WebUI Error Deleting Media

[FortySixnTwo]

Hi,
So I'm getting the error mentioned in the title when attempting to delete media via the WebUI. I've attached the logs below.
SSH'd into the VM, and using su -u jellyfin to impersonate Jellyfin's user (Which is part of the group 'media'), I see the following permissions:

Code:

drwxrwxr-x 2 nobody media      4096 Oct  8 09:45  [Item Folder Name]
-rwxrwxr-x 1 nobody media 1500774400 Oct  5  2021 [Item File Name]

I can create, modify and delete files in the Film & TV directories using vi and rm when impersonating the jellyfin user, so I'm at a bit of a loss as to why the WebUI isn't able to. The only difference between the media files and a .txt created this way is that it's owned by the jellyfin user instead of nobody.

Code:

[2024-01-25 14:39:38.507 +00:00] [INF] Removing item, Type: "Movie", Name: " [ITEM] ", Path: "/shared/media/Film/[ITEM]", Id: a8cdbac4-88bb-b067-a025-4a926b1a3738
[2024-01-25 14:39:38.512 +00:00] [INF] Deleting item path, Type: "Movie", Name: " [ITEM]", Path: "/shared/media/Film/ [ITEM] ", Id: a8cdbac4-88bb-b067-a025-4a926b1a3738
[2024-01-25 14:39:38.515 +00:00] [ERR] Error processing request: "Access to the path '/shared/media/Film/ [ITEM] ' is denied". URL "DELETE" "/Items/a8cdbac488bbb067a0254a926b1a3738".

[tmsrxzar]

"The only difference between the media files and a .txt created this way is that it's owned by the jellyfin user instead of nobody."

then make the owner of the files jellyfin and recheck, seems to be an easy test
if it works; you know the problem and how to fix it

if you use google you will see that 'nobody' owned files are an issue to delete in almost all situations on linux

[FortySixnTwo]

I did google a whole bunch of stuff, have been for hours, just not the correct thing by the looks of it. Thanks for bringing my attention to the actual issue instead of the stuff I've been fixating on.

Assuming I must ensure all of my files are owned by a known user, does this not mean I'll have to map every uid I'm planning on using to every container that might need full write permissions? I know it's well beyond the question, or this forum, but at first glance it seems to me like that will significantly reduce the security all this id mapping provides.

[TheDreadPirate]

If you have a directory where multiple users need access and have similar permission needs you would need to create a group, add all those users to this new group, and then set the group permissions on the shared directory accordingly.

[FortySixnTwo]

The shared dir is owned by group 1002 and my jellyfin user is part of that group. Which I reckon is why I can create and delete my own files in those dirs but I assume nobody being the user that owns the existing files is stopping jellyfin from modifying. Haven't had time to try mapping all those other uids.

[tmsrxzar]

i wouldn't offer or accept security advice on this forum, sorry

[FortySixnTwo]

I had a chance to try your suggestion. I changed the owner of the File & Folder to be deleted in the WebUI to 1005, the jellyfin user account. I still get the 'Error deleting media' message.

This time however, the file has been deleted. So my assumption here is that the folder containing the file/folder Jellyfin needs to modify must also be owned by a known user.

I'm going to map the entire range of uids that will own any files that Jellyfin might need modify rights for, hopefully any security drawbacks from doing this are less severe than just running all my containers unpriviliged.

[FortySixnTwo]

Files & folders are now mapped to users for the Jellyfin VM.

Still can't delete any files/folder using the webui which are owned by the media group but not the jellyfin user.

I can delete the files & folders using rm, when logged in as the jellyfin user via ssh.

So back again to the WebUI being unable to delete media but the user account being able to in shell.

User is no longer nobody, group owner is 'media'.

Code:

jellyfin@jellyfin:/root$ ls -l /shared/media/Film/[ITEM]
total 1436188
-rwxrwxr-x 1 1000 media        37 Oct  5  2021 '[FileName].txt'
-rwxrwxr-x 1 1000 media        609 Oct  5  2021  [filename].NFO
-rwxrwxr-x 1 1000 media 1470642428 Oct  5  2021  [item].avi
jellyfin@jellyfin:/root$ ls -l "/shared/media/Film/[item]/[filename].txt"
-rwxrwxr-x 1 1000 media 37 Oct  5  2021 '/shared/media/Film/[item]/[filename].txt'

Files can be deleted.

Code:

jellyfin@jellyfin:/root$ rm "/shared/media/Film/[item]/[filename].txt"
jellyfin@jellyfin:/root$ ls -l "/shared/media/Film/[item]/[filename].txt"
ls: cannot access '/shared/media/Film/[item]/[filename].txt': No such file or directory

Directories can also be deleted by the 'jellyfin' user.

Code:

jellyfin@jellyfin:/root$ rm -rf /shared/media/Film/[item]/
jellyfin@jellyfin:/root$ ls -l /shared/media/Film/[item]/
ls: cannot access '/shared/media/Film/[item]/': No such file or directory

Why does the WebUI not work with just group ownership & group wrx permissions when the jellyfin user account works with just group perms? Does the WebUI use a different user for deleting things?

Edit: WebUI WILL delete a folder or directory if the parent directory belongs the 'jellyfin' account. So it looks to me like the WebUI is either ignoring the group ownership or write permissions, or it's operating under sticky bit permissions even though I don't have sticky bit set.

Edit2: Does the WebUI use the account set in jellyfin.service.d.conf, 'jellyfin' for me, for all operations? That's the only thing i can think might be an issue at this point.