Migrate Syncthing from user app to system service

An OpenBSD server with Syncthing. Got started by running Syncthing as a regular user, configured everything, synced folders, all good.
Now, I noticed what I missed: I’d rather run Syncthing as _syncthing as a system service via the included RC script and not as <username> as a user’s application:
# rcctl enable syncthing and # rcctl start syncthing instead of $ syncthing

I tried: moving the Syncthing config from the user’s to the system location and adjusting file permissions, this way:

cp -rv /home/<username>/.config/syncthing/ /var/syncthing/.config/  # copy config
chown -R _syncthing /var/syncthing/.config/syncthing  # make it belong to _syncthing
usermod -G <username> _syncthing  # add _syncthing to group <username>
chmod -R g+w /data/syncthing  # grant _syncthing writing access in storage directory via group permission

Still getting permission denied in the WebUI.

Can you post a screenshot or more detailed info about where exactly you see “permission denied”?

An excerpt from log:

2022-06-19 12:58:39 Puller (folder "dotfiles" (ymwtw-jbsuw), item "home/.config/qutebrowser/autoconfig.yml"): syncing: creating parent dir: mkdir /opt/.dotfiles/home/.config/qutebrowser: permission denied
2022-06-19 12:58:39 Puller (folder "dotfiles" (ymwtw-jbsuw), item "home/.config/qutebrowser/qsettings/QtProject.conf"): syncing: creating parent dir: mkdir /opt/.dotfiles/home/.config/qutebrowser: permission denied
2022-06-19 12:58:39 Puller (folder "dotfiles" (ymwtw-jbsuw), item "home/.tmux.conf"): syncing: opening temp file: open /opt/.dotfiles/home/.syncthing..tmux.conf.tmp: permission denied
2022-06-19 12:58:39 Puller (folder "dotfiles" (ymwtw-jbsuw), item "home/.config/qutebrowser"): syncing: creating directory: mkdir /opt/.dotfiles/home/.config/qutebrowser: permission denied
2022-06-19 12:58:39 Puller (folder "dotfiles" (ymwtw-jbsuw), item "home/.config/qutebrowser/greasemonkey"): syncing: creating parent dir: mkdir /opt/.dotfiles/home/.config/qutebrowser: permission denied
2022-06-19 12:58:39 Puller (folder "dotfiles" (ymwtw-jbsuw), item "home/.config/qutebrowser/bookmarks/urls"): syncing: creating parent dir: mkdir /opt/.dotfiles/home/.config/qutebrowser: permission denied
2022-06-19 12:58:39 Puller (folder "dotfiles" (ymwtw-jbsuw), item "home/.config/qutebrowser/config.py"): syncing: creating parent dir: mkdir /opt/.dotfiles/home/.config/qutebrowser: permission denied
2022-06-19 12:58:39 Puller (folder "dotfiles" (ymwtw-jbsuw), item "home/.config/fish/fish_variables"): syncing: opening temp file: lstat /opt/.dotfiles/home/.config/fish/.syncthing.fish_variables.tmp: permission denied
2022-06-19 12:58:39 Puller (folder "dotfiles" (ymwtw-jbsuw), item "home/.config/qutebrowser/bookmarks"): syncing: creating parent dir: mkdir /opt/.dotfiles/home/.config/qutebrowser: permission denied
2022-06-19 12:58:39 Puller (folder "dotfiles" (ymwtw-jbsuw), item "home/.config/qutebrowser/qsettings"): syncing: creating parent dir: mkdir /opt/.dotfiles/home/.config/qutebrowser: permission denied
2022-06-19 12:58:39 Puller (folder "dotfiles" (ymwtw-jbsuw), item "home/.config/qutebrowser/quickmarks"): syncing: creating parent dir: mkdir /opt/.dotfiles/home/.config/qutebrowser: permission denied
2022-06-19 12:58:39 Puller (folder "dotfiles" (ymwtw-jbsuw), item "home/.config/sxhkd/sxhkdrc"): syncing: opening temp file: open /opt/.dotfiles/home/.config/sxhkd/.syncthing.sxhkdrc.tmp: permission denied

Making a directory belong to Syncthing:

chown -R _syncthing:_syncthing /data/syncthing/salasana

and restarting Syncthing resolves the permission denied, but then my files would not belong to my regular user on that machine, which is an inconvenience.

So the actual migration of config and database for Syncthing appears to have worked. The problem is with the actual data files. You will need to figure out how to manage the permissions (probably using system user groups) so that your regular user as well as the one running Syncthing can both access the files and directories. The SGID attribute might be part of the solution, which makes files created in a directory group-owned by the same group as the parent directory. I don’t know how one could change the owning user though, for files created by Syncthing. Those will always belong to the user it runs as.

1 Like
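
The shared-group layout with SGID suggested in the reply above, as an added shell example that is not part of any post in the thread: share_dir applies it to an existing folder tree, and audit_dir lists entries that still deviate from it. The folder path and the group are arguments you supply (assumed here: a group that contains both the regular user and _syncthing); run it as root or as the owner of the files.

```shell
#!/bin/sh
# Added example, not from the thread. DIR and GROUP are supplied by the
# caller; GROUP is assumed to contain both the regular user and _syncthing.

# share_dir DIR GROUP
# Hand the whole tree to GROUP, give the group read/write on files, and
# set the setgid bit on every directory so entries created later keep GROUP.
share_dir() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod g+rwxs {} + || return 1
    find "$dir" -type f -exec chmod g+rw {} + || return 1
}

# audit_dir DIR GROUP
# Print every file or directory that does not fit the shared-group layout:
# wrong group, no group write bit, or a directory without setgid.
# Empty output means the tree is consistent.
audit_dir() {
    dir=$1
    group=$2
    find "$dir" \( -type d -o -type f \) \
        \( ! -group "$group" -o ! -perm -020 -o \( -type d ! -perm -2000 \) \) \
        -print
}
```

Restart Syncthing after changing the group membership of its account, because a running process keeps the group list it started with.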

Actually there is an option to enforce ownership of newly created files to match the directory owner: Syncthing Configuration — Syncthing v1.20.2 documentation

Maybe that could help in your case as well.

2 Likes