
Emby Server 4.0.1.0: Permission question



hi2hello

Hi there,

 

I am running EmbyServer 4.0.1.0 with the official stable Docker from the emby repository under UnRaid and I have a question concerning permissions.

 

As usual for a Docker in UnRaid, also for the emby-Docker the owner:group is set to nobody:user with UID=99 (nobody) and GID=100 (users). 

 

All folders and files in my media share usually have permissions set to 777. Now, whenever emby is creating a folder (e.g. for a movie or show with the plugin AutoOrganize) or a file (e.g. metadata), those get permissions set to 755.

 

For emby working flawlessly, this is quite fine, but for making changes or additions in such a folder via SMB it causes problems: As I am logging in as a user with no admin rights, I am not granted write permissions on any of those folders. Right now, I'll have to "fix" permissions for all of those folders manually, which gets kind of annoying.

 

My question is quite simple: Is it possible to get emby (or the plugin AutoOrganize) to create files and folders with permissions set to 777?

 

And if so, how?

 

 

Thank you very much.

Link to comment
Share on other sites

Hi, I'm not sure of the answer for unraid but I think it will depend on the user that emby is running under.

Link to comment
Share on other sites

Bloodfire

I run a docker instance for testing purposes at the moment, and here's what I can say... Check out my config and compare it to yours:

 

When creating the docker I used - 

 

docker run -d \
--name=emby \
--restart=always \
--volume /var/lib/emby-docker:/config \
--volume YOUR-MEDIA:/mnt/Media \
--volume YOUR-META-TRANS-ETC:/mnt/emby-bits \
--device /dev/dri/renderD128 \
--publish HOST-PORT:DOCKER-PORT \
--publish HOST-PORT:DOCKER-PORT \
--env UID=1001 \
--env GID=1000 \
--env GIDLIST=100,469,484,486,1000 \
emby/embyserver:latest
 
In bold are the user and group it will write with.
 
You can even use watchtower to keep it up to date!
Link to comment
Share on other sites

hi2hello

On what platform do you run your docker?

 

Except for your GIDLIST, which has more entries than mine, and the fact that your UID and GID point to different groups / users than mine (which seems reasonable on a different system), I see no difference from my settings.

 

For me it’s UID = 99, GID=100, GIDLIST = 100,18

 

 

@Luke: You stated that it depends on the user that emby is running under. Does that imply that no user other than this one has write permissions to the files / folders this user generated?

 

emby is generating folders with 755 and files with 644, which - if I get things right - simply means that no user other than emby itself can make additions to a folder that was generated by emby. 766 or even 666 would fit, but I have not the slightest clue how to change that.

Link to comment
Share on other sites

I would guess that Emby just uses the default umask for the user that runs it.

Usually the umask is set system-wide. But you can also set it on a per-user basis.

 

So what's nobody's umask set to?

 

su -c umask nobody

 

Default umask for your system:

 

grep UMASK /etc/login.defs
Link to comment
Share on other sites

Bloodfire

My server is running openSUSE. The UID and GID are not the emby user or group but rather the user and group I created with access to the media files.

Link to comment
Share on other sites

hi2hello
su -c mask nobody 

does result in no output

grep UMASK /etc/login.defs

UMASK           022 

(which makes 755)

 

What I would need would be 012 at least or 002 

Link to comment
Share on other sites

hi2hello

My server is running openSUSE. The UID and GID are not the emby user or group but rather the user and group I created with access to the media files.

And Emby is still able to write into those created directories?

 

If I change the UID from "Emby" to "myuser" that would result in being able to make changes to the folders (which is what I would like to have) BUT as emby is generating folders with 755, no other user (including emby itself) than "myuser" would be able to make changes to those folders.

If I get it right, emby would no longer be able to make changes to metadata?

 

Please correct me if I'm wrong

Link to comment
Share on other sites

hi2hello

So what is read --- execute then?

For directories I get 

 

rwxr-xr-x

 

and I cannot write into these directories as a different user

Link to comment
Share on other sites

Afaik there is currently no convenient way to set umask on a per docker container basis.

You could work with a custom entrypoint script or always manually set umask for specific containers.

But why not create a user with correct umask just for Emby?

Link to comment
Share on other sites

hi2hello

I don't know how to change a user's umask, just how to do that globally (etc/login.defs)

Right now, emby runs under the user "nobody", which is not a user I can log on to (to change user prefs then)

 

Any help kindly appreciated

Link to comment
Share on other sites

hi2hello

Just saw your edits.

The following links might clear up any confusion concerning unix permissions and their notation:

http://permissions-calculator.org/

https://wiki.archlinux.org/index.php/File_permissions_and_attributes

 

Now, I am really confused. 

I said, directories created in emby have the following permissions: 755

 

Shell gives me rwxr-xr-x

 

So, I thought, there is no difference?


Link to comment
Share on other sites

mastrmind11

your permissions are screwed up.  just create an emby user and run emby as that user.  if you have a share that requires r/w for more than emby, create a group and put all the users that require r/w in it (including emby) and set the share to use that group instead of whatever you have it set to now (nobody??).  if you set it up correctly once, you won't run into these issues where you're hacking stuff up just to get it to work.

Link to comment
Share on other sites

The link to archwiki's page for umask I gave you in #5 explains the process in detail.

It also links to the manpage for the umask utility for further information.

 

While I am not familiar with UnRAID (that's Slackware based, right?), I might be able to help further if you tell me where you are struggling :)

Again for the lazy: adding users + setting umask.

 

Did you read the archwiki link regarding unix permissions? Specifically how the execute permission affects directories?

And mastrmind11 is right. Take some time to actually read the links and thus understand what you are doing / trying to do.

Then implementing a solution that matches your use-case will be a breeze :)

Link to comment
Share on other sites

Bloodfire

755 is r/w for everyone.

Erm, wouldn't it be read/write/execute for user, and read/execute for group and other? 

 

rwxr-xr-x is 755. Note that there is no 'w'.
 
@hi2hello my recommendation is:
 
Create a user (or make it so the emby user) has read/write access to the files you want to have access to. if you go the route I did, where you have a custom user and group, make sure it's standardized for all of the emby elements. For example, the transcode/metadata/etc files all have to have the correct permissions in addition to the media files themselves.
 
I personally am using a chmod of 770 so that user and group are rwx but other can't do anything for the majority of my files. That being said, I have a section of my library that is set to 775 because I DO want other users to be able to view/execute but NOT write in the folder.
 
For my media files, I have it set to chmod 770 or 775 with a chmod +s on the library so that new files are created with the user/group that you have already set the folders for. If you're new to setting permissions, make sure you use -R to make it recursive and affect the folders as well as the files. 
 
Here, some quick recommended reading to assist you:
 
 
If you're still struggling, as @hein said, you're gonna have to guide us to where your problem is. More details :D
Link to comment
Share on other sites

hi2hello

When emby is creating a folder (which happens every single time a new movie or show is added) the user does have rwx (7) permissions, the group does have r-x (5), anyone else also r-x(5) on this folder. 

 

I did set up the following:

UID = nobody (which is part of group "users")

GID = users

GIDLIST = users

So ownership for those folders is nobody:users

A second user that should also have write access to files / folders is "myuser" (which is also part of group users). 

 

If I'd set up a new user ("newuser") then I could write to these folders only with that specific user, as emby is not giving write permissions to the group but just to the user, right?

So there would be no way to make changes in this folder with any other user than "newuser" or any user belonging to any group? 
 
 
What I would like to achieve, is that not just a specific user but also the group gets write permission to those folders, at least a second user "myuser" could write to the directories (so I could add and change files such as subtitles manually).
 
So, the question would be how to get write access also for the group, not just the user, at the time emby is creating those folders. chmod them afterwards seems a possibility but is a bit annoying.

If that is not possible (and it seems so), as a workaround, I could run emby with a "newuser" and access my folders externally with that same user. Still "myuser" would not have access.
 
 
Right?
 
Link to comment
Share on other sites

Bloodfire

The GID list is actually GROUP not USER. You want to ensure you use the GID values of, at a minimum:

emby, render, video, (whatever group you want to also have access to the files).

 

Now, let's say you want the user "Emby" to have r/w/x. You also want user "Bob" to have r/w/x. Then you need to make a group that has both "Emby" and "Bob", let's call it "embybob". Then, do chown -R emby:embybob

Don't forget to ensure that you have both emby AND bob in the same group, embybob.

 

For myself, I have a user, let's use "emby" for this example. It's part of group "networkdata", for example. So, I make sure all users that I want to have access to it are in the group "networkdata". So, for example, I have user "bloodfire" and "bob" and "bill" all part of networkdata. I want them all to have r/w/x, so it's setup like this:

 

Go to the root folder you want to have access, for example "Media" and do:

 

chown -R emby:networkdata Media

 

This will make all files and folders in Media have the owner "emby" and group "networkdata".

 

Now, you want the group to have r/w/x because you want to admin the files? So you need to change those permissions:

 

chmod -R 77X Media 

 

(where X depends on if you want others to have access too)

 

Examples for X: 7 = RWX, 5 = R-X, 4=R--

 

Now, if you want the files to automatically be made with group access then you need to also do this:

 

chmod g+s -R Media

 

That will make new files or folders in that folder (Media) be part of whatever group you have it set to, in this example "networkdata".

 

Please note that all of this information is available in the links that were provided above, you just have to read it - which I highly recommend if you want to understand what you are doing. :D

Link to comment
Share on other sites

hi2hello

First of all, thank you for the kind replies and the patience.

Sorry not to mention more groups in the GID, that was just an example. As there are no other groups in UnRaid than "video" and "users" that are necessary for running emby, I left that out.

 

I got all the infos and I am aware of changing files afterwards with chmod. I did the changes (also chmod g+s …) and all files that I change afterwards are fine.

 

BUT

 

So now there is a user "Emby" and a user "Bob". Both are part of the group "networkdata".

Ownership on everything related to emby is now set to Emby:networkdata

Still emby is creating NEW folders (lets say: "Moviename") with the following permission Emby:networkdata rwxr-xr-x

So just user "Emby", not the group "networkdata", can edit, add, delete in the folder

"Bob" is still out of the game.

 

Let’s say my second user "Bob" likes to log in via smb into the folder "moviename". He can't make any changes.

 

At least, that's what is practically happening to me.

Link to comment
Share on other sites

mastrmind11

If you set the gidlist up properly, then new files and folders will inherit both the user/group *as well as* the permissions.  So set the root folder to the proper permissions and everything emby creates after that will inherit them.  I have my system set up exactly like this w/ radarr, sonarr, nzbget, etc as their own users, all in the same group, and the proper permissions set at the root of my libraries.

Link to comment
Share on other sites

Q-Droid

The setgid option on a directory will create files and sub-directories that inherit the parent dir GID but they still obey the umask. A umask of 0022 will still prevent write privs for group and other.

 

A more localized and explicit option (more secure) is to use ACLs on the directory tree for your media where you want the shared access. You can get very granular with setfacl and by using the "default" option all files and sub-directories created will inherit the access privileges while preserving creator uid:gid.

 

setfacl -R -m d:u:<user>:rwx,d:g:<group>:rwx,d:mask:rwx <dir>

 

For example you can begin from the parent directory where your media is located and modify group access for the "Movies" dir. The -R option is recursive for existing dir structure with content.

 

Recursively set default ACLs to allow rwx privs for group networkdata on Movies + files/sub-dirs:

 

setfacl -R -m d:g:networkdata:rwx,d:mask:rwx Movies

 

Or only do it for Bob:

 

setfacl -R -m d:u:Bob:rwx,d:mask:rwx Movies

 

Or Bob and Emby if neither is the owner:

 

setfacl -R -m d:u:Bob:rwx,d:u:Emby:rwx,d:mask:rwx Movies

 

 

New files and directories will inherit the ACL. Those with ACLs show up with + after the attributes in a listing.

 

$ ls -l

 
drwxrwxr-x+ 1 sonarr video 5044 Jan  6 14:13 Season 1
 
$ getfacl Season\ 1/
 
# file: Season 1/
# owner: sonarr
# group: video
user::rwx
user:emby:rwx
group::rwx
group:video:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:emby:rwx
default:group::rwx
default:group:video:rwx
default:mask::rwx
default:other::r-x
 
Link to comment
Share on other sites
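Q-Droid's point in the post above (setgid passes on the group, but the umask still removes group write unless a default ACL is present), reproduced as an added example that is not part of any post in this thread. It works only in throwaway `mktemp` directories; the function names are made up for illustration, "Moviename" is borrowed from the thread, and it assumes a Linux `stat -c` and, for the last case only, `setfacl` on a filesystem with ACL support.

```shell
#!/bin/sh
# Added example: constructed sandbox, nothing here touches a real media share.

# Create a setgid, group-writable "library" in a temp location; print its path.
make_library() {
    lib=$(mktemp -d) || return 1
    chmod 2775 "$lib"            # rwxrwsr-x
    printf '%s\n' "$lib"
}

# Low three octal digits of a path's mode (drops the setgid digit).
perm_bits() {
    stat -c '%a' "$1" | sed 's/.*\(...\)$/\1/'
}

# Create a directory and a file under the given umask, in a subshell so the
# caller's umask is untouched. Prints "<dir bits> <file bits>".
create_under_umask() {
    (
        lib=$(make_library) || exit 1
        umask "$1"
        mkdir "$lib/Moviename"
        : > "$lib/Moviename.nfo"
        printf '%s %s\n' "$(perm_bits "$lib/Moviename")" \
                         "$(perm_bits "$lib/Moviename.nfo")"
        rm -rf "$lib"
    )
}

# Same creation under umask 022, but with a default ACL on the parent.
# Prints the new directory's bits, or "n/a" if ACLs are unavailable here.
create_with_default_acl() {
    (
        lib=$(make_library) || exit 1
        if command -v setfacl >/dev/null 2>&1 &&
           setfacl -m "d:g:$(id -g):rwx,d:mask:rwx" "$lib" 2>/dev/null; then
            umask 022
            mkdir "$lib/Moviename"
            perm_bits "$lib/Moviename"
        else
            echo "n/a"
        fi
        rm -rf "$lib"
    )
}

echo "setgid parent, umask 022:       $(create_under_umask 022)"
echo "setgid parent, umask 002:       $(create_under_umask 002)"
echo "umask 022 + default ACL on dir: $(create_with_default_acl)"
```

With umask 022 the new folder lacks group write even though its parent is setgid and group-writable; umask 002 or a default ACL on the parent is what restores it.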

I agree that ACLs are a great tool.

But I would consider them rather advanced. Nothing to be used blindly by beginners who are still trying to grasp the basic unix permission system and its quirks.

 

Don't use them unless you know and understand what you are doing.

Read up on how they work, pros, cons, usage cases and side effects.

Once you know what you are doing, there are always a myriad of ways to achieve your goals in the *nix world :)

 

My best advice would be to keep things simple and document your steps.

And never just paste commandlines you find online, unless you know exactly what is going to happen :D

Link to comment
Share on other sites

hi2hello

I will try once more to go basic and set up users and permissions the way you guys proposed. 

If that, for a second time, still does not change the permission of new folders created by emby for groups (I suppose because of a systemwide umask that is set to 0022), then now I know of two more ways I could go.

 

Right now, I am a bit concerned about changing umask systemwide as I still can’t overlook what cons that might have (security issues). 
I will definitely have a read in ACLs as well. 

Do not wonder if I show up again ;)

 

 

Thank you all very much for your kind help and patience with me. Deeply appreciated!

Link to comment
Share on other sites
