Files "created" by Syncthing ignore UMask (.stfolder and .stversions)

I am using Syncthing as a systemd service on a Raspberry Pi with Raspbian. I have set it up so it’s run by a syncthing user, but to keep access to all users in the group I’ve set the UMask parameter to 0002 in the syncthing@syncthing.service and for good measure in the .bash_rc, .bash_profile and .profile files for that user.

Setting umask in the service file works correctly for synchronization, but Syncthing seems to ignore it when the files are “created” by Syncthing itself and not synchronized. I’ve noticed this happening both in .stfolder and subfiles (when a new synchronization folder is created) and the .stversions and subfolders (only directories, not files).

E.g.: Creating a new, still unshared folder through the web GUI:

pi@raspberrypi:/media/data/Sync $ ls TEST/ -ld
drwxrwsr-x 3 syncthing drive-users 4096 Aug  3 00:10 TEST/
pi@raspberrypi:/media/data/Sync $ ls TEST/ -lAR
TEST/:
total 4
drwxr-sr-x 2 syncthing drive-users 4096 Aug  3 00:10 .stfolder

TEST/.stfolder:
total 4
-rw-r--r-- 1 syncthing drive-users 117 Aug  3 00:10 syncthing-folder-ccaee1.txt

I use “Simple” file versioning, and when I remove files the .stversions folder and any subfolders are created without group writing permissions, seemingly ignoring the umask. The files keep the writing permission, but without the folder writing permission I can’t delete them.

E.g.: Note that in this folder I have turned on “Ignore Permissions”. Also, in this case .stfolder has group write permission set manually.

pi@raspberrypi:/media/data/Sync/Linux-Documents $ ls -lAR
.:
total 8
drwxrwsr-x 2 syncthing drive-users 4096 Aug  2 23:54 'New Folder'
drwxrwsr-x 2 syncthing drive-users 4096 May  7 22:56  .stfolder

'./New Folder':
total 4
-rw-rw-r-- 1 syncthing drive-users 2 Aug  2 23:54 'Text File.txt'

./.stfolder:
total 0
pi@raspberrypi:/media/data/Sync/Linux-Documents $ ls -lAR
.:
total 8
drwxrwsr-x 2 syncthing drive-users 4096 May  7 22:56 .stfolder
drwxr-sr-x 3 syncthing drive-users 4096 Aug  2 23:55 .stversions

./.stfolder:
total 0

./.stversions:
total 4
drwxr-sr-x 2 syncthing drive-users 4096 Aug  2 23:55 'New Folder'

'./.stversions/New Folder':
total 4
-rw-rw-r-- 1 syncthing drive-users 2 Aug  2 23:54 'Text File~20240802-235507.txt'
pi@raspberrypi:/media/data/Sync/Linux-Documents $ rm .stversions/New\ Folder/Text\ File~20240802-235507.txt
rm: cannot remove '.stversions/New Folder/Text File~20240802-235507.txt': Permission denied

On the forum I’ve only found one similar topic, but it was unhelpful.

For more information, here is my service file:

$ cat /lib/systemd/system/syncthing@syncthing.service 
[Unit]
Description=Syncthing - Open Source Continuous File Synchronization for %I
Documentation=man:syncthing(1)
After=network.target

[Service]
User=%i
ExecStart=/usr/bin/syncthing -no-browser -no-restart -logflags=0
Restart=on-failure
SuccessExitStatus=3 4
RestartForceExitStatus=3 4
UMask=0002

# Hardening
ProtectSystem=full
PrivateTmp=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

You’re right, mkdirs in the versioner code use 0755 as the base permissions, so umask won’t help there (to get group write). Please feel free to file an issue on this, and perhaps a fix :slight_smile:

Probably the real fix would be to grab the permissions from the corresponding directory in the synced folder.

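The behaviour described in the reply above, as an added example that is not part of the original posts and not Syncthing's own code: a umask can only clear bits from the mode passed to mkdir, so a 0755 request never gains group write under umask 0002, while copying the bits from a reference directory does. The helper names `bits`, `mkdirUnder` and `mkdirLike` and the scratch paths are hypothetical, and Linux is assumed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// bits returns the permission and setgid bits of path.
func bits(path string) (os.FileMode, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return fi.Mode() & (os.ModePerm | os.ModeSetgid), nil
}

// mkdirUnder creates dir with the requested mode under umask and reports the resulting bits.
func mkdirUnder(dir string, requested os.FileMode, umask int) (os.FileMode, error) {
	defer syscall.Umask(syscall.Umask(umask)) // set now, restore the old umask on return
	if err := os.Mkdir(dir, requested); err != nil {
		return 0, err
	}
	return bits(dir)
}

// mkdirLike creates dst, then applies ref's bits with chmod, which the umask does not filter.
func mkdirLike(dst, ref string) (os.FileMode, error) {
	mode, err := bits(ref)
	if err != nil {
		return 0, err
	}
	if err := os.Mkdir(dst, 0o700); err != nil {
		return 0, err
	}
	if err := os.Chmod(dst, mode); err != nil {
		return 0, err
	}
	return bits(dst)
}

func main() {
	tmp, _ := os.MkdirTemp("", "umask-demo") // constructed scratch directory
	defer os.RemoveAll(tmp)
	a, _ := mkdirUnder(filepath.Join(tmp, "versions"), 0o755, 0o002)
	b, _ := mkdirUnder(filepath.Join(tmp, "synced"), 0o777, 0o002)
	c, _ := mkdirLike(filepath.Join(tmp, "versions-like"), filepath.Join(tmp, "synced"))
	fmt.Printf("%04o %04o %04o\n", uint32(a.Perm()), uint32(b.Perm()), uint32(c.Perm()))
}
```

The chmod in `mkdirLike` carries the setgid bit along with the permission bits, because a plain `chmod(2)` with only permission bits would clear the setgid that directories like the ones in the listings above inherit from their parent.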

Thanks for your message! I have opened the issue, but unfortunately I don’t know how to fix it.

What filesystem type is mounted at /media/data/Sync?
