ACLs and Hard links

First, thank you for an awesome solution. I’ve been using Syncthing personally for ~1 year.

I was looking at whether we could use it as part of our solution, and I currently see a couple of gaps around the lack of ACL and hard link replication, per support https://docs.syncthing.net/users/faq.html. Any estimates on the effort to support hard links and ACLs? If small enough, I may be able to offer some help on these features.

One complication for both is that they are very platform dependent. Supporting ACLs Linux->Linux or Windows->Windows should be doable, but more difficult when passing through Linux->Windows->Android. Likewise for hard links.

I think the effort would be significant, and honestly not worth it.

Thanks for the quick reply.

Looking at this as a glass half full, where would be a good place for us to look at the task of supporting ACLs for Linux->Linux and Windows->Windows?

There are ~3 significant parts to it - APIs to get the ACL info you need, APIs to set the ACL info you need, and some way to store it internally. Look for Go packages for the first two (a godoc search wasn’t immediately fruitful…) or worst case look to implement something yourself on top of the relevant syscalls or whatever. For the third part, it’s mostly a matter of deciding on an appropriate data structure and adding it to the protocol.FileInfo type.

(Then there’s a hundred minor details left, but that should be the first 90% of the work anyway.)

Also keep in mind that we’re currently advocating not running Syncthing as a privileged user, and what parts of all of the above can and cannot happen in that context. That is, can a full ACL always be set/reset by the current user? (Maybe it always can, I just don’t know.) If not, how do you handle partial failure etc.

Agreed: this is a huge can of worms.

I’d perhaps be in favour of tracking some simple flags (if we don’t do this already), e.g. “executable”, “writeable by the owner”, etc, which can be translated into suitable ACLs for each platform in a way that doesn’t require admin privileges. While we still have to muck about with platform-specific APIs, at least we have an approach to cross-platform ACLs and avoiding trying to set things that the user doesn’t have permission to set.

Thanks for the pointers and guidance.