Ubuntu Permissions Issues

[nuentes 32]

Feeling dumb right now. I've been using Ubuntu Mate and Emby for years now, but I'm struggling with my new install. I'm running a XEN hypervisor which is directly passing my removable media to my Ubuntu Mate VM. Mate has mounted these drives in /media/andre/. I added the emby user to the andre group, which should have been the end of this. However, Emby sees the /media/andre/ folder as empty (even though there are 2 drives mounted in there) even after multiple logouts/reboots. I also added a symlink to one of my drives (/media/andre/160GB_1) to the /mnt/ folder. Symlink location is /mnt/160GB_1/. Emby does not even see this folder inside the /mnt/ folder, however it can see other folders I have created.

 

I have not really made any adjustments to permissions, besides adding the emby user to the andre group. I've checked the folder permissions for each of these folders and I really cannot see any good reason why I can't access these drives.

 

This is, I suppose, my first time trying to add the drives to emby in this method. My old system used an fstab file to mount them at startup into the /mnt/ folder. I really did not like that system, as I hated needing to maintain the fstab file just so that I could boot my OS cleanly. I do not want to modify the fstab file in order to make this work. And my previous system was my first foray into VMs, and Virtualbox mounted the drives directly into the /mnt/ folder with shared paths. So I am assuming there is just some funny permissions in the /media/ folder which I have never had to deal with. Can anybody help me? Feeling kind of dumb right now.

[sargenthp 25]

So are you running a Linux OS plus a XEN Linux OS (mate) on a Linux OS? I am assuming that you added the user emby to your andre group in the mate instance. Can you get to the attached drives as a different user such as andre while within the mate instance?

[nuentes 32]

Hm. Nope, not quite. We're dealing specifically right now with a XEN hypervisor with a Ubuntu Mate VM. At the end of my post, I mentioned a few prior setups I've used. We are discussing a new system, new hardware that is in config/testing. When this is configured I will retire out my current prod environment, which is a Lubuntu host running Virtualbox with a Ubuntu Mate guest VM (this is where Emby is installed).

 

I am not really here to discuss my prior setups, as those are/were working. That was just backstory.

 

So we will discuss the Ubuntu Mate VM which is running under the XEN hypervisor. Yes, the emby user is in the andre group in this VM. And yes, this is also the VM where emby is installed. I can access the drives without issue when signed in to the VM with the andre user.

[sargenthp 25]

OK... 

• Make sure that the emby user is in the group media.
• Not sure if using /media/andre will work since that is use more for the specific user logged in.  You could maybe use autofs to mount the drives to a location instead of fstab and it would be little more forgiving.
• In my environment I setup facls on the folders where I want emby to be able to read (or read/write).

I would start a shell session as emby to see where I am unable to get into at the terminal level:  sudo -u emby /bin/bash

[nuentes 32]

• I don't have a group named media. Not sure why. I have a feeling simply creating it and adding the emby user wont do much of anything, so not sure what to do next.

autofs sounds like its for temporary mounts. I want these to be static and permanent.

the emby user is able to get into /media/, however it can't get into /media/andre . Also, it sees the symlink in the /mnt/ folder, but it shows as red, and I can't access it. These are all just permission denied errors. I changed the group permissions on /media/andre from root to andre, but that hasn't resulted in any further luck.

[mastrmind11 717]

 

• I don't have a group named media. Not sure why. I have a feeling simply creating it and adding the emby user wont do much of anything, so not sure what to do next.
• autofs sounds like its for temporary mounts. I want these to be static and permanent.
• the emby user is able to get into /media/, however it can't get into /media/andre . Also, it sees the symlink in the /mnt/ folder, but it shows as red, and I can't access it. These are all just permission denied errors. I changed the group permissions on /media/andre from root to andre, but that hasn't resulted in any further luck.

 

well if andre is root, then no one will get into it besides root.  if you change the group to something else, and then add the emby user to that group, then emby will have whatever access the group has on that mount.  

[nuentes 32]

Not fully clear on what you're saying, so I'll resummarize what I've done.

• I've changed the permissions for /media/andre to owning group 'andre' (read/write access). The owner is still the 'root' user. Previously the owning group was 'root'.
• the emby user is in the 'andre' group
• the emby user still cannot access /media/andre (reboots/logouts have indeed been performed)

[Luke 37008]

Have you taken a look at our file permissions guide?

https://emby.media/community/index.php?/topic/32218-file-permissions-guide-for-new-linux-users/

[mastrmind11 717]

what happens when you ssh into the box and switch to the emby user, then try to ls the contents of the andre folder?

[nuentes 32]

Very sorry for the delays on this. I had to de-prioritize this project for a while. And now I'm ready to bang my head against the wall with Linux permissions again.

 

@mastermind11 when I change to emby user, here is what I get:

andre@NASv2:~$ sudo -u emby /bin/bash
[sudo] password for andre: 
emby@NASv2:/home/andre$ cd /media
emby@NASv2:/media$ ls
andre
emby@NASv2:/media$ cd andre
bash: cd: andre: Permission denied
emby@NASv2:/media$ cd /mnt
emby@NASv2:/mnt$ ls
160GB_1  2TB_1  2TB_2  4TB_1  4TB_2  5TB_1  8TB_1  8TB_2  shares
emby@NASv2:/mnt$ cd 160GB_1
bash: cd: 160GB_1: Permission denied

And this mirrors what I see in emby. I can add /media/ and I can add /media/andre, but /media/andre/ shows as empty

 

@@Luke, yes, I've read through that before. And I understand how Linux permissions work. Here are some folder permissions:

andre@NASv2:~$ groups embyemby : emby video render andre
andre@NASv2:~$ ls -l /media/
total 4
drwxrwxr-x+ 4 root andre 4096 Apr 18 11:42 andre
andre@NASv2:~$ ls -l /media/andre/
total 8
drwxrwxr-x+  5 andre andre 4096 Apr 11 12:18 160GB_1
drwx------  11 andre andre 4096 Apr  7  2018 8TB_1
andre@NASv2:~$ ls -l /media/andre/160GB_1/
total 20
drwxrwxr-x 9 andre andre  4096 Apr 11 12:41 'Completed TV'
drwxrwxr-x 2 andre root  16384 Apr 11 11:45  lost+found

 

Edited June 1, 2020 by nuentes

[Q-Droid 634]

You have ACLs on /media/andre and /media/andre/160GB_1. There could very well be entries that are preventing access by user emby.

 

Run getfacl on those two paths to see what's been defined in the ACLs. Also run "id emby" to see group membership info.

[nuentes 32]

I didn't even know what ACLs were. Also, I had run "groups emby" in the previous output, but I accidentally combined the lines - but I've run the slightly different command you suggested.

andre@NASv2:~$ sudo getfacl /media/andre
getfacl: Removing leading '/' from absolute path names
# file: media/andre
# owner: root
# group: andre
user::rwx
user:andre:r-x
group::---
mask::rwx
other::r-x
default:user::rwx
default:group::---
default:mask::rwx
default:other::r-x

andre@NASv2:~$ sudo getfacl /media/andre/160GB_1
getfacl: Removing leading '/' from absolute path names
# file: media/andre/160GB_1
# owner: andre
# group: andre
user::rwx
group::rwx
group:andre:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::r-x

andre@NASv2:~$ id emby
uid=998(emby) gid=998(emby) groups=998(emby),44(video),109(render),1000(andre)

Again, if there are ACLs, I didn't configure them, so assistance would be appreciated. Thanks so much! Sounds like we're finally on track.

[Q-Droid 634]

I think I see the problem and once you get past /media/andre it should be good from there.

 

User andre is explicitly allowed 'r-x' to /media/andre via the ACL but the directory group owner (andre) has '---', which would keep emby out. The ACL is specific and would override the standard permissions.

 

Both paths are also showing default ACLs defined meaning sub-directories will be created with those permissions.

 

Are you sure you didn't create these? If not then it's possible these came from the hypervisor?

 

You could change the ACL for /media/andre but without knowing what created and/or manages them there's a chance they could get set back.

 

This will make /media/andre match 160GB_1:

setfacl -m g::rwx,d:g::rwx /media/andre

[nuentes 32]

THERE WE GOOOOO

 

Thank you so much. I'm not sure what created these permissions. I'll keep this in mind for my next couple reboots though, just in case this permission keeps getting reset. At least now I know the issue and I can research further.

[chudak 23]

@Q-Droid

Need your help too

Does this look correct?

sudo getfacl backup/
 

Quote

 

# file: backup/

# owner: root

# group: root

user::rwx

group::rwx

other::rwx

 

My drive is ntfs mounted via ftab

[Q-Droid 634]

Those look like 'rwx' for everyone, basically 777 permissions on backup. Can't say if it's right or wrong without knowing the intended purpose.

It will allow anyone to access the directory, create and remove files.

[chudak 23]

7 minutes ago, Q-Droid said:

Those look like 'rwx' for everyone, basically 777 permissions on backup. Can't say if it's right or wrong without knowing the intended purpose.

It will allow anyone to access the directory, create and remove files.

@Q-Droid

I wish I knew the purpose   I am seeing some issues 

and looking all over the place....   777 does not sound like can add any issue to emby, does it?

[Q-Droid 634]

Unlikely that your streaming issue would be file/directory permissions related. Problems with permissions tend to be an all or nothing proposition. Streaming problems more often are tied to client/server resource limitations, networking and/or compatibility.

[chudak 23]

I hear you and agree, but so far pulling my hear out trying to find what's going on ...