Plex ACL permissions

Billium813

Cadet
Joined
Dec 17, 2022
Messages
7
I'm rather confused by the way I have to configure ACL permissions to allow plex access to my media libraries.

Setup:
I have a User "plex", with user id 972. I have configured this user to be Primary Group "media" and Auxiliary Group "guest".

For the storage pool that contains my media, I have the following ACL permissions configured:
[Attached screenshot: Screenshot 2023-01-08 200007.png]

I specifically set the Group for this Pool to be "media" so that the user "plex" would have READ access to this pool. However, the group@ portion of this ACL doesn't seem to work! Instead, I have to add the specific User permissions to allow "plex" to read the media. Why is this required? I'm a TrueNAS newb, so please forgive me if there is something super obvious, but I can't figure out WHY I have to configure my ACL permissions in this way.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Is this SCALE or CORE? Regardless, I don't believe that the plex user is a member of the host `media` group by default. You need to bear in mind that users / groups in the host have no impact on processes that are running in a jail / app (the jail / app has its own users / groups). This is actually a good thing because you don't want a broken or compromised container to have immediate access to the passwd / shadow file of the host.
 

Billium813

Cadet
Joined
Dec 17, 2022
Messages
7
Sorry for the late reply.

Core. Also, the "plex user" doesn't exist by default, just the ID 972 is being used. I created a user with that ID and added the group "media" to that user. The ACL permissions still apparently know who that user is because setting specific ACL permissions for the "plex" user I created WORKS! Just using the group@ ACL config doesn't work though... and that's where the issue is. They should be the same thing, right?

I don't think this has anything to do with the plex app or the jail, right? I mean, the ACL I have works just fine when the "plex" user is mentioned specifically. I don't have anything specific in my jail config to make this work. It's just using the user ID 972, which is the "plex" user I have set.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
This is what an ACL Entry looks like:
Code:
struct acl_entry {
    acl_tag_t           ae_tag;         /* user, group, or a special id such as owner@ / group@ / everyone@ */
    uid_t               ae_id;          /* numeric uid or gid; no name is stored */
    acl_perm_t          ae_perm;        /* permission bits granted or denied */
    /* NFSv4 entry type, "allow" or "deny".  Unused in POSIX.1e ACLs. */
    acl_entry_type_t    ae_entry_type;
    /* NFSv4 ACL inheritance.  Unused in POSIX.1e ACLs. */
    acl_flag_t          ae_flags;
};
typedef struct acl_entry    *acl_entry_t;


There's an ae_tag (indicating user, group, or special id), ae_id (numerical uid / gid), ae_perm (the permissions granted), ae_entry_type (allow / deny), and ae_flags (the inheritance flags). There are no names in the ACL, just IDs.

You created a user called plex in the host with uid 972 which happens to match the uid granted to the "plex" user in the jail. If you had named your user "bob" (and kept uid 972) and granted access to the user "bob" in the webui, then your jailed plex process would also have gotten access to the data. Making "bob" a member of "wheel" doesn't grant "plex" in the jail the same group membership.

Compare the output of `id plex` in both the jail and the host. In the jail, plex won't be a member of media, ergo it gets no access. Do note that for groups too, you need to look at numerical ids and not names to determine access.
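anodos's point above, worked through as an added example (not part of the thread, and not TrueNAS or FreeBSD code): a small model of how the kernel evaluates an NFSv4 ACL. Every ACE carries a special tag or a numeric id, and the requester is matched by numeric uid and gids, never by name, so the same uid 972 gets a different answer depending on which group file (host or jail) produced its gid list. The ACL text is written the way `getfacl -n` prints it, the file's owning uid/gid (0 / 1001), the host gid of `media` (1001), the gid of `guest` (31) and the jail's `plex` gid (972) are all assumptions, and the two credential sets are constructed to mirror `id plex` on the host and inside the jail.

```python
"""NFSv4 ACL evaluation by numeric id only.  Added example, not TrueNAS/FreeBSD code."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

# Permission letters in the order FreeBSD getfacl prints an NFSv4 ACE.
PERM_LETTERS = "rwxpDdaARWcCos"
SPECIAL_TAGS = ("owner@", "group@", "everyone@")


@dataclass(frozen=True)
class Ace:
    tag: str                # owner@ | group@ | everyone@ | user | group
    ident: Optional[int]    # numeric uid/gid for user/group ACEs, else None
    perms: FrozenSet[str]   # subset of PERM_LETTERS
    flags: str              # inheritance flags; irrelevant to an access check
    kind: str               # allow | deny


@dataclass(frozen=True)
class Cred:
    uid: int
    gids: FrozenSet[int]    # primary + supplementary gids, numeric only


def parse_getfacl(text: str) -> List[Ace]:
    """Parse the ACE lines of `getfacl -n` output; '#' header lines are ignored."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if parts[0] in SPECIAL_TAGS and len(parts) == 4:        # tag:perms:flags:type
            tag, ident, perms, flags, kind = parts[0], None, parts[1], parts[2], parts[3]
        elif parts[0] in ("user", "group") and len(parts) == 5:  # tag:id:perms:flags:type
            tag, ident, perms, flags, kind = parts[0], int(parts[1]), parts[2], parts[3], parts[4]
        else:
            raise ValueError(f"unrecognised ACE: {line!r}")
        if len(perms) != len(PERM_LETTERS):
            raise ValueError(f"bad permission field in: {line!r}")
        granted = frozenset(p for p, c in zip(PERM_LETTERS, perms) if c != "-")
        aces.append(Ace(tag, ident, granted, flags, kind))
    return aces


def ace_applies(ace: Ace, cred: Cred, file_uid: int, file_gid: int) -> bool:
    """Match the requester against one ACE, strictly by numeric id."""
    if ace.tag == "owner@":
        return cred.uid == file_uid
    if ace.tag == "group@":
        return file_gid in cred.gids   # the file's owning gid must be in the requester's gid list
    if ace.tag == "everyone@":
        return True
    if ace.tag == "user":
        return cred.uid == ace.ident
    if ace.tag == "group":
        return ace.ident in cred.gids
    return False


def access_allowed(aces: List[Ace], cred: Cred, file_uid: int, file_gid: int, want: Set[str]) -> bool:
    """Walk ACEs in order; the first applicable ACE mentioning a still-undecided requested
    bit decides it, and a deny on any requested bit fails the request.  Root's bypass and
    the owner-always-reads-ACL rule are deliberately left out of this model."""
    undecided = set(want)
    for ace in aces:
        if not undecided:
            break
        if not ace_applies(ace, cred, file_uid, file_gid):
            continue
        hit = undecided & ace.perms
        if not hit:
            continue
        if ace.kind == "deny":
            return False
        undecided -= hit
    return not undecided


# Constructed ACL for the media dataset: owner root (0), group "media" (assumed gid 1001).
FILE_UID, FILE_GID = 0, 1001
MEDIA_ACL = """\
# file: /mnt/tank/media
# owner: 0
# group: 1001
            owner@:rwxp--aARWcCos:fd-----:allow
            group@:r-x---a-R-c--s:fd-----:allow
         everyone@:------a-R-c--s:fd-----:allow
"""
# The same ACL after an explicit entry for uid 972 was added in the web UI.
MEDIA_ACL_PLUS_USER = MEDIA_ACL + "          user:972:r-x---a-R-c--s:fd-----:allow\n"

# Host `id plex`: uid 972, primary media (1001), auxiliary guest (31; assumed).
HOST_PLEX = Cred(uid=972, gids=frozenset({1001, 31}))
# Jail `id plex`: same uid 972, but the jail's own group file only knows the package's
# "plex" group (assumed gid 972).  Host gid 1001 never appears in this list.
JAIL_PLEX = Cred(uid=972, gids=frozenset({972}))

READ_DIR = {"r", "x"}   # list the directory and traverse into it


def demo() -> dict:
    base = parse_getfacl(MEDIA_ACL)
    with_user = parse_getfacl(MEDIA_ACL_PLUS_USER)
    return {
        "group@ only, host plex": access_allowed(base, HOST_PLEX, FILE_UID, FILE_GID, READ_DIR),
        "group@ only, jail plex": access_allowed(base, JAIL_PLEX, FILE_UID, FILE_GID, READ_DIR),
        "user:972 added, jail plex": access_allowed(with_user, JAIL_PLEX, FILE_UID, FILE_GID, READ_DIR),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28s} -> {'allowed' if ok else 'DENIED'}")
```

The three cases reproduce the thread: with only group@, the host's plex (which carries gid 1001) reads the dataset, the jail's plex (gid 972 only) does not, and adding `user:972` lets the jailed process in because that ACE matches on uid alone. Running `getfacl -n` on the dataset and `id plex` inside the jail gives the real inputs to plug in instead of the assumed ones.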
 

Billium813

Cadet
Joined
Dec 17, 2022
Messages
7
I understand that the name is just a mapping to a uid. The reason I am referring to the name "plex" all the time is because, in the TrueNAS ACL configuration, I am using "plex" (uid 972) to give READ access to this specific uid, for this pool.

Perhaps the issue is that I don't seem to understand how a jail uses its UID on the host. I was under the assumption that the ACL permissions are permissions for access to the files on the host. The jail, uses the uid (972 in this case) to access those files ON the host. Meaning, that if the jail is using 972, then the jail would get access on the host to all the groups associated with that uid. That made intuitive sense to me, but I must be mistaken and need to read up on jails.

Thanks for the reply
 