Unable to Get Write Permissions Working for Emby

I’ve had an Emby server working quite well on my Manjaro system for a while now, apart from some odd behaviour with the backup plugin which I worked around by using a shell script to massage the permissions.

I’m now looking to get write permissions working so I can reduce the database size and move media and metadata alongside my files.

I cannot seem to get Emby to write to anything though.

My media is in various locations, all are set to 777 permissions under me:me user and group. These are all stored on local HDDs - all internal and ext4.

I’ve looked at articles on here that seem related, which talk about Dynamic Users and Supplementary Groups - This is really confusing - particularly as I couldn’t initially find the service in systemd.

I’m using the emby-server package from the Official repositories.

My installation is located in var/lib/emby

I have followed the instructions in the first post link but have had no success. I created the write-permissions.conf as follows:

[Service]
SupplementaryGroups=shared
ReadWritePaths= /files/Video/Movies /files/Video/TV

I then chowned my Movies directory as an initial test from me:me to me:shared using sudo chown -R me:shared *

I have been referencing the following Arch Wiki article for guidance: Emby - ArchWiki

I’m a bit confused as to the relevant emby-server.service file - I’ve located ones at the following locations, but I’m assuming the third one is the one that’s actually relevant:

/run/systemd/propagate/emby-server.service
/etc/systemd/system/multi-user.target.wants/emby-server.service
/usr/lib/systemd/emby-server.service

This gives me this content:

[Unit]
Description=Emby brings together your videos, music, photos, and live television.
After=network.target

[Service]
User=emby
Group=emby
SupplementaryGroups=render
SupplementaryGroups=video
DynamicUser=true
StateDirectory=emby
ReadWritePaths=-/dev/dri

EnvironmentFile=/etc/conf.d/emby-server
ExecStart=/usr/bin/emby-server
RestartForceExitStatus=3

AmbientCapabilities=
CapabilityBoundingSet=
LockPersonality=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true

[Install]
WantedBy=multi-user.target

The syntax for the .conf file was not what I was expecting. My final change was to do this:

[Service]
SupplementaryGroups=shared
ReadWritePaths=/files/Video/Movies
ReadWritePaths=/files/Video/TV
UMask=0002

I think that having separate repeated entries for SupplementaryGroups and ReadWritePaths was the problem - This isn’t noted in the Arch Wiki article or anywhere else as all the examples use a single directory path.

FOR MORE INFO

I found that either using setfacl or chmod g+s for getting parent directory permissions setting was a lost cause. Others may have better mileage, but in the end I just folded and linked the service up to my own group as well:

[Service]
SupplementaryGroups=shared
SupplementaryGroups=me
ReadWritePaths=/files/Video/Movies
ReadWritePaths=/files/Video/TV
UMask=0002

Probably NOT the best option security-wise, but by this point it seemed the only option that wouldn’t necessitate me messing about setting permissions every time I added something new to the media folder.
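
An added diagnostic, not part of the original post or of the emby-server package: it reads the final drop-in shown above and lists every entry under each ReadWritePaths directory that a non-owning service process with those supplementary groups could not write to. It checks mode bits only and ignores POSIX ACLs; the function names are this example's own.

```python
import os
import stat

# The final drop-in from the post, embedded as sample input.
DROPIN = """\
[Service]
SupplementaryGroups=shared
SupplementaryGroups=me
ReadWritePaths=/files/Video/Movies
ReadWritePaths=/files/Video/TV
UMask=0002
"""

def parse_dropin(text):
    """Merge [Service] list settings: repeats accumulate, empty value resets."""
    out = {"SupplementaryGroups": [], "ReadWritePaths": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        key, sep, value = line.partition("=")
        if section == "Service" and sep and key.strip() in out:
            out[key.strip()] = (out[key.strip()] + value.split()) if value.strip() else []
    return out

def service_can_write(st_mode, st_gid, service_gids):
    """Mode-bit check for a non-owning process (the DynamicUser=true case)."""
    # If the file's group is one of the service's groups, only the group bits count.
    bit = stat.S_IWGRP if st_gid in service_gids else stat.S_IWOTH
    return bool(st_mode & bit)

def unwritable(root, service_gids):
    """Return every directory and file under root the service cannot write."""
    bad = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if not service_can_write(st.st_mode, st.st_gid, service_gids):
                bad.append(path)
    return sorted(bad)

if __name__ == "__main__":
    import grp
    cfg = parse_dropin(DROPIN)
    names = {g.gr_name: g.gr_gid for g in grp.getgrall()}
    gids = {names[g] for g in cfg["SupplementaryGroups"] if g in names}
    for rw in cfg["ReadWritePaths"]:
        for path in unwritable(rw, gids):  # yields nothing if rw does not exist
            print("service cannot write:", path)
```

Running it with and without `me` in the group list shows how much of the tree depends on the broader group membership rather than on `shared`.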