Linux Permissions Guide

Permissions on Plex Media Server

This is a write-up of how permissions on Linux systems affect Plex Media Server and its ability to find your media.

What are permissions

When accessing the filesystem of any Linux system, all files and directories are equipped with a set of permission bits. These bits allow and deny different types of access to files and directories. The bits are made up of numbers ranging from 0-7 (we will get back to those), and can be translated into read/write/execute permissions. Permissions are also categorized into 3 groups: Owner (the user that owns the file), Group (a group of users), and Other (everyone else). The combination of these bits and the 3 groups represents the backbone of controlling user access throughout the entire Linux system. As we continue we will dig into how these permissions can be combined and how they affect how Plex can access files.

The table below shows an example of the command ls -al in a directory.

 

As seen in the table in the permissions bits column, if it is a directory the d bit is set, and if it is a file it is represented by a -. Moving along to the other bits, it is important to understand that the three groups that make up the permissions are represented by three characters for each group. r (read), w (write), x (execute) or - (none). The combination of these and placement define the user/group/other access to our files/directories. Figure 1 shows how these are grouped.


On Linux, as mentioned just before, a directory is defined by the directory bit being set to d. To access/open directories, two bits are required: read and execute. Here are a couple of examples of directory permissions. If a directory has the bit mask drwx------ then the owner of the directory can access and modify it (the write bit allows this). If the bit mask is drwxrwx--- then the owner and the group can access and modify it. If the bit mask is drwxrwxrwx anyone with access to the system can access and modify it. To allow only the user to modify the directory and group and others to have access to it, permissions must be set as drwxr-xr-x. This is the sane way to grant external access to a directory.

The approach to files is very similar. We start with the directory bit. If the directory bit is set to - then access only requires read permissions. This is because the execute bit on files is used to indicate whether a file is runnable/executable (you can see this on the Plex Media Server binary file, which has permissions -rwxr-xr-x). To understand file permissions, here are a few file examples. Permissions -rw------- grant the user full read and write access, -rw-rw---- grants user + group read and write access, and -rw-rw-rw- grants user + group + other access to read and modify files. So please be very aware of how you grant access rights to your files. The sane way is always to allow the user full access and grant read-only access to the group and other, unless you require groups to be able to modify your files.

 

Permission bits

To get a deeper understanding of how the operating system interprets the permissions we have to dig into how bit numbers represent the read/write/execute permissions. The bits are as mentioned before represented by numbers ranging from 0-7. The table below shows what each number represents.

 

In most cases the 0, 4, 5, 6 and 7 bits are used, so we will focus on those. Starting out with directory access: based on the information previously described, we know that to access a directory we need read and execute permissions. So for a given folder, say /plexmedialibrary, we would need to have the bits set to 700, which represents drwx------ permissions, for the owner to access that directory. If we want a group of users to access that directory, say all users on a system that reside in a group named users, we would have to set the permission bits to 750, which translates into drwxr-x---. Note here that we are not granting the group access to modify the directory, only to access and read it. To permit all users, no matter what group they are a member of, access to the directory, we would set 755, which translates into drwxr-xr-x.

When it comes to files the approach is again similar, but with permission bits set that suit files. For a given user to get access to a file, say /plexmedialibrary/witwicky.mkv, we would need to set read permissions for the user; permission-bit-wise this is equivalent to 600, which translates into -rw-------. To provide both user and group access to the file, we would set the bits to 640, which translates into -rw-r-----. Note that again we are not granting the group rights to modify the file. For all users and services on a system to access your file, the permission bits would have to be 644, which again translates into -rw-r--r--.
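The number-to-letter translation used in the paragraphs above can be reproduced with bit tests: 4 is read, 2 is write, 1 is execute, and each digit is the sum of the bits that are set. The following is an added example, not part of the original guide; the function names digit_to_rwx and mode_to_symbolic are made up for illustration.

```sh
# Added example (not from the original guide). Plain POSIX sh.

# Turn one octal digit (0-7) into its rwx triplet: 4 = read, 2 = write, 1 = execute.
digit_to_rwx() {
    d=$1 out=
    if [ $(( d & 4 )) -ne 0 ]; then out=${out}r; else out=${out}-; fi
    if [ $(( d & 2 )) -ne 0 ]; then out=${out}w; else out=${out}-; fi
    if [ $(( d & 1 )) -ne 0 ]; then out=${out}x; else out=${out}-; fi
    printf '%s' "$out"
}

# mode_to_symbolic TYPE MODE
# TYPE is "d" for a directory or "-" for a file, MODE is three octal digits
# in owner/group/other order. Prints the string ls -al would show.
mode_to_symbolic() {
    case $2 in
        [0-7][0-7][0-7]) ;;
        *) echo "invalid mode: $2" >&2; return 1 ;;
    esac
    m=$((0$2))    # a leading 0 makes the shell read the digits as octal
    printf '%s%s%s%s\n' "$1" \
        "$(digit_to_rwx $(( (m >> 6) & 7 )))" \
        "$(digit_to_rwx $(( (m >> 3) & 7 )))" \
        "$(digit_to_rwx $(( m & 7 )))"
}

# The modes the guide walks through, directories first, then files.
for spec in d:700 d:750 d:755 -:600 -:640 -:644; do
    printf '%s  %s\n' "${spec#*:}" "$(mode_to_symbolic "${spec%%:*}" "${spec#*:}")"
done
```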

Now that we have gone over the basic structure of read write and execute bits for directories and files, we can move on to the tools and how we use them. Linux uses 3 tools to control basic access rights. One for controlling the owner of directories/files: chown. One for controlling what group has access to directories/files: chgrp. And one command for modifying the permission bits: chmod.

How to use the chmod command

To modify the permission bits on Linux we use the command chmod. It allows us to modify the bits set on both files and directories. The command can be run as any user, but can only change permissions on files and directories that are owned by the user you are logged in as. So for instance it is not possible to log on to your system as user Optimus and change a file owned by user Megatron, nor is it possible for non-root users to change root-owned files.

The way the command works is by setting the read/write/execute permissions with the bit numbers we mentioned above. The easiest way of running this command is by running it as root. Though you should note that when running commands as root it is very important that you are cautious about what you run on what. Doing things incorrectly can end up disrupting your system. To simplify how the command is used, we will use an example of a file and a directory we want permissions set on.

First the file. Say we have a file in /plexmedialibrary named witwicky.mkv and we want a given user, Megatron, to be able to read it, but the user is not the owner; the file is owned by Optimus. The file has permissions 640 and therefore only allows Optimus and his group to access the file. See below:

 

We want Megatron to have access, so we need to change the permission bits to 644. The command for this is:

 

chmod 644 witwicky.mkv

 

After running the command we ls -al the dir to see what has changed.

 

As we can see the permission bits now read -rw-r--r-- which is the equivalent of 644. Now Megatron can read the video file.

 

The next example is the directory. We will use the /plexmedialibrary directory as an example for directory access. Again we want Megatron to be able to view files and directories under /plexmedialibrary. As shown below, the file has the global (other) readable bit set, but the folder itself does not have the global readable and executable bits set, preventing Megatron from seeing the content of that folder:

 

To get the permissions set correctly we again run chmod on the directory. The command would be:

 

chmod 755 /plexmedialibrary

 

This results in /plexmedialibrary granting read+execute rights to the folder and thereby permitting Megatron to access the folder, and the files there. The result is shown below:

 

Note that we are not granting other users the right to modify (write) files and directories, only the rights to read and execute. This is the secure way to grant access without allowing everyone on the system to delete the files/directories.

To read more about chmod and its options, go here: http://en.wikipedia.org/wiki/Chmod

How to use the chown command

First of all, to change the ownership of a file, you must be the owner of that file, and also be the owner which you are changing the ownership to. This in itself is a predicament, and can only be solved by using the user root. So when running chown it is required that you run it as user root.

 

The simplest example of using chown is running it on a single file. Say we have a file, /plexmedialibrary/witwicky.mkv, and it is owned by Optimus but we want Megatron to own it. Before we change ownership to Megatron, an ls -al of /plexmedialibrary would be:


To change the ownership from Optimus to Megatron, as root run the command:

 

chown megatron witwicky.mkv


The same applies for directories. When changing user ownership, it is important to note that you can also define a change of group ownership at the same time. So if you wanted to change ownership of witwicky.mkv from optimus:autobots to megatron:deceptacons the command would be:

 

chown megatron:deceptacons witwicky.mkv


If you want to change ownership on a directory, all its subdirectories and files included, the command would be:

 

chown -R megatron /plexmedialibrary

 

And if you want to add a group into the mix again, it is:

 

chown -R megatron:deceptacons /plexmedialibrary


To read more about chown and its options, go here: http://en.wikipedia.org/wiki/Chown

 

How to use the chgrp command

 

The chown command has a sibling, chgrp (Change Group). This is used to change only the group ownership on files and directories. Though not used as much as chown, it can be handy when you want to grant groups of users access to files instead of just changing who owns them. All users on a Linux system have to be part of a group. Most users are created as part of the group users, or on creation they get their username automatically added as a group name too. In the above examples we have used two groups, autobots and deceptacons. This was to help understand how groups might look on a system. To give a quick example of how chgrp works, we will use a file + directory example.

 

Starting where we left off with the /plexmedialibrary directory and the autobots and deceptacons groups, everything including the directory will be group owned by autobots, and we will make a video file accessible for user megatron while being part of his group, deceptacons. We will here change the group ownership from autobots to deceptacons. The command to run for the directory /plexmedialibrary is:

 

chgrp -R deceptacons /plexmedialibrary

 

This results in the following change:

Note that the global (other) permissions in this example are set to --- so it is ensured that only the user optimus and group deceptacons can access the directory and file.

 

We used the -R option to recursively change the group ownership of /plexmedialibrary and all the files included in it. The -R option is not required, but without it the command would only have changed the group ownership on /plexmedialibrary, and Megatron would not have had access to the video file witwicky.mkv, only to the directory.

 

How permissions affect Plex Media Server

 

Plex Media Server on Ubuntu/Fedora/CentOS systems runs in the context of the user plex. On some of the other NAS releases this varies; in the case of unRAID, for example, the username is unraid-plex. Simply replace the username in these descriptions with the one that applies to your PMS version. Since Plex Media Server runs in the context of a restricted user and not root (normally ReadyNAS is an exception), it is very important that the directories it uses for storing its metadata, bundles and logs are writable by that very user. The default for the main Linux OSes is /var/lib/plexmediaserver, but it can be customized via the variable $PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR. The media that you want to add to Plex also has to be readable by this user.

 

Say you have an Ubuntu installation and you installed it with the user Optimus Prime (optimus). Your home directory and everything configuration-related for the user will be placed in /home/optimus. Default permissions on this are normally 755, and everything you place under it, say /home/optimus/movies, will be readable for the user plex. But if you added security features during install (a small checkbox selected when installing), permissions will be 700 instead, and nothing will be able to access /home/optimus/movies except for the user optimus, even if you grant 777 on your movies folder. This is because on Linux permissions are checked for every directory you dive into, so if your parent folder won't let you access it, you will not have access to anything under that folder, no matter what permissions you set. So you would need to change permissions on /home/optimus first so that others can access it.
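The parent-directory rule above can be checked one path component at a time to find where access stops. The following is an added example, not part of the original guide or of Plex; the function names, the temporary tree and the uid/gid 64000 are made up for illustration, GNU stat is assumed, and ACLs, SELinux/AppArmor and root's ability to bypass permission bits are not considered.

```sh
# Added example, not from the original guide. Assumes GNU stat.

# Print the octal digit (0-7) of PATH's mode that applies to UID and the
# space-separated GID list: owner bits, else group bits, else other bits.
applicable_digit() {
    ad_uid=$2 ad_gids=$3
    set -- $(stat -L -c '%a %u %g' "$1")
    ad_mode=$((0$1))
    if [ "$2" = "$ad_uid" ]; then echo $(( (ad_mode >> 6) & 7 )); return 0; fi
    for ad_g in $ad_gids; do
        if [ "$ad_g" = "$3" ]; then echo $(( (ad_mode >> 3) & 7 )); return 0; fi
    done
    echo $(( ad_mode & 7 ))
}

# first_blocker BASE RELPATH UID GIDS: walk RELPATH below BASE and print the
# first component that stops the user (nothing if the path is usable).
# Parents need execute (1) to pass through; the last component needs
# read+execute (5) if it is a directory, or read (4) if it is a file.
first_blocker() {
    fb_cur=${1%/} fb_rel=$2 fb_uid=$3 fb_gids=$4
    while [ -n "$fb_rel" ]; do
        fb_comp=${fb_rel%%/*}
        case $fb_rel in */*) fb_rel=${fb_rel#*/} ;; *) fb_rel= ;; esac
        fb_cur=$fb_cur/$fb_comp
        if [ -n "$fb_rel" ]; then fb_need=1
        elif [ -d "$fb_cur" ]; then fb_need=5
        else fb_need=4; fi
        fb_d=$(applicable_digit "$fb_cur" "$fb_uid" "$fb_gids")
        if [ $(( fb_d & fb_need )) -ne "$fb_need" ]; then echo "$fb_cur"; return 0; fi
    done
}

# Constructed tree standing in for /home/optimus/movies; prints its root.
make_demo_tree() {
    mt_root=$(mktemp -d)
    mkdir -p "$mt_root/home/optimus/movies"
    : > "$mt_root/home/optimus/movies/witwicky.mkv"
    chmod 755 "$mt_root/home"
    chmod 700 "$mt_root/home/optimus"           # the restricted home directory
    chmod 777 "$mt_root/home/optimus/movies"    # 777 below it does not help
    chmod 644 "$mt_root/home/optimus/movies/witwicky.mkv"
    echo "$mt_root"
}

# 64000 is a made-up uid/gid that owns nothing in the tree ("other" applies).
tree=$(make_demo_tree)
first_blocker "$tree" home/optimus/movies/witwicky.mkv 64000 64000
rm -rf "$tree"
```

On a real server, pass the service account's IDs instead of the made-up ones, for example first_blocker / home/optimus/movies/witwicky.mkv "$(id -u plex)" "$(id -G plex)".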

 

The default permissions setting on CentOS/Fedora for users is 700, so anything you create as your user under there will also be inaccessible for the user plex. So it is a good idea to put your media somewhere other than your home folder, and set permissions accordingly. A good practice for media permissions is 755 for directories and 644 for media files. Go to the Quickguide to see how this can be achieved.

 

The main thing to understand here is that if Plex can't write to its config directory, it won't start. If it can't read your media files, it can't process them.

 

Quickguide

 

To get fast access to changing permissions, here are some quick examples on how to control permissions.

 

chmod

The command used to change the permission bits on files.

 

Change a file to be modifiable for user and readable for group and other.

chmod 644 filename

 

Change a directory to be modifiable for user and accessible for group and other.

chmod 755 directoryname

 

Change recursively for all files under a directory to be group and globally readable/executable and modifiable by owner.

chmod -R 755 directoryname

 

Advanced chmod

 

To change permissions on directories to 755 and files 644 (replace /plexmedialibrary to fit your requirements):

 

find /plexmedialibrary -type d -exec chmod 755 {} \;
find /plexmedialibrary -type f -exec chmod 644 {} \;
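The two find commands give a different result from chmod -R 755, which also sets the execute bit on every media file. The following is an added example, not part of the original guide: it lists entries that deviate from the 755/644 layout and shows the difference on a constructed temporary tree. The function names and sample file names are made up for illustration, and GNU find and stat are assumed.

```sh
# Added example (not from the original guide). Assumes GNU find and stat.

# Print "MODE PATH" for every directory that is not exactly 755 and every
# regular file that is not exactly 644 under the given library root.
audit_media_perms() {
    find "$1" \( -type d ! -perm 755 -o -type f ! -perm 644 \) \
        -exec stat -c '%a %n' {} +
}

# The guide's two find commands, wrapped so they can be re-run after an audit.
fix_media_perms() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

# Constructed sample library: one world-writable directory and one
# world-writable file.
demo() {
    lib=$(mktemp -d)
    chmod 755 "$lib"
    mkdir -p "$lib/show"
    : > "$lib/show/ep1.mkv"
    chmod 777 "$lib/show"
    chmod 666 "$lib/show/ep1.mkv"
    echo "before:"
    audit_media_perms "$lib"
    chmod -R 755 "$lib"          # recursive 755 leaves the file executable
    echo "after chmod -R 755:"
    audit_media_perms "$lib"
    fix_media_perms "$lib"       # directories 755, files 644
    echo "after the find pair:"
    audit_media_perms "$lib"
    rm -rf "$lib"
}
demo
```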

 

chown

 

The command used for changing ownership on files or directories.

 

Change a file/directory to be owned by user plex (replace filename/directory with the name of your file or directory):

chown plex filename/directory

 

Change ownership recursively of directory and all files under the directory:

chown -R plex directory

 

Change user ownership and group ownership on file or directory (replace file/directory with the name of your file or directory):

chown plex:plex file/directory

 

Change user ownership and group ownership recursively on file or directory (replace file/directory with the name of your file or directory):

chown -R plex:plex file/directory

 

chgrp

 

The command used for changing the group ownership of files or directories.

 

Change a file/directory to be group-owned by group plex (replace filename/directory with the name of your file or directory):

chgrp plex filename/directory

 

Change group ownership recursively of directory and all files under the directory:

chgrp -R plex directory