I’m having trouble syncing some files due to “creative” permissions. The permissions are not absolutely required, but I want to see if I can make syncthing work with these permissions.
We are using these permissions with Pass: The Standard Unix Password Manager to share passwords with each other. Our idea is to let anyone save a password to anyone else’s pass folder. A user can delete the file they shared, but cannot see what others have shared, nor delete those other files.
As I said, this is not essential, it’s just an exercise. In our small group, everyone is trusted. Also, the shared files are individually encrypted by pass. This is a learning exercise for me.
We have syncthing set up such that it uses our Linux filesystem permissions and ACLs. (Syncthing is set to ignore permissions.)
As an example, on peter’s computer we have this directory structure. Again, the idea is that peter has full permissions to his own folder, and can write to any other user’s folder.
# ls pass
total 0
drwxrws--x+ 1 peter everyone 146 Dec 31 23:06 .
drwxrws--x+ 1 peter everyone 44 Dec 31 23:13 ..
d-wxrws-wt+ 1 root joe 0 Dec 31 23:06 joe
d-wxrws-wt+ 1 root carol 0 Dec 31 23:06 carol
d-wxrws-wt+ 1 root tom 0 Dec 31 23:06 tom
d-wxrws-wt+ 1 root steve 38 Jan 1 00:44 steve
d-wxrws-wt+ 1 root felicity 0 Dec 31 23:06 felicity
d-wxrws-wt+ 1 root sam 0 Dec 31 23:06 sam
d-wxrws-wt+ 1 root jessica 0 Dec 31 23:06 jessica
d-wxrws-wt+ 1 root mary 0 Dec 31 23:06 mary
d-wxrws-wt+ 1 root nate 0 Dec 31 23:06 nate
d-wxrws-wt+ 1 root peter 0 Dec 31 23:06 peter
Here are the ACLs:
# getfacl pass/peter
# file: pass/peter
# owner: root
# group: peter
# flags: -st
user::-wx
group::rwx
group:everyone:-wx
group:syncproc:rwx
mask::rwx
other::-wx
default:user::-wx
default:user:root:rwx
default:group::rwx
default:group:peter:rwx
default:group:syncproc:rwx
default:mask::rwx
default:other::-wx
Syncthing starts as a system service (because I want it to run at startup even if the user has no active session). The Arch Linux package includes /usr/lib/systemd/system/syncthing@.service. I added a Group specification for the syncproc group, which has rwx permissions for all the pass files and directories shown above.
[Unit]
Description=Syncthing - Open Source Continuous File Synchronization for %I
Documentation=man:syncthing(1)
After=network.target
[Service]
User=%i
Group=syncproc
ExecStart=/usr/bin/syncthing -no-browser -no-restart -logflags=0
Restart=on-failure
RestartSec=5
SuccessExitStatus=3 4
RestartForceExitStatus=3 4
# Hardening
ProtectSystem=full
PrivateTmp=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
This unit is from: Syncthing - ArchWiki
Peter starts it with:
syncthing@peter.service
Syncthing doesn’t sync any files in the pass directory tree. It also does not show any errors. The log shows:
2020-12-31 23:13:59 Completed initial scan of sendreceive folder "pass" (pass).
After that, there are no log entries for this folder, even when files are changed. All other folders are shared correctly.
Does anyone have any ideas I can try? Thank you.
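Added example (my own code, not part of the post above and not Syncthing code): a small evaluator that applies the access-check algorithm from acl(5), plus the sticky-bit rule for removing directory entries, to the getfacl listing for pass/peter shown above. It works on names rather than numeric IDs, and it assumes that the process started by the unit (User=peter, Group=syncproc) also carries peter's own groups (peter, everyone) as supplementary groups; that group set is an assumption, the ACL text is the one from the post.

```python
"""Evaluate a POSIX ACL (getfacl output) the way the kernel does (acl(5),
"ACCESS CHECK ALGORITHM") plus the sticky-bit rule for unlink.
Pure Python, no filesystem access. Identities are names, not numeric IDs
(an assumption made so the input can be pasted straight from getfacl)."""

# getfacl output from the post for pass/peter (flags -st = setgid + sticky).
PASS_PETER_ACL = """\
# file: pass/peter
# owner: root
# group: peter
# flags: -st
user::-wx
group::rwx
group:everyone:-wx
group:syncproc:rwx
mask::rwx
other::-wx
default:user::-wx
default:user:root:rwx
default:group::rwx
default:group:peter:rwx
default:group:syncproc:rwx
default:mask::rwx
default:other::-wx
"""


def fmt(perms):
    return "none" if perms is None else "".join(c if c in perms else "-" for c in "rwx")


def parse_getfacl(text):
    """Return (owner, group, sticky, entries); entries are (tag, qualifier, perms)
    for the access ACL only. default: entries only shape newly created files."""
    owner = group = None
    sticky = False
    entries = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition(":")
            value = value.strip()
            if key == "owner":
                owner = value
            elif key == "group":
                group = value
            elif key == "flags":  # three chars: setuid, setgid, sticky
                sticky = len(value) == 3 and value[2] == "t"
        elif not line.startswith("default:"):
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return owner, group, sticky, entries


def check_access(acl_text, user, groups, requested):
    """acl(5) algorithm for a process with effective user `user` and group set
    `groups` (primary + supplementary names) asking for `requested` bits."""
    owner, owning_group, _, entries = parse_getfacl(acl_text)
    want = set(requested)
    mask = next((p for t, _, p in entries if t == "mask"), None)

    def masked(p):
        return p if mask is None else p & mask

    if user == "root":  # CAP_DAC_OVERRIDE: a directory ACL never restricts root
        return True, "root bypasses the ACL (CAP_DAC_OVERRIDE)"
    if user == owner:  # 1. owner: user:: entry, never masked
        perms = next(p for t, q, p in entries if t == "user" and q == "")
        return want <= perms, f"owner entry user:: = {fmt(perms)}"
    for t, q, p in entries:  # 2. named user entry, masked
        if t == "user" and q == user:
            return want <= masked(p), f"user:{q} = {fmt(masked(p))}"
    # 3. owning group and named groups: granted if ANY matching entry
    #    (after masking) holds every requested bit
    matching = [(q or owning_group, masked(p)) for t, q, p in entries
                if t == "group" and ((q == "" and owning_group in groups) or (q and q in groups))]
    if matching:
        detail = ", ".join(f"{n}={fmt(p)}" for n, p in matching)
        return any(want <= p for _, p in matching), f"group entries {detail}, mask {fmt(mask)}"
    perms = next(p for t, _, p in entries if t == "other")  # 4. other
    return want <= perms, f"other:: = {fmt(perms)}"


def can_unlink(acl_text, user, groups, file_owner):
    """Removing a directory entry needs w+x on the directory; with the sticky
    bit set the caller must additionally own the file or the directory."""
    dir_owner, _, sticky, _ = parse_getfacl(acl_text)
    ok, reason = check_access(acl_text, user, groups, "wx")
    if ok and sticky and user not in (file_owner, dir_owner, "root"):
        return False, f"sticky bit: {user} owns neither the file ({file_owner}) nor the directory ({dir_owner})"
    return ok, reason


def with_mask(acl_text, new_mask):
    """The same listing after `setfacl -m m::NEW` (chmod on the group bits does the same)."""
    return "".join("mask::" + new_mask + "\n" if l.startswith("mask::") else l + "\n"
                   for l in acl_text.splitlines())


# User=peter Group=syncproc; peter's other groups are an assumed supplementary set.
SERVICE = ("peter", {"syncproc", "peter", "everyone"})
CAROL = ("carol", {"carol", "everyone"})  # assumed: carol is in group everyone


def report(acl_text=PASS_PETER_ACL):
    """Outcomes for the identities the post cares about, on pass/peter."""
    return {
        "service lists pass/peter (rx)": check_access(acl_text, *SERVICE, "rx"),
        "service creates a file (wx)": check_access(acl_text, *SERVICE, "wx"),
        "carol lists pass/peter (rx)": check_access(acl_text, *CAROL, "rx"),
        "carol drops a file (wx)": check_access(acl_text, *CAROL, "wx"),
        "carol removes her own file": can_unlink(acl_text, *CAROL, "carol"),
        "peter removes carol's file": can_unlink(acl_text, *SERVICE, "carol"),
        "service lists after mask -wx": check_access(with_mask(acl_text, "-wx"), *SERVICE, "rx"),
    }


if __name__ == "__main__":
    for case, (ok, why) in report().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {case}: {why}")
```

Two things worth noticing in the output. First, under the posted ACL the peter:syncproc identity gets rwx on pass/peter from the group:syncproc entry, while a member of everyone gets only -wx (can drop a file, cannot list), which is the behaviour the post describes; Syncthing's "ignore permissions" setting only stops it from syncing mode bits and does not change what the process may read. Second, the sticky bit plus the root-owned directory mean that nobody except the file's owner and root can remove an entry, peter included, and a chmod on the group bits of a directory that carries an ACL rewrites the mask rather than the owning-group entry, silently clipping group:syncproc as the last case shows. If in doubt about which groups the service really has, `id` run from inside the unit shows the actual set.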