Plex UID, file permissions on SCALE?

[DavidYLau]

Hi, TrueNAS-SCALE newbie here...

Some basic questions on Plex set-up:

1) What is the UID, GID of Plex app running on SCALE? Is it Apps (uid=568,gid=568)? Or does it run with a separate uid/gid ?

2) Any recommendations of the dataset ownership for the Plex libraries? Should the libraries be owned by the Plex uid ?

Thanks in advance for any help..

 

[danb35]

It may depend on whether you're using the Truecharts Plex app or the "official" one--all the Truecharts apps, IIRC, run as the "Apps" user. I'm not sure how important ownership of the libraries is, but apps would then at least need to be able to read those datasets.

 

[DavidYLau]

It may depend on whether you're using the Truecharts Plex app or the "official" one--all the Truecharts apps, IIRC, run as the "Apps" user. I'm not sure how important ownership of the libraries is, but apps would then at least need to be able to read those datasets.

I'm using the "official" app, not the Truecharts app.
How do I find the uid/gid of the Plex app?

 

[TrueFellow]

I'm using the "official" app, not the Truecharts app.
How do I find the uid/gid of the Plex app?

You can add:

PLEX_UID and PLEX_GID as an Environment variable and use the "apps" users GID and UID. I think "apps" uid/gid is 972.

 

[TrueFellow]

Since i can't edit my post (why would you restrict editing a post while its moderated?????)

Plex's should be 972. User "apps" should be 568

 

[DavidYLau]

Since i can't edit my post (why would you restrict editing a post while its moderated?????)

Plex's should be 972. User "apps" should be 568

Thanks for your input..

When I look at the list of the users (including the hidden internal ones), I don't see a separate Plex user.

 

[indivision]

Thanks for your input..

When I look at the list of the users (including the hidden internal ones), I don't see a separate Plex user.

If you are looking at the TrueNAS local users, Plex wouldn't be there. The Plex user would only be within the running app instance.

I am also curious how other people manage this. For instance, it looks like a person could just add user 568 to a "media" group and give that group access to shared locations. Then, their installed apps would (in most cases) automatically have the proper access to those locations when mounted...

Seems pretty efficient. But, I set my system up a bit differently. I made a group with those permissions. Then I change "fsGroup" within each app when I install it to match that group. So, they get permissions that way.

The advantage of that system is that you can then use multiple different groups for different apps in case you don't necessarily want all apps to have the same permissions to the same areas. For instance, maybe you allow apps like Plex and Radarr to have access to a lower security area of your server. But, don't want them to have any perms on a business-related area.

 

[TrueFellow]

Thanks for your input..

When I look at the list of the users (including the hidden internal ones), I don't see a separate Plex user.

What indivision said.

Plex doesnt have a user in the TrueNAS-OS, I would do it as indivision said or just set 568 (apps) as the user within the plex container with the env_variables i mentioned.

 

[DavidYLau]

If you are looking at the TrueNAS local users, Plex wouldn't be there. The Plex user would only be within the running app instance.

I am also curious how other people manage this. For instance, it looks like a person could just add user 568 to a "media" group and give that group access to shared locations. Then, their installed apps would (in most cases) automatically have the proper access to those locations when mounted...

Seems pretty efficient. But, I set my system up a bit differently. I made a group with those permissions. Then I change "fsGroup" within each app when I install it to match that group. So, they get permissions that way.

The advantage of that system is that you can then use multiple different groups for different apps in case you don't necessarily want all apps to have the same permissions to the same areas. For instance, maybe you allow apps like Plex and Radarr to have access to a lower security area of your server. But, don't want them to have any perms on a business-related area.

Your last paragraph gets to the reason for my original post. It seems to me that having all the apps use the same UID/GID breaks some of the security features that come with using containers or VMs. For myself, I would like my media-related apps to be able to access my media libraries, but not to be able to access my back-ups or other non-media related files.

 

[DavidYLau]

What indivision said.

Plex doesnt have a user in the TrueNAS-OS, I would do it as indivision said or just set 568 (apps) as the user within the plex container with the env_variables i mentioned.

Personally, I think it's better for security if each app would use it's own UID/GID. If Plex is already using its own UID/GID while running, I think that's preferable.

 

[indivision]

Your last paragraph gets to the reason for my original post. It seems to me that having all the apps use the same UID/GID breaks some of the security features that come with using containers or VMs. For myself, I would like my media-related apps to be able to access my media libraries, but not to be able to access my back-ups or other non-media related files.

That's a fair point. But, then, the solution I gave solves it. You don't have to give any permissions to 568 at all.

Instead, make your own groups. As many as you like for however many silos you need. Then use the "fsGroup" field in the app settings for each app to assign them to the different groups.

 

[Murphy1138]

Where can one get a list on environmental variables? Bluefin broke my Plex app and just had to fudge it with info from this thread.

 

[Mister Pipps]

You can add:

PLEX_UID and PLEX_GID as an Environment variable and use the "apps" users GID and UID. I think "apps" uid/gid is 972.

I created an account specifically to thank you for solving my issue. I ended up keeping the ID of 568 just to keep it in line with Truenas's built in apps user.