Using ACLs to Solve Permissions Issues

Posted by Thoughts and Ramblings on Friday, December 21, 2018

One of the more annoying issues that can impact novices on Linux systems is handling permissions across multiple users. One of the contexts where I see this the most is on the Plex forums where users have to deal with allowing the Plex Media Server to see their media when it runs as a different user. Years ago I solved this problem on my system with using ACLs and I’ve never had to deal with the permissions on my media since.

Enable ACLs

The common filesystems on Linux systems tend to support ACLs but they are often disabled. For many they can be turned on by adding acl to the mount options in the /etc/fstab.  Ubuntu’s documentation has better instructions than I can give here.  For those using ZFS, you can run zfs set acltype=posixacl filesystemName and it’ll enable the ACLs for you immediately (no need to re-mount the filesystem).

ACL Setup

The easiest solution is to setup the ACLs on the root directory and then use a command that copies the ACLs down the directory tree.  So first enter the root media directory and execute:

setfacl -m o:- .
setfacl -m d:o:- .
setfacl -m m:- .
setfacl -m d:m:- .
setfacl -m u:$USER:rwX .
setfacl -m d:u:$USER:rwX .
setfacl -m u:plex:rX .
setfacl -m d:u:plex:rX .

(fill in $USER with your desired username above)

The above does the following (each description corresponds to a pair of lines above):

  1. Remove the permissions for other users and their default permissions

  2. Clear out the permissions mask

  3. Add the your user with full permissions

  4. Add the plex user with read and execute permissions (execute needed to enter directories).

The default entries define the ACL entries that a new file or directory receives.  From the above, your user will automatically get full permissions to the file and the plex user will get read access.  Once the permissions for the root directory are as desired, you can copy them to all subdirectories and files (shamelessly stolen from this SO post):

getfacl . | sed -e 's/x$/X/' > acls; find . -mindepth 1 -type d -print0| xargs -0n 50 setfacl -b --set-file=acls
getfacl . | grep -v '^default:' | sed -e 's/x$/X/' > acls; find . -mindepth 1 -type f -print0| xargs -0n 50 setfacl -b --set-file=acls
rm acls

The above takes all the ACL entries from the current directory, translates the lower-case x at the end to a capital X (this means only apply the execute permission to directories and executable files), and then use this result to overwrite the ACL entries on every sub-directory.  The second command is similar but it applies to files instead and removes all default entries (because files cannot have default entries as they only apply to directories).

The Result

The permissions for my media files are exactly as I desire regardless of how they are created.  I don’t have to worry about umasks, sticky bits on the group, group membership, or too permissive files.  I can have a umask of 077 where files are created without allowing any permissions to any other user, and with the ACL setup, the plex user will still be able to read the media files.  If I rsync the files over preserving permissions, the group name and permissions don’t matter; the plex user will still be able to read the media files.  Basically, everything I do, apart from modifying ACL entries, the plex user will still be able to read the media files.  This truly is a set it and forget it kind of setup.