Usually I run syncthing as service@root, due to the fact I hate to keep all ownerships aligned with many different directories across different platforms.
For a few weeks now, I have been getting these nasty errors in my log:
WRN Failed to scan (path="PATH" error="scan: reading platform data: get xattr /SyncthingBase/PATH: Lgetxattr /SyncthingBase/PATH "user.DOSATTRIB": permission denied" folder.label="folder" folder.id=folder-id123 folder.type=sendonly log.pkg=model)
They actually prevent syncing. So I want to get rid of these.
I'm quite sure it's the sandboxing/hardening. I tried to override the service file (systemctl edit syncthing@root) with this content:
[Service]
ProtectSystem=true
ReadWritePaths=/SyncthingBase /root/.local/state/syncthing
But this was of no avail.
This worked out though:
[Service]
ProtectSystem=false
Any pointers to get it running with adequate hardening? Or just run it without any sandboxing?
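The error quoted above comes from the scanner calling lgetxattr on each path, so a useful first step is to find out exactly which entries fail under the unit's sandbox before loosening it. The script below is an added diagnostic example, not code from the original post or from the Syncthing project: it walks a folder and classifies every entry by whether its extended attributes can be read, using the same non-symlink-following calls (os.listxattr / os.getxattr with follow_symlinks=False). The folder path /SyncthingBase and the file name xattr_check.py are assumptions for the usage line.

```python
"""
Added diagnostic example (not from the original post or from Syncthing):
report every path under a folder whose extended attributes cannot be read,
which is the call the WRN "Failed to scan ... Lgetxattr ... permission denied"
message is about.
"""
import errno
import os
import sys
from typing import Callable, Dict, Iterable, List

# A reader takes a path and returns its xattr names, raising OSError on
# failure. The real reader mirrors lgetxattr (no symlink following); a fake
# reader can be injected for testing.
XattrReader = Callable[[str], List[str]]


def _default_reader(path: str) -> List[str]:
    names = os.listxattr(path, follow_symlinks=False)
    # listxattr can succeed while reading a value is denied, so read each one.
    for name in names:
        os.getxattr(path, name, follow_symlinks=False)
    return names


def classify_xattrs(paths: Iterable[str],
                    reader: XattrReader = _default_reader) -> Dict[str, str]:
    """Map each path to 'ok', 'denied', 'unsupported' or 'error:<errno name>'."""
    result: Dict[str, str] = {}
    for path in paths:
        try:
            reader(path)
            result[path] = "ok"
        except PermissionError:
            # EACCES/EPERM: the case the Syncthing log line reports.
            result[path] = "denied"
        except OSError as exc:
            if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
                # Filesystem has no xattr support at all (not a sandbox issue).
                result[path] = "unsupported"
            else:
                result[path] = "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    return result


def walk_paths(root: str) -> List[str]:
    """Root plus every directory and file below it, without following symlinks."""
    out = [root]
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            out.append(os.path.join(dirpath, name))
    return out


def summarize(statuses: Dict[str, str]) -> Dict[str, int]:
    """Count how many paths fell into each status."""
    counts: Dict[str, int] = {}
    for status in statuses.values():
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    statuses = classify_xattrs(walk_paths(folder))
    for path, status in sorted(statuses.items()):
        if status != "ok":
            print(f"{status}\t{path}")
    print("summary:", summarize(statuses))
```

To run it under the same restrictions as the service without editing the unit, start it as a transient unit with the same hardening properties, for example `systemd-run --pipe --wait -p ProtectSystem=full -p PrivateTmp=true python3 xattr_check.py /SyncthingBase`; if the "denied" entries appear only with the sandbox properties set, the sandbox is the cause, and each property can then be toggled individually. One caveat on the override above: ProtectSystem=true remounts only /usr and /boot read-only (full adds /etc), so ReadWritePaths= has no effect on /SyncthingBase unless ProtectSystem=strict is used; that setting cannot by itself explain a read failure on a path outside those directories.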