Using Immich in combination with NAS permissions
from teawrecks@sopuli.xyz to selfhosted@lemmy.world on 20 Jan 15:43
https://sopuli.xyz/post/39912776

Hi all, I’ll cut to the point: is anyone out there running a NAS with multiple users, and each user has their own media folders and files that belong to them, with share access to those files (samba), and separately is also running an instance of Immich (as its own user) that in some way has access to these files and folders, AND is able to upload new files, while maintaining the NAS user ownership/permissions on those files?

In my current setup, each user’s media files have permissions user:media 740 (so the “media” group has read access). The Immich user is in the media group. I then have the NAS files mapped as read-only, and added in Immich as external storage per user. This means I’m currently not uploading anything. (If I do, they get stored separately in Immich, not merged with the rest of the media files).

I could instead make the dir writable by the media group, map each NAS user’s media directories directly as their Immich upload location (and fix up the Immich file naming/organization so that it matches), but I would still have the problem that it would create new files as the Immich user on the NAS, not the specific user.

Is there a clever permissions solution here I’m missing, or is it a lost cause to try and have both coherent per-user permissions on the NAS/samba share, AND use Immich? I don’t really want a script that runs and chmods everything to user:media periodically. Feels hacky, and then Immich isn’t able to change/delete any files, but that might be the only solution…

#selfhosted


HybridSarcasm@lemmy.world on 20 Jan 16:34

Set the Immich instance to run as the UID that owns the media files?

teawrecks@sopuli.xyz on 20 Jan 16:40

If I had one user that would work, but I have multiple.

diecknet@discuss.tchncs.de on 20 Jan 23:07

You could run an individual Immich instance per user. Not sure if it’s feasible or smart

teawrecks@sopuli.xyz on 20 Jan 23:08

Then I can’t share images and albums through Immich :/

folekaule@lemmy.world on 20 Jan 17:32

I can only think of two ways off the top of my head:

  • Immich runs as root and sets ownership (sounds unsafe)
  • Immich is the owner of all the files, but each user has a specific group (bobs-photos) of which Immich and the user are members. Then use the setgid bit to set group ownership and make it g+rwx.

Both sound pretty brittle to me, though, and I haven’t tested this specifically.

pairwise@lemmy.dbzer0.com on 20 Jan 18:10

You can configure samba to handle the permissions, but immich will need to connect to the user’s share using their password (not ideal)

In smb.conf for each user’s share:

[user_media]
   path = /path/to/user/media
   valid users = username, immich
   # force user makes all files appear as owned by the user
   # (smb.conf comments must sit on their own line; an inline "#" becomes part of the value)
   force user = username
   force group = media
   create mask = 0660
   directory mask = 0770

Alternatively you can use setgid with your media group:

chmod g+s /path/to/media/dirs
chown -R :media /path/to/media/dirs
chmod 2770 /path/to/media/dirs   # 2 = SetGID, 770 = rwx for user and group

  • Any new file created by Immich will automatically belong to the media group
  • The SetGID bit ensures files inherit the parent directory’s group
  • All users (including Immich) can read/write files as long as they’re in the media group
  • Individual users still “own” their files (UID stays as the original user when they upload via Samba)
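
As an added example (not code from the original post or from Immich), the following Python script audits a media tree for the 2770-directory / 0660-file / group-media layout described in this reply and reports any drift that would break shared writes or expose a user’s files to other NAS accounts. The “media” group is an assumption: the demo uses the caller’s primary group as a stand-in and builds a constructed temp tree with one compliant user directory and one that has drifted.

```python
# Added example, not code from the thread: audit a media tree for the "chmod 2770 +
# group media" layout above and report drift that breaks shared writes or leaks files.
import os
import stat
import tempfile

def _check(path: str, st: os.stat_result, media_gid: int, is_dir: bool) -> list[tuple[str, str]]:
    mode = stat.S_IMODE(st.st_mode)
    out = []
    if st.st_gid != media_gid:
        out.append((path, f"group gid {st.st_gid} is not the media gid {media_gid}"))
    if is_dir and not mode & stat.S_ISGID:
        out.append((path, "setgid bit missing: new files will not inherit the media group"))
    need = 0o070 if is_dir else 0o060          # group needs rwx on dirs, rw on files
    if (mode & need) != need:
        out.append((path, f"group lacks required access (mode {mode:04o})"))
    if mode & 0o007:
        out.append((path, f"world-accessible (mode {mode:04o})"))
    return out

def audit_media_tree(root: str, media_gid: int) -> list[tuple[str, str]]:
    """Walk root and return (path, problem) for every deviation from 2770 dirs / 0660 files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        findings += _check(dirpath, os.lstat(dirpath), media_gid, True)
        for name in filenames:
            fpath = os.path.join(dirpath, name)
            fst = os.lstat(fpath)
            if not stat.S_ISLNK(fst.st_mode):      # a symlink's own mode is meaningless; skip it
                findings += _check(fpath, fst, media_gid, False)
    return findings

def build_demo_tree() -> str:
    """Constructed sample tree: alice's directory follows the layout, bob's has drifted."""
    media = os.path.join(tempfile.mkdtemp(prefix="media-audit-"), "media")
    os.mkdir(media)
    os.chown(media, -1, os.getgid())             # the caller's primary group stands in for 'media'
    os.chmod(media, 0o2770)
    for user, dmode, fmode in (("alice", 0o2770, 0o660), ("bob", 0o750, 0o644)):
        d = os.path.join(media, user)
        os.mkdir(d)
        os.chmod(d, dmode)
        f = os.path.join(d, "photo.jpg")
        open(f, "w").close()
        os.chmod(f, fmode)
    return media

def demo_audit() -> list[str]:
    media = build_demo_tree()
    return sorted(f"{os.path.relpath(p, media)}: {msg}" for p, msg in audit_media_tree(media, os.getgid()))
```

Run `demo_audit()` and only bob’s directory and file are reported; point `audit_media_tree` at the real share root with the media group’s gid to check a NAS.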

teawrecks@sopuli.xyz on 20 Jan 22:46

Thanks, those are some tricks I didn’t know about.

frongt@lemmy.zip on 20 Jan 20:04

Generally, accessing files both as a share and through an app is not well supported. If Immich doesn’t support setting ownership, you might be able to patch it to add the feature.

Otherwise, I’d probably stick to the user-group model you have currently, and do the chown/chmod. Immich should be able to fully manage files as long as it has the group permissions necessary (g+rw).

PeriodicallyPedantic@lemmy.ca on 20 Jan 21:03

Preface

I got excited and didn’t properly read your post before I wrote out a huge reply. I thought your problem was the per-user mapping to different locations on your NAS or to different shares, but it’s specifically file ownership.
Whoops.

Leaving this here anyways, in case someone finds it helpful.
I kinda address file ownership at the end, but I don’t think it’s really what you were looking for because it depends on every user having their own share.

Prerequisites

  1. You need to be using Storage Templates.
  2. You’re willing to change the storage labels for all existing users.
    • If not, then change the storage labels for all users to something temporary and run the migration job before you begin. You’ll change it back later.
  3. You’re willing to switch to NFS instead of samba, where each user gets their own share.
    • Might not actually be necessary, but it’s what I use, so YMMV.

Configuration

Volumes

In docker, you’ll need to set up an external NFS volume for every user. I use portainer to manage my docker stacks, and it’s pretty easy to set up NFS volumes. I’m not sure how to do it with raw docker, but I don’t think it’s complicated.

Compose

In your docker compose files, include something like this:

services:
  immich-server:
    # ...
    volumes:
      - ${UPLOAD_LOCATION}:/data
      - /etc/localtime:/etc/localtime:ro
      - type: volume
        source: user1-share
        target: /data/library/user1-intended-storage-label
        volume:
          subpath: path/to/photos/in/user1/share
      - type: volume
        source: user2-share
        target: /data/library/user2-intended-storage-label
        volume:
          subpath: path/to/photos/in/user2/share
      # and so on for every user
  # ...

volumes:
  model-cache:
  user1-share:
    external: true
  user2-share:
    external: true

teawrecks@sopuli.xyz on 20 Jan 22:44

Thanks, yeah maybe not quite what I was asking for, but it does give me some stuff I didn’t know about that I could consider.

non_burglar@lemmy.world on 21 Jan 06:02

Squashing per-user is a blanket measure intended to default “public” users into a default access permission.

It is usable according to your layout, but this is effectively logical control preventing users from affecting files that aren’t their own.

And if that is the goal, you might as well set this up as library access through immich.

PeriodicallyPedantic@lemmy.ca on 21 Jan 07:59

Library access won’t allow upload, this will.

My knowledge here isn’t super deep, but it seems like you can do mapping per-share-per-ip, which means you can say “all file access coming from the immich host to this share will act as this user” which I think is fine if that share belongs to that user, and you don’t have anything else coming from that host to that share which you want to act as a different user. Which are very big caveats.

non_burglar@lemmy.world on 21 Jan 08:38

> Library access won’t allow upload, this will.

This isn’t right. docs.immich.app/administration/user-management/

I understand following op’s pattern of wanting to set controls on underlying storage together with a share, but simply using immich’s built-in storage labels is much easier.

Plus, each user can be assigned an NFS share to their individual files separate from immich’s access requirements for storage. There is no need to make this a worse hodge-podge than op has already made it.

PeriodicallyPedantic@lemmy.ca on 21 Jan 10:12

Sorry, I misread; when you said “library”, for some reason I thought you meant “external library”.

The problem that I’m trying to solve and I think OP is also trying to solve, is that they want the files to be on their NAS because it is high capacity, redundant, and backed up, but many users have access to the NAS, so they cannot rely on immich alone to provide access permissions, they need access permissions on the files themselves.

I solved this by having a separate share for every user, and then mounting that user’s share on their library (storage label).
It sounds like OP wants a single share, so having correct file ownership is important to restrict file access to the correct users who are viewing the filesystem outside of immich.

Not sure what you mean by your last paragraph, how do you assign a share to individual files (assume you mean directories) outside of immich’s need for storage?

non_burglar@lemmy.world on 21 Jan 11:47

Ah, gotchu. Carry on.

Decronym@lemmy.decronym.xyz on 20 Jan 21:05

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters   More Letters
IP              Internet Protocol
NAS             Network-Attached Storage
NFS             Network File System, a Unix-based file-sharing protocol known for performance and efficiency

3 acronyms in this thread; the most compressed thread commented on today has 6 acronyms.

[Thread #1013 for this comm, first seen 21st Jan 2026, 05:05]

uncommoncorvid@piefed.blahaj.zone on 20 Jan 23:51

holy shit this bot is a godsend for all those who don’t know what half these acronyms are

custard_swollower@lemmy.world on 21 Jan 04:20

There probably is a clever way that you could do it, but clever ways are easy to overstep, misconfigure and can be unreliable long-term.