media library permissions fix script


cTurtle98

What settings do my media library folders need to be set to for permissions?

I am making a script I can run whenever I add stuff to make sure everything is correct

#!/bin/bash

echo -e "\033[32m#####################################"
echo "## Fixing MediaLibrary Permissions ##"
echo "##              v1.5               ##"
echo "##         By Ciaran Farley        ##"
echo "##         98SeaTurtles.net        ##"
echo -e "#####################################\033[39m"

sleep 0.5

echo "Deleting files added by macOS"
sudo rm -rf ._*

echo "Fixing Read, Write, Execute"
sudo chmod -R 755 *

echo "Fixing Ownership"
sudo chown -R emby:emby *

echo "Giving sudo Group Permission"
sudo setfacl -R -d -m g:sudo:rwx * > /dev/null
sudo setfacl -R -m g:sudo:rwx * > /dev/null

echo -e "\033[32mDone!\033[39m"

is this correct or are there any changes I need to make?


Depends on your settings in Emby. If you're not saving metadata to media folders, and if you don't care about being able to delete from emby, then read-only will be enough.


cTurtle98

Depends on your settings in Emby. If you're not saving metadata to media folders, and if you don't care about being able to delete from emby, then read-only will be enough.

 

what do I change in the script to make it not read only? do I make it 775 instead of 755 ?

Edited by cTurtle98

dcrdev

Those aren't very good habits to be getting into - you shouldn't add other users to a user's primary group. Nor should you be making ordinary files executable, only directories should be executable - unless the file is actually meant to be executed.
 
Add a new group, for this example let's call it movies:

groupadd movies
usermod -aG movies <myusername>

Change ownership of the directory:

chown -R <myusername>:movies /storage/Movies

Change permissions on files - note the capital "X" here, this means directories only. This will give you 664 permissions on files and 775 on directories i.e. read/write for user and group, read only for everyone else. Directories need that extra executable bit, for you to list their contents.

Start by removing any executable bits:
chmod -R a-x /storage/Movies

Set permissions for group, user and other:
chmod -R u+rwX /storage/Movies
chmod -R g+rwX /storage/Movies
chmod -R o+rX /storage/Movies

Set the gid bit across directories - this ensures that any new files created under /storage/Movies are owned by the group movies.

chmod -R g+s /storage/Movies

Using acls set the default permissions on new files created under /storage/Movies - again note the use of capital "X".

Start by removing any acls previously set:
setfacl -R -bn /storage/Movies

setfacl -R -d -m u::rwX /storage/Movies
setfacl -R -d -m g::rwX /storage/Movies
setfacl -R -d -m o::r-X /storage/Movies

Add the emby user to the group movies and restart emby, to make those permissions effective:

usermod -aG movies emby
systemctl restart emby-server

Something like this (not tested):

#!/bin/bash
# --------------------------------------------------
# Usage: script.sh <username> <group> <path>
# --------------------------------------------------
# You'll want to make sure that
# a) The group exists - if it doesn't the
# script will exit.
# b) You and whomever needs access is part of
# the group i.e. emby. This can be done via
# $sudo usermod -aG group user.
# c) The path exists - if it doesn't the script
# will exit.
# d) You are running this script as root - if
# you are not the script will attempt to elevate
# itself using sudo; root is required for setting
# ownership.
# --------------------------------------------------

declare -r USERNAME="$1"
declare -r GROUP="$2"
declare -r MEDIA_DIRECTORY="$3"
declare -r REMOVE_HIDDEN_OS_FILES=true

function tests {

    local thisScript=`basename "$0"`

    # Check for arguments
    if [ -z "$USERNAME" ] || [ -z "$GROUP" ] || [ -z "$MEDIA_DIRECTORY" ]; then
        echo "Usage: $thisScript <username> <group> <directory>"
        exit 1
    fi

    # Does the user exist?
    if ! id "$USERNAME" >/dev/null 2>&1; then
        echo "The user $USERNAME does not exist!"
        exit 1
    fi

    # Does the group exist?
    if ! getent group "$GROUP" >/dev/null 2>&1; then
        echo "The group $GROUP does not exist!"
        exit 1
    fi

    # Does the path exist?
    if [ ! -d "$MEDIA_DIRECTORY" ]; then
        echo "The path $MEDIA_DIRECTORY does not exist!"
        exit 1
    fi

    # Am I root?
    if [ "$(id -u)" != "0" ]; then
        echo "This script must be run as root!"
        echo "Trying sudo..."
        sudo bash "$0" "$USERNAME" "$GROUP" "$MEDIA_DIRECTORY"
        exit $?
    fi

}

function cleanup {

    # Cleanup any leftover acls / execute bits
    chmod -R a-x "$MEDIA_DIRECTORY"
    setfacl -R -bn "$MEDIA_DIRECTORY"

    # Recursively find/destroy hidden files
    # leftover from external operating systems
    if [ "$REMOVE_HIDDEN_OS_FILES" = true ] ; then
        find "$MEDIA_DIRECTORY" -name "._*" -type f -delete
    fi

}

function ownership {

    # Set ownership and set gid
    chown -R "$USERNAME":"$GROUP" "$MEDIA_DIRECTORY"
    chmod -R g+s "$MEDIA_DIRECTORY"

}

function permissions {

    # Set conservative permissions
    chmod -R u+rwX "$MEDIA_DIRECTORY"
    chmod -R g+rwX "$MEDIA_DIRECTORY"
    chmod -R o+rX "$MEDIA_DIRECTORY"

}

function acls {

    # Enforce default permissions via acls
    setfacl -R -d -m u::rwX "$MEDIA_DIRECTORY"
    setfacl -R -d -m g::rwX "$MEDIA_DIRECTORY"
    setfacl -R -d -m o::r-X "$MEDIA_DIRECTORY"

}

tests && \
sleep 0.5 && \

cleanup >/dev/null 2>&1 && \
sleep 0.5 && \

ownership >/dev/null 2>&1 && \
sleep 0.5 && \

permissions >/dev/null 2>&1 && \
sleep 0.5 && \

acls >/dev/null 2>&1 && \
echo "Done."

Edited by dcrdev
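
A read-only audit to run after the permission fix described above, added here as an example and not part of dcrdev's post: it reports regular files that still carry an execute bit, directories missing the setgid bit, world-writable entries and, optionally, entries outside the shared group. The names `tag`, `audit_media_tree`, `count_deviations` and the report labels are assumptions made for this example.

```bash
#!/bin/bash
# Added example: read-only audit of a media tree after the fix script has run.
# audit_media_tree, count_deviations and the labels are hypothetical names.

# Prefix every path read from stdin with a label and a tab.
tag() {
    while IFS= read -r path; do printf '%s\t%s\n' "$1" "$path"; done
}

# Usage: audit_media_tree <directory> [group]
# Prints one label<TAB>path line per deviation; returns 1 if any were found.
audit_media_tree() {
    local dir="$1" group="${2:-}" report

    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    report=$(
        # Regular files should be 664, so any execute bit is a deviation.
        find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | tag exec-file
        # Directories need setgid so new files inherit the shared group.
        find "$dir" -type d ! -perm -2000 | tag no-setgid
        # Nothing should be writable by other.
        find "$dir" \( -type f -o -type d \) -perm -002 | tag world-writable
        # Optional: every entry should belong to the shared group.
        if [ -n "$group" ]; then
            find "$dir" ! -group "$group" | tag wrong-group
        fi
    )

    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: count_deviations <directory> <label>
count_deviations() {
    audit_media_tree "$1" | awk -F'\t' -v want="$2" '$1 == want { n++ } END { print n + 0 }'
}
```

Calling `audit_media_tree /storage/Movies movies` changes nothing on disk, so it can be run by any account that can read the tree; a non-zero exit status means at least one entry deviates from the 664/775-plus-setgid layout.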