Multi-user sync with file ownership and permissions

You need to run the process with additional capabilities. Syncthing does not shell out to chown, so you can’t tell it to run sudo as it’s not executing other programs to change permissions.

Read up on cap_dac_override, that's the capability you need to grant to the syncthing process.

If I’m reading it correctly, I would just need to give /usr/local/bin/syncthing CAP_CHOWN capability. I have already added the Syncthing user to the admin group so it has full rwx permissions for all of the relevant directories and files. It just needs to be able to run CHOWN.

chmod and chown are different things. Permissions have no meaning for chown.

I understand that, chmod sets permissions, chown sets owners & groups. To run chown, you have to be root or sudo. Syncthing just needs the ability to run chown, that’s what is failing.

edit: The more I look into it, it does not look like FreeBSD (XigmaNAS) has support for setcap.

Right, in which case you won’t be able to use the feature unless you run syncthing as root, which I heavily advise against.

Is there any way to make Syncthing call a script instead of directly running chown? I could put the sudo chown in the script and then feed the rest of the command when it’s executed.

No, sorry.
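
For the capability approach discussed earlier in this thread, an added example (not written by any poster here and not Syncthing's own code): on Linux, this script decodes a process's effective capability set from /proc/<pid>/status to confirm it holds CAP_CHOWN without running as root. The expected set (the two capabilities named in the thread), the verdict labels and the sample status text are assumptions constructed for illustration.

```python
import re
import sys

# Bit positions from <linux/capability.h>; only the ones relevant here are named.
CAP_BITS = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 3: "CAP_FOWNER"}
# Assumption: the two capabilities named in the thread are the expected set.
EXPECTED = {"CAP_CHOWN", "CAP_DAC_OVERRIDE"}


def parse_status(text):
    """Return (effective_uid, effective_capability_mask) from /proc/<pid>/status text."""
    uid = re.search(r"^Uid:\s+\d+\s+(\d+)", text, re.M)
    cap = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", text, re.M)
    if not uid or not cap:
        raise ValueError("status text lacks Uid or CapEff")
    return int(uid.group(1)), int(cap.group(1), 16)


def held_caps(mask):
    """Decode a capability mask into names; unnamed bits become 'bit<N>'."""
    return [CAP_BITS.get(b, f"bit{b}") for b in range(mask.bit_length()) if mask >> b & 1]


def audit(text, expected=EXPECTED):
    """Classify a process as 'root', 'no-chown', 'over-privileged' or 'ok'."""
    euid, mask = parse_status(text)
    held = set(held_caps(mask))
    if euid == 0:
        return "root"  # the setup the thread advises against
    if "CAP_CHOWN" not in held:
        return "no-chown"  # ownership changes will fail
    if held - set(expected):
        return "over-privileged"  # holds more than the expected set
    return "ok"


# Constructed samples, not captured from a real system.
SAMPLE_OK = "Name:\tsyncthing\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000003\n"
SAMPLE_ROOT = "Name:\tsyncthing\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
SAMPLE_PLAIN = "Name:\tsyncthing\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    with open(f"/proc/{pid}/status") as fh:
        print(audit(fh.read()))
```

Run it with the Syncthing process ID as the only argument; with no argument it inspects its own process.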

Isn’t the best way forward here just to establish some patterns and utils for a collection of read-only syncs? i.e. collection/me is “my read/write sync” and collection/{otherA,otherB,…} is the other users.

I’m not sure what people are after but this would allow a typical “lab NFS” setup. I think you can do this now but I would have to do some work to figure out how to automate and save the config/keys to make it work for a large number of users.