Changing file ownership and permissions on import / rename

Sonarr Version 2.0.0.5301
Mono Version 5.18.0.240
Synology DSM 6.2.1-23824 Update 4 - docker container: linuxserver/lidarr:latest

Debug logs:

Unable to apply permissions to: /my/file/name.mkv: Error setting file permissions: EPERM

NzbDrone.Mono.Disk.LinuxPermissionsException: Error setting file permissions: EPERM
  at NzbDrone.Mono.Disk.DiskProvider.SetPermissions (System.String path, System.String mask) [0x0003e] in M:\BuildAgent\work\5d7581516c0ee5b3\src\NzbDrone.Mono\Disk\DiskProvider.cs:204 
  at NzbDrone.Mono.Disk.DiskProvider.SetPermissions (System.String path, System.String mask, System.String user, System.String group) [0x00000] in M:\BuildAgent\work\5d7581516c0ee5b3\src\NzbDrone.Mono\Disk\DiskProvider.cs:74 
  at NzbDrone.Core.MediaFiles.MediaFileAttributeService.SetMonoPermissions (System.String path, System.String permissions) [0x0000f] in M:\BuildAgent\work\5d7581516c0ee5b3\src\NzbDrone.Core\MediaFiles\MediaFileAttributeService.cs:88

Description of issue:
I have sonarr, radarr and plex running in docker containers on my synology nas. I’d like to keep my file permissions and ownership clean in my media directories to avoid problems down the road. However I don’t want to run sonarr as root.

I’ve created a sonarr user and configured the PUID/PGID in docker. I’ve given the sonarr user full access to the media directory, including changing permissions and ownership. I’ve tried inputting the user/group name and the user/group id that I want to change to, but it doesn’t seem to work no matter what I try.

The result when running a file rename on a season directory is interesting… all files in the directory get renamed according to the naming scheme. The video file permissions get set as per the chmod settings, but the other files (nfo, jpg etc) do not. None of the owner/group settings change.

Also, it doesn’t seem to matter what the original owner/group of the file is. I’m fresh out of ideas of what to try. Hope someone can help?

can you explain what you did here? if the PUID/PGID are set for the container then i cant work out where else youd be putting them?

just to confirm, you also ticked this box when you changed the owner of the top level directories to your sonarr user (or a group its in)?
and you changed the top level directory for every mount used by the sonarr container? eg config, downloads, and media locations

The PUID / PGID are set for the container, yes. As for permissions, the user associated with that UID has full control on path in question and the group has read / write access. Yes I checked the little box when I set it up, and looked at the inheritance in subdirectories.

What I mean by I tried different things was trying various ways of setting permission on that directory to see if the sonarr docker could change file permissions.

So, just to make it more clear… let’s say the user is sonarr belonging to the media group. I set up the container with the ids of that user / group.

And suppose the folder structure is /media/tv/series1, series 2, etc. The media group has rw access. The tv folder is owned by plex:media, as well as all the subdirectories and files.

I want to end up with that staying the same. But what happens now is sometimes sonarr downloads something, sometimes I copy something into the directory, so there ends up being files with different owners, groups and permissions.

I’ve tried giving sonarr full control over the tv directory, I’ve tried giving the group media full control… not sure what the owner/group/permissions need to be set to at these two levels for it to work?

/media/ <— ??
/tv/ <— ??
/show 1/…

run the id command again, double check the values still match what you have

make sure the sonarr user is in the media group

do you have sonarr set permissions or is it disabled? if its set are the values correct?

Thanks for writing back. Ya, I’ve thoroughly checked the id/gid values believe me. And, they are correct because that’s what the files sonarr creates have the owner set to.

Sonarr is also in the media group. I’ve checked and it wouldn’t have write access to the media directories if it wasn’t. Permissions are all set on the media group, no overrides on the sonarr user.

I think my question is more what permission level does sonarr need to change ownership of a file it owns? Does it need to be the current owner and have r/w permission? Or does it need full control of the file itself? Or the parent directory? or…

Sorry I’m a bit of a newbie with linux permissions, still working out the owner/group/everyone bits and how they relate to sharing permissions with some synology acls thrown in the mix.

Maybe an easier question, is it possible to set up in docker to do this without running elevated permissions? And if so, what structure would work at these levels:

media/
tv/
/series/season/episode.file

to take ownership im assuming youd need these permissions

the question is why do you need sonarr to change the owner? by using the sonarr users PUID for all the containers it will automatically be the owner of any new files it creates/downloads

ie, if you use file station to set the top level folder owner to sonarr, tick the box to propagate that downwards, apply it, then give the group read and write permissions and apply that then thats all you should ever have to do to have sonarr be the owner of every file under your media folders

its only going to get a different owner if you change it or use a different user to create a file under those folders - but thats just cosmetic, the sonarr user will still have read/write permissions so can still do anything it needs to, to files with a different owner

yes, its possible, i have it working like that.

i have all my media (jackett, transmission, radarr, sonarr v2/v3) containers running as the media user, and the media-management group

in file station i gave the media-management group read and write permissions to the appropriate top level media folders, and the docker container folders - it is not set as the owner for the folders

thats all i did. i dont have sonarr change permissions as i didnt see any need to change the actual owner if the sonarr user could do whatever it wanted to the files and directory structure anyway, plus it would own any new files

if you do want the actual owner shifted to another user by sonarr then youll most likely need to ensure the sonarr user, or the group, has those admin permissions on the folder the files are in

Ya, that’s what’s confusing. The box is ticked, sonarr user has full control of the tv directory and all subdirectories and files, and yet sonarr still can’t change ownership.

The reason was all the other files were owned by plex, so I didn’t want to end up with some owned by plex, some owned by radarr and different permissions… but maybe it’ll be easier to just change them all to radarr/sonarr. Anyway, I couldn’t get to the bottom of it either and i eventually gave up, but thx for the tips.

Okay, I had to read all of this twice, and I am still not quite sure if I got it, but here goes…

Are you saying that all of your permissions seem to be correct: Sonarr can create the folders it needs, rename the video files, and sets the permissions on them, but it doesn’t change the owners:groups or permissions of other file types? And this bothers you because you are worried about future problems (or perhaps it is just prettier)?

You made this statement:

Permissions set read, write, and execute access to files and directories for three types of users (the owner, members of the assigned group, and everyone that is not the owner or a member of the owning group–this is often referred to as other or everyone).

The assigned group is often (wrongly) referred to as the owning group. It is actually just the group assigned to the file. Group permissions just make it so the owner can set access to a limited group of users rather than having to set blanket permissions for everyone. Owner permissions are basically there to protect the owner from inadvertently reading, writing, or executing files that they needed protected from that type of access.

Ownership lets you set those permissions. It will also let you change the group to another group to which you belong. It does not let you change the owner or change the group to a group to which you do not belong. Only root can do that (directly). To illustrate why:

Say you and Steve both have access to the same NAS, and you are both in the same group. Now say Steve downloads a lot of kiddie porn. should he be able to change the owner of those files to you just because he owns them?

But honestly, there is no operational reason you need the same user:group and permissions for every directory and file. in fact, in a general sense, you shouldn’t. See next post for my setup.
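
The ownership rules described in the post above, as an added shell example that is not part of the original thread. It goes slightly beyond the post by also modelling chmod, which on Linux is limited to the file's owner. The function names are hypothetical, euid 0 is assumed to stand in for holding CAP_CHOWN / CAP_FOWNER, and `stat -c` assumes GNU or BusyBox stat.

```shell
#!/bin/sh
# Added example: models which chmod/chown calls Linux allows.
# Assumption: euid 0 stands in for holding CAP_FOWNER / CAP_CHOWN.
# GROUPS arguments are space-separated numeric gids, as printed by `id -G`.

in_list() {  # in_list GID "GID GID ..."
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# chmod: only the file's owner (or root) may change the mode bits.
can_chmod() {  # can_chmod EUID FILE_UID
    [ "$1" -eq 0 ] || [ "$1" -eq "$2" ]
}

# chown: a non-root caller must own the file, cannot change its uid, and
# can only move it to a group the caller is a member of.
can_chown() {  # can_chown EUID "GROUPS" FILE_UID FILE_GID NEW_UID NEW_GID
    [ "$1" -eq 0 ] && return 0
    [ "$1" -eq "$3" ] || return 1   # caller is not the owner
    [ "$5" -eq "$3" ] || return 1   # giving the file to another uid
    [ "$6" -eq "$4" ] || in_list "$6" "$2"
}

# Check a real file against the identity of the current process.
preflight() {  # preflight PATH NEW_UID NEW_GID
    f_uid=$(stat -c %u "$1") || return 2
    f_gid=$(stat -c %g "$1") || return 2
    me=$(id -u)
    mine=$(id -G)
    if can_chmod "$me" "$f_uid"; then echo "chmod: allowed"
    else echo "chmod: EPERM (uid $me does not own the file)"; fi
    if can_chown "$me" "$mine" "$f_uid" "$f_gid" "$2" "$3"; then
        echo "chown $2:$3: allowed"
    else echo "chown $2:$3: EPERM"; fi
}

# Usage: sh preflight.sh /path/to/file NEW_UID NEW_GID
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Run it inside the container as the same uid the application uses, so that `id` reports the identity that actually makes the calls.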

Program: User:EffectiveGroup
deluged: vpn:mediamgr
sonarr: sonarr:mediamgr
radarr: radarr:mediamgr
lidarr: lidarr:mediamgr
plex: plex:mediamgr

My user is jason and I am a member of each of the above users’ groups
Media root directories are jason:mediamgr
Permissions for all media directories are rwxrwx---
Permissions for all files are at least rw-rw----
The owner of the remaining directories and files is whichever program put it there first, but all of the groups are mediamgr. The only time I ever have a problem is if I move something (mv doesn’t retain permissions) and forget to change the group afterwards. Which is why most of the time I do an archive copy and then delete the original (cp -a path/filename newpath/ && rm path/filename for a file or cp -ar path/dirname newpath/ && rm -r path/dirname for a directory).

Yes, my directories and files have a mix of owners, but I can tell which program generated them that way, and they all have the same group. and if I move something and forget about it, I can quickly find files that have a group other than mediamgr. (Of course, if it is really that important to you, you can always set a cron job (as root) to periodically change all of the directories and files to a specific owner:root and permission level combination.)

Hope this helps…or I guess, hope this helps your understanding of what is going on, why, and gives you a little peace of mind.

Oh, and you can of course run all of them as the same user and the same group as you mentioned, even your own user/group, but I don’t recommend it. It can actually increase the chances of a problem occurring, or rather of a single problem causing more problems, since the programs will share home directories and such. ← If each is in their own docker container, this shouldn’t be a problem. Just remember to change the permissions of all of the files/directories and be aware that updates can sometimes change the users and groups in the startup files if you haven’t crafted the init/systemd/whatever other type of start up file overrides correctly.
