw" coding was different.   

 

This folder was created using the new plex install

drwxr-xr-x 1 nobody users 33 Jul 30 20:05 Bxxxxxg\ (2019)/

 

a similar folder that was created from the old plex installation reads like this

drwxrwxrwx 1 nobody users 52 Mayt 15 22:31 Bxxxxxxx\ (2017)/

 

Obviously I see the "write" permissions missing but not sure what the full sequence means or how to adjust.

Hope that is enough, thanks for the help! 

Link to comment
1 hour ago, TODDLT said:

Obviously I see the "write" permissions missing but not sure what the full sequence means or how to adjust.

OK, it means that no one (except for root) has permission to do anything but read the files inside.  While 'nobody' is the owner, in Unraid that means that there is no owner. The group --- users in this case --- 'permissions' would be that the logged-in user is assigned to the 'group' for that share (the Private and Secure Share security settings will have users assigned to allow controlled access to the share); the 'other' permissions are for the anonymous user.

 

The problem is that the Plex Docker that you are using has settings somewhere that instruct it how to assign permissions to the directories and files that it creates.  And those settings are wrong for Unraid!  This problem is not that usual.  Someone should know where that setting is in this Docker.  (Hopefully, someone who uses this Docker will see this thread and jump in to help out.)

 

EDIT  By the way, google is your friend if you want detailed  information on permissions, 'owner', 'group' and 'other'.

Edited by Frank1940
Link to comment
1 hour ago, Frank1940 said:

OK, it means that no one (except for root) has permission to do anything but read the files inside.  While 'nobody' is the owner, in Unraid that means that there is no owner. The group --- users in this case --- 'permissions' would be that the logged-in user is assigned to the 'group' for that share (the Private and Secure Share security settings will have users assigned to allow controlled access to the share); the 'other' permissions are for the anonymous user.

 

The problem is that the Plex Docker that you are using has settings somewhere that instruct it how to assign permissions to the directories and files that it creates.  And those settings are wrong for Unraid!  This problem is not that usual.  Someone should know where that setting is in this Docker.  (Hopefully, someone who uses this Docker will see this thread and jump in to help out.)

 

EDIT  By the way, google is your friend if you want detailed  information on permissions, 'owner', 'group' and 'other'.

Thanks, so this did trigger a thought.  There are values in the docker settings for PGID and PUID.   I think this stands for Plex UserID and Plex GroupID.   (P=Plex is an assumption on my part but I think GID and UID is correct).

 

They have numerical values:   PUID = 99 and PGID = 100.

 

I looked back and the older Plex Docker did not have any settings for these values.   Should I just remove the values? or should they be changed? 

No idea what those values actually mean.   

Link to comment
8 hours ago, Frank1940 said:

I am getting out of my comfort zone here.  I did google and find this thread.

 

https://forums.unraid.net/topic/39289-adapting-container-user-and-group-ids-to-the-host/

 

I suspect that your problem is with the UMASK variable...

I just took a quick scan of this.....   not exactly light reading so looks like project for tonight.  

Thanks for the info and the time to dig it up.

Link to comment
22 hours ago, TODDLT said:

 I just took a quick scan of this.....   not exactly light reading so looks like project for tonight.  

Thanks for the info and the time to dig it up.

You could also use the UMASK variable to do what I suggest in the other thread; the first bit (normally untouched) is the SET mode for the file - this can be 0 (normal file or directory), sticky, GID, UID, etc. control. 
By setting, for example 2000 it would change the first bit to "2" and then the "000" mask would translate to "666" or RW for Owner, RW for Group, and RW for anyone else. 
https://wintelguy.com/umask-calc.pl
Here's a good calculator that will calculate permissions for you as well.

I'm not sure what permissions it's setting wrong - but the normal unraid permission of "0000" should work fine for SMB users to Read and Write. The SetGID bit can be useful when you wish to specify access to users in the group rather than the owner directly.
Another useful setting for the UMASK: 0003 - this would make it so that the Owner (nobody) and users in the group (users) could read and write the file - but others (anonymous SMB users, for example) would be able to view the content, but not edit or remove it.

EDIT:
If you wish you can run "stat filename" on a file that is broken, and then run it on a file that is working to identify what permissions differ, which will better help identify what needs to be corrected.

EDIT2:

I see you already posted permissions set on two files above;
     Owner | Group | Other          Owner (UID)   Group (GID)
d    rwx   | r-x   | r-x      1     nobody        users
d    rwx   | rwx   | rwx      1     nobody        users
As you can see above - only the owner is set to have write permissions on the file created by the new installation that is "broken"
Note that the execute bit (x) is required for directories to be browsable on Linux - the "d" to the left designates this is a directory, for files this is a "-" 
Changing the UMASK to 0000 should fix your problem, as it will enable write permissions for the group and other columns.

For information on "why" this would be different; UMASK 0022 (no change to SET bit, owner read/write, group read only, other read only) is the typical default on Linux, and would result in directories being created with the permissions you are seeing above (remember - directories must have the execute bit, and it is automatically added when the directory is created.)
 

Edited by Xaero
Link to comment
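
Added example (not part of the original thread): the umask values discussed above (0022, 0000, 0003) applied to a newly created directory and file, with a helper that reports which classes end up with write access. The function names and the temporary `Show (2019)` path are constructed for illustration; `stat -c` assumes GNU coreutils.

```sh
#!/bin/sh
# Added example; names and paths below are constructed for illustration.

# modes_for_umask MASK -> prints "<dir mode> <file mode>" in octal.
# Runs in a subshell, so the caller's umask is not changed.
modes_for_umask() (
    tmp="$(mktemp -d)" || exit 1
    umask "$1"
    mkdir "$tmp/Show (2019)"              # directories start from 777
    : > "$tmp/Show (2019)/episode.ts"     # regular files start from 666
    d="$(stat -c '%a' "$tmp/Show (2019)")"
    f="$(stat -c '%a' "$tmp/Show (2019)/episode.ts")"
    rm -rf "$tmp"
    echo "$d $f"
)

# who_can_write MODE -> prints which of owner/group/other have the write bit.
who_can_write() {
    out=""
    if [ $(( 0$1 & 0200 )) -ne 0 ]; then out="owner"; fi
    if [ $(( 0$1 & 0020 )) -ne 0 ]; then out="$out group"; fi
    if [ $(( 0$1 & 0002 )) -ne 0 ]; then out="$out other"; fi
    echo "${out# }"
}

# Compare the three masks named in the thread.
for mask in 0022 0000 0003; do
    set -- $(modes_for_umask "$mask")
    echo "umask $mask: dir $1 ($(who_can_write "$1")), file $2 ($(who_can_write "$2"))"
done
```
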
On 8/1/2019 at 1:15 PM, Xaero said:


EDIT2:

I see you already posted permissions set on two files above;
     Owner | Group | Other          Owner (UID)   Group (GID)
d    rwx   | r-x   | r-x      1     nobody        users
d    rwx   | rwx   | rwx      1     nobody        users
As you can see above - only the owner is set to have write permissions on the file created by the new installation that is "broken"
Note that the execute bit (x) is required for directories to be browsable on Linux - the "d" to the left designates this is a directory, for files this is a "-" 
Changing the UMASK to 0000 should fix your problem, as it will enable write permissions for the group and other columns.

For information on "why" this would be different; UMASK 0022 (no change to SET bit, owner read/write, group read only, other read only) is the typical default on Linux, and would result in directories being created with the permissions you are seeing above (remember - directories must have the execute bit, and it is automatically added when the directory is created.)
 

Sorry, it's taken me a few days to get back into trouble shooting this issue, just been a little busy here.  

Thanks for taking the time to explain all this and I think I'm following this correctly.  I've learned a little bit about what's going on in the background on this one.

 

So where do I put this UMASK command?  Is this a variable I should set in the docker or a command line that needs to be run every time the docker is started?  

 

Thanks again

Edited by TODDLT
Link to comment

The umask 0000 needs to be called in the docker after the filesystems are created - in whatever entrypoint script is being used. I'd file this as a bug with the LS.IO guys on github or in their support thread. You can readily prove that the UMASK isn't being set properly;

Run stat on one directory that works, and one that does not, this will show that while the UID and GID are correct the UMASK of 0000 isn't being set which makes the container inherently incompatible with unraid's share system by default, although they may push back in that this is technically "more secure" and "proper" in the world of Linux.

If that's the case, you could easily set up a userscript to add "umask 0000" to the second line of their entrypoint script, and have it run every day so that if the container updates it adds the command back in, and restarts the docker.

Link to comment
3 hours ago, Xaero said:

If that's the case, you could easily set up a userscript to add "umask 0000" to the second line of their entrypoint script, and have it run every day so that if the container updates it adds the command back in, and restarts the docker.

 

Not everyone on Plex uses the DVR, and so for most users, they probably would never see files "created by Plex" that they accessed or wanted to modify outside of Plex itself.  I'm not sure what they will say about the request because maybe it is more secure for the app data files that may be created by the docker, and not sure they can differentiate between those and the DVR created files.  

 

So all that being said, I would probably use this short term, or long if they don't make the change.  Creating a userscript that simply says "unmask 0000" would be pretty straight forward and I use a couple user-scripts.  However, I'm not sure what this script would look like to "add the line to their entrypoint script and restart the docker."  Is there a way to write a script that would run in the proper sequence at the startup of unRaid to get this setup, and why would it revert or need to be run every day or so?

Link to comment
4 hours ago, TODDLT said:

 

Not everyone on Plex uses the DVR, and so for most users, they probably would never see files "created by Plex" that they accessed or wanted to modify outside of Plex itself.  I'm not sure what they will say about the request because maybe it is more secure for the app data files that may be created by the docker, and not sure they can differentiate between those and the DVR created files.  

 

So all that being said, I would probably use this short term, or long if they don't make the change.  Creating a userscript that simply says "unmask 0000" would be pretty straight forward and I use a couple user-scripts.  However, I'm not sure what this script would look like to "add the line to their entrypoint script and restart the docker."  Is there a way to write a script that would run in the proper sequence at the startup of unRaid to get this setup, and why would it revert or need to be run every day or so?

This is still worth reporting to LinuxServer.io - as they may be unaware that the DVR functionality of Plex is creating files without a proper umask for shares.

To answer your questions regarding the UserScript - it needs to run to add the "umask" line to the docker, the docker must be running in order to execute the commands to modify the container. After which the container must be restarted to apply the actual command at startup. Running at Array start only works for the version of the docker that is installed when the array is started. If the docker is updated (either by you manually, or automatically) the change made by the UserScript will be gone. This is why it's desirable to have these sorts of things fixed upstream. There is no event that happens when dockers are updated, so there isn't really a way to just "run the script when the docker is updated" so we have to run it once per day. This is kind of kludgy and undesirable.

As far as what a UserScript "could" look like to do this:

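#!/bin/bash
# Find the running Plex container by name (case-insensitive match).
con="$(docker ps --format "{{.Names}}" | grep -i plex)"
# Stop if no running container matched; there is nothing to modify.
[ -n "$con" ] || { echo "No running Plex container found, exiting."; exit 1; }
# Run script that starts Plex inside the container.
run="/etc/services.d/plex/run"
# grep exit status: 0 if the run script already contains a umask line.
exists=$(docker exec -i "$con" grep -q umask "$run" >/dev/null 2>&1; echo $?)

if  [ "$exists" -eq 0 ]; then
        echo "umask line already present, exiting."
        exit
else
        # Insert "umask 0000" after line 3 of the run script, then restart.
        docker exec -i "$con" sed -i '3a umask 0000' "$run"
        echo "Added umask line - Restarting Plex docker..."
        docker restart "$con" >/dev/null
fi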

To explain this script line-by-line so you know what we are doing:
Shebang - this just defines what shell should execute this script - in this case "/bin/bash"

Next we define the name of the docker container (we could hardcode this as "plex" since we know this is only usable for the ls.io plex docker)
We then define the location of the run file used as the entrypoint.
Next, we check if the file already contains "umask" or not.
If it does, we simply exit the script, so we don't restart the docker unless we need to.
If it doesn't, we add it after the 3rd line, and then restart the script.


The result is that the "run" file ends up looking like this:

#!/usr/bin/with-contenv bash

echo "Starting Plex Media Server."
umask 0000
export PLEX_MEDIA_SERVER_INFO_MODEL=$(uname -m)
export PLEX_MEDIA_SERVER_INFO_PLATFORM_VERSION=$(uname -r)
exec \
        s6-setuidgid abc /bin/bash -c \
        'LD_LIBRARY_PATH=/usr/lib/plexmediaserver:/usr/lib/plexmediaserver/lib /usr/lib/plexmediaserver/Plex\ Media\ Server'

Meaning that the next time the docker starts, "umask 0000" will be run before plex is started.

 

 

This script can then be safely set to run once per day, preferably a few minutes after your automated updates, if you have them enabled. It will only make the change if it's required.

 

P.S. Let me know if this works - as I have no way to test it.

Edited by Xaero
Link to comment
11 hours ago, Xaero said:

Run stat on one directory that works, and one that does not, this will show that while the UID and GID are correct the UMASK of 0000 isn't being set which makes the container inherently incompatible with unraid's share system by default, although they may push back in that this is technically "more secure" and "proper" in the world of Linux.

thanks for all the effort above.  I will try to do the script in the next couple days and test it, hopefully tomorrow.   

 

I did post a note in the support forum here for LS.IO.  I used the stats on the folder you saw above, but I also tried to use the "stat" command you mentioned.  The real issue I had is I can't seem to call out the full directory name in the terminal because it shows a syntax error with the "(" character.   All the folders and files created for media contain the year made in "(yyyy)" syntax.   I get errors when trying to type that.   Is there a way around this?

Link to comment
3 minutes ago, TODDLT said:

thanks for all the effort above.  I will try to do the script in the next couple days and test it, hopefully tomorrow.   

 

I did post a note in the support forum here for LS.IO.  I used the stats on the folder you saw above, but I also tried to use the "stat" command you mentioned.  The real issue I had is I can't seem to call out the full directory name in the terminal because it shows a syntax error with the "(" character.   All the folders and files created for media contain the year made in "(yyyy)" syntax.   I get errors when trying to type that.   Is there a way around this?

There are a few ways to work around this.
The first, and the one you should become most familiar with when using a Linux box of any kind is to type only part of the name you need and then press "Tab" The shell will automatically fill in the remaining characters, and add quotes when needed.
The second, is to manually place quotes around anything that uses spaces, or special characters:
"(This) will work"
(This) won't work
The final common way is to "escape" characters the shell will try to use:
\(This\)\ will\ work\ too

The first method is the easiest, and most common way to use the Linux terminal when working with special characters and spaces. Tab completion is your friend. It remembers commands when you don't. It remembers folder names and the location of capital letters and special characters when you don't, too. It also never forgets to double quote things that need to be, or to escape letters that should be. 

Link to comment
32 minutes ago, Xaero said:

There are a few ways to work around this.
The first, and the one you should become most familiar with when using a Linux box of any kind is to type only part of the name you need and then press "Tab" The shell will automatically fill in the remaining characters, and add quotes when needed.
The second, is to manually place quotes around anything that uses spaces, or special characters:
"(This) will work"
(This) won't work
The final common way is to "escape" characters the shell will try to use:
\(This\)\ will\ work\ too

 

Thanks!!

 

 

file stat.JPG

Link to comment
7 hours ago, TODDLT said:

This is now solved.  LinuxServer.IO provided info on setting the variable for UMASK

Did you post this info (and any how-to instructions necessary) in the support forum for this Docker?  If not, please do so.  It could help the next person who has the same problem. And edit first post to mark it  [SOLVED].

Edited by Frank1940
Link to comment
11 hours ago, Frank1940 said:

Did you post this info (and any how-to instructions necessary) in the support forum for this Docker?  If not, please do so.  It could help the next person who has the same problem. And edit first post to mark it  [SOLVED].

so marked (and I was looking for a "solved" button).

 

The answer came inside the LinuxServer.IO - PlexServer forum.  I did reply that it solved the issue, and the fix was simple.  In the end they do have a variable setting for UMASK available, it's just not in the default list, so you have to add it manually.

 

If there is somewhere I should post a summary write up I'd be happy to contribute.

Link to comment
