Jellyfin Forum
Web UI files Ownership? - Printable Version

+- Jellyfin Forum (https://forum.jellyfin.org)
+-- Forum: Support (https://forum.jellyfin.org/f-support)
+--- Forum: General Questions (https://forum.jellyfin.org/f-general-questions)
+--- Thread: Web UI files Ownership? (/t-web-ui-files-ownership)



Web UI files Ownership? - alphamike-1612 - 2024-01-06

Hello,

TL;DR - Can the web-ui files located at /usr/share/jellyfin/web-ui be owned by user jellyfin, without creating a vulnerability? (Default ownership is root)

I have tried searching the official docs and forums and reddit but couldnt find what I was looking for.

System - Debian 12 Bookworm x64.

I have installed jellyfin via the manual method (add repo, install jellyfin with sudo apt install). In this case, user jellyfin has been created who owns the log files at /var/log/jellyfin and the json/xml files at etc/jellyfin.

However, the web-ui at /usr/share/jellyfin is owned by root. (The folder jellyfin itself is also owned by root.) This is not a problem in day to day use, but whenever I use plugins that would like to modify the index.html file inside this folder, they complain and I am required to manually enter the values inside the file.

I am tempted to change ownership of this folder also to the user jellyfin but I am wondering if there is a reason behind why the automatic install chose to keep this directory under root control?

In other words, by changing the ownership am I inviting trouble for myself?

If it makes a difference to security, my interface is accessible remotely via a reverse proxy. In other words, this means that my jellyfin cannot differentiate between a local and a remote connection since according to it, all connections originate from beyond the reverse proxy.

Thank you,

alphamike-1612


RE: Web UI files Ownership? - TheDreadPirate - 2024-01-06

Do not change ownership of the web folder. Even if you change the permissions, you would need to manually change modify those files for certain plugins anyway since the automated plugin install process just can't do that kind of task regardless of permissions. I'm assuming this is in regards to something like Jellyscrub or intro skipper.