so our setup at work is we have one “always-on” st-client (let’s call him Seymour) making sure everyone has the most recent version of a file at all times. Now Seymour is misbehaving, but only in one of the synced folders.
Whenever someone renames or removes a file in said folder, all other participants sync it correctly, but Seymour only creates the new copy (if it’s a rename) on his end. He does not delete anything, displays “Out of Sync” and “Failed Items: permission denied” for those files and stays there until we delete those files manually on his end.
Both the files and all the directories in the directory in question have permissions 660 and 770 respectively, Seymour is even running a script making sure this is always the case. All participants are on version 1.3.2 and all of Seymour’s other folders sync without trouble, no matter what.
I’m almost certain this is not a bug but I would really appreciate a hint where to look for the source of the problem, since I haven’t been able to find any differences in the st-folders configurations…
We’re running Linux Mint 19.2 (Tina) with Cinnamon, 64Bit. Both on Seymour and other machines. Oh, and the source directory’s permissions are in order as well (makes sense, otherwise the conflict file couldn’t get written to the disk in the first place):
Yeah sorry, I am out of ideas then: Looks good and Mint isn’t on “my list of systems notoriously doing arcane stuff”.
Actually one more thing (doesn’t really fit, but when out of ideas anything goes): Hardening: Do you use snap (or anything else that isn’t apt)? And if not, try disabling the hardening options in the systemd service file.
While we’re using apt exclusively for package-management, as far as I understand the hardening options only take effect if the service is run as root. This is not the case in this instance. Am I getting something wrong? If I am: I still don’t feel comfortable turning off security-measures without knowing exactly what they do. Could you elaborate on your suggestion?
Thanks again and sorry for the long delay, I really needed those long holidays
Actually looking at your path (/data/gs/kfm) I suspect systemd hardening to be the problem, as I think /data is non-standard (whatever that exactly means in general, in this context I suspect “something that systemd hardening doesn’t whitelist”).
The systemd hardening options apply not just when running as root. I do not know much about them, if you want to know a good place to start is the issue/PR adding it: https://github.com/syncthing/syncthing/pull/5351
And incidentally I just discovered that I ran without them on my system, as I have a drop-in replacement unit file in /etc (bad idea, use *.d dirs). When I removed that syncthing fails to start because of the private tmp stuff (I put my database into memory). Turns out I either need to also enable PrivateTmp for the unit that syncs the db to memory and join them together or disable it (I did the latter).
Alright, so I looked into those hardening options. I don’t think they’re to blame. For example ProtectSystem set to “full” explicitly only protects /usr, /boot and /etc from writing operations. I gave it a go anyway and deactivated all of them - to no avail.
If the fact that /data is not a standard-folder was responsible, that would mean all other syncthing-folders on the machine should show the same, faulty behavior (they’re all below /data) but they don’t.