I’m having trouble syncing some files due to “creative” permissions. The permissions are not absolutely required, but I want to see if I can make syncthing work with these permissions.
We are using these permissions with Pass: The Standard Unix Password Manager to share passwords with each other. Our idea is to let anyone save a password to anyone else’s pass folder. A user can delete the file they shared, but cannot see what others have shared, nor delete those other files.
As I said, this is not essential, it’s just an exercise. In our small group, everyone is trusted. Also, the shared files are individually encrypted by pass. This is a learning exercise for me.
We have syncthing set up such that it uses our Linux filesystem permissions and ACLs. (Syncthing is set to ignore permissions.)
As an example on peter’s computer, we have this directory structure. Again, the idea is that peter has full permissions to his own folder, and can write to any other user’s folder.
# ls pass
total 0
drwxrws--x+ 1 peter everyone 146 Dec 31 23:06 .
drwxrws--x+ 1 peter everyone  44 Dec 31 23:13 ..
d-wxrws-wt+ 1 root  joe        0 Dec 31 23:06 joe
d-wxrws-wt+ 1 root  carol      0 Dec 31 23:06 carol
d-wxrws-wt+ 1 root  tom        0 Dec 31 23:06 tom
d-wxrws-wt+ 1 root  steve     38 Jan  1 00:44 steve
d-wxrws-wt+ 1 root  felicity   0 Dec 31 23:06 felicity
d-wxrws-wt+ 1 root  sam        0 Dec 31 23:06 sam
d-wxrws-wt+ 1 root  jessica    0 Dec 31 23:06 jessica
d-wxrws-wt+ 1 root  mary       0 Dec 31 23:06 mary
d-wxrws-wt+ 1 root  nate       0 Dec 31 23:06 nate
d-wxrws-wt+ 1 root  peter      0 Dec 31 23:06 peter
Here are the ACLs:
# getfacl pass/peter
# file: pass/peter
# owner: root
# group: peter
# flags: -st
user::-wx
group::rwx
group:everyone:-wx
group:syncproc:rwx
mask::rwx
other::-wx
default:user::-wx
default:user:root:rwx
default:group::rwx
default:group:peter:rwx
default:group:syncproc:rwx
default:mask::rwx
default:other::-wx
Syncthing starts as a system service (because I want it to run at startup even if the user has no active session). The Arch Linux package includes /usr/lib/systemd/system/syncthing@.service. I added a Group specification for the syncproc group, which has rwx permissions for all the pass files and directories shown above.
[Unit]
Description=Syncthing - Open Source Continuous File Synchronization for %I
Documentation=man:syncthing(1)
After=network.target

[Service]
User=%i
Group=syncproc
ExecStart=/usr/bin/syncthing -no-browser -no-restart -logflags=0
Restart=on-failure
RestartSec=5
SuccessExitStatus=3 4
RestartForceExitStatus=3 4

# Hardening
ProtectSystem=full
PrivateTmp=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
This unit is from: Syncthing - ArchWiki
Peter starts it with:
Syncthing doesn’t sync any files in the pass directory tree. It also does not show any errors. The log shows:
2020-12-31 23:13:59 Completed initial scan of sendreceive folder "pass" (pass).
After that, there are no log entries for this folder, even when files are changed. All other folders are shared correctly.
Does anyone have any ideas I can try? Thank you.
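Added example (not part of the post above, and not Syncthing or pass code): a small evaluator of the POSIX ACL access-check algorithm from acl(5), run against the getfacl listing for pass/peter quoted in the post. It answers the question a practitioner would ask first here: given the user and group names a process runs with, which of r, w and x does the ACL actually grant on that directory? The group memberships used in the checks (that peter's service process carries the groups syncproc, peter and everyone, that joe is in joe and everyone, and that mary is in neither) are assumptions for illustration; the evaluator deliberately ignores capabilities such as CAP_DAC_OVERRIDE, by which root bypasses the ACL, and it does not model the sticky bit (the `t` flag), which is what stops a user deleting files other users have dropped into the directory.

```python
"""Evaluate POSIX.1e ACL access checks (the algorithm in acl(5)) against a
getfacl(1) listing.  Constructed example: it never touches the filesystem,
ignores capabilities (CAP_DAC_OVERRIDE etc.) and ignores mode-bit extras such
as the sticky bit.  The group memberships in the demo are assumptions."""
import re

# The access ACL from the post, one entry per line (constructed copy).
GETFACL_PASS_PETER = """\
# file: pass/peter
# owner: root
# group: peter
# flags: -st
user::-wx
group::rwx
group:everyone:-wx
group:syncproc:rwx
mask::rwx
other::-wx
default:user::-wx
default:user:root:rwx
default:group::rwx
default:group:peter:rwx
default:group:syncproc:rwx
default:mask::rwx
default:other::-wx
"""


def parse_getfacl(text):
    """Return (owner, owning_group, entries); entries are (tag, qualifier,
    perms) tuples of the access ACL.  'default:' entries are skipped: they
    only seed the ACL of newly created children, they grant nothing on the
    directory itself."""
    owner = owning_group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m and m.group(1) == "owner":
                owner = m.group(2)
            elif m:
                owning_group = m.group(2)
            continue
        if line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, frozenset(perms.replace("-", ""))))
    return owner, owning_group, entries


def acl_permits(acl_text, user, groups, requested):
    """True if a process running as `user` with effective+supplementary group
    names `groups` is granted every permission in `requested` (subset of 'rwx')
    on the object described by `acl_text`."""
    owner, owning_group, entries = parse_getfacl(acl_text)
    requested = frozenset(requested)
    mask = next((p for t, q, p in entries if t == "mask"), None)

    def masked(perms):
        return perms & mask if mask is not None else perms

    # Step 1: owner.  ACL_USER_OBJ applies and is NOT reduced by the mask.
    if user == owner:
        return requested <= next(p for t, q, p in entries if t == "user" and q == "")
    # Step 2: a named user entry, reduced by the mask.
    for t, q, p in entries:
        if t == "user" and q == user:
            return requested <= masked(p)
    # Step 3: owning group or any named group the process is in.  Access is
    # granted only if a single matching entry (after masking) holds all the
    # requested bits; two entries are not combined.
    matching = [p for t, q, p in entries
                if t == "group" and ((q == "" and owning_group in groups)
                                     or (q != "" and q in groups))]
    if matching:
        return any(requested <= masked(p) for p in matching)
    # Step 4: everyone else.
    return requested <= next(p for t, q, p in entries if t == "other")


def effective_perms(acl_text, user, groups):
    """Render the bits granted one at a time, ls-style, e.g. '-wx'."""
    return "".join(p if acl_permits(acl_text, user, groups, p) else "-" for p in "rwx")


if __name__ == "__main__":
    # Assumed memberships: peter's unit runs as User=peter Group=syncproc and
    # picks up peter's supplementary groups; joe is in joe and everyone.
    for who, grps in [("peter", {"syncproc", "peter", "everyone"}),
                      ("joe", {"joe", "everyone"}),
                      ("mary", {"mary"}),
                      ("root", {"root"})]:
        print(f"{who:6} -> {effective_perms(GETFACL_PASS_PETER, who, grps)}")
```

The interesting rows are joe and root: joe gets `-wx`, so he can create a file inside pass/peter and traverse it but cannot list it (readdir needs `r`), which is exactly the "write to anyone, read only your own" design; and root as the owner is restricted to `-wx` by the ACL alone, so anything that expects root to list these directories depends on CAP_DAC_READ_SEARCH/CAP_DAC_OVERRIDE rather than on the ACL. Running the unit as peter with the syncproc group yields `rwx` on this directory, so for a scanner that still sees nothing the next things to check are the parent directories' search permission and whatever the service's hardening options restrict.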