Permission issues on TrueNAS Core: ST can create but not modify/delete

Hi,

I am syncing two folders (‘documents’ and ‘music’) between a Linux Mint machine (Syncthing 1.12.0) and TrueNAS Core 12.0-U2.1 (Syncthing 1.13.1). These two folders are synced to different ZFS pools on the NAS - the documents folder is kept private and the music folder is shared with others. On the NAS, syncthing runs in a jail as user ‘syncthing’ with ID 983. I have tried to replicate the relevant user and group IDs from the TrueNAS system inside the syncthing jail.

The ‘documents’ syncing works fine (in the jail, the ‘syncthing’ user with ID 983 is a member of the group ‘daniel’):

SOURCE (laptop)         drauch:drauch (IDs 1000:1000)
DEST (TrueNAS system)   daniel:daniel (IDs 1001:1001)
DEST (in the jail)      daniel:daniel (IDs 1001:1001)

The ‘music’ folder setup is similar (again, in the jail, the ‘syncthing’ user with ID 983 is a member of the group ‘allusers’):

SOURCE (laptop)         drauch:drauch (IDs 1000:1000)
DEST (TrueNAS system)   root:allusers (IDs 0:1000)
DEST (in the jail)      root:allusers (IDs 0:1000)

When I create an empty file in the music folder on the laptop, it gets synced to the NAS alright. However, when I delete it on the laptop, it is not deleted on the NAS and I get an ‘out of sync item’ with the ‘permission denied’ hint. When I modify the content of an existing file on the laptop, syncing fails as well. And corresponingly, when I rename ‘file1’ to ‘file2’ on the laptop, ‘file2’ is created alright on the NAS, but ‘file1’ is not deleted.

All of this only happens for the ‘music’ folder - the ‘documents’ folder works perfectly fine.

As an alternative, I have also changed the file and directory ownership to 983 for the music folder on the NAS, but this didn’t change the behaviour. The motivation for this was that I noted that syncthing on the NAS creates synced files with 983:allusers ownership.

Any ideas or hints are greatly appreciated! Many thanks!

Bonus question: Ideally, I would like to make Syncthing create files with ownership root:allusers in the music folder. Is this possible?

Seems like your question is better suited for your NAS forum, especially as it involves jails and such.

syncthing doesn’t do anything magical with ownership, it just runs as the user that started it so the files end up owned by that user and uses the umask available to the process which decides permissions.

I guess I’ll throw in the usual “check ACLs” in case your system has them.

The folder ownership is completely meaningless in trying to get syncthing to create files as a specific user, what matters is the user identity running syncthing.

Many thanks for the quick reply!

I have identified a minimum broken example within just the ‘music’ share, so as to rule out any TrueNAS-/jail-related differences.

I had been thinking about ACLs as well, but unfortunately they don’t seem to be the reason because they are identical in all the cases.

The more specific minimum broken example - just in the ‘music’ folder:

  • Case 1: Creating a new folder ‘music/Klassik2’ and file ‘test1’ on the laptop. Syncing works perfectly fine (also when renaming the file, changing the content and deleting it) - except for the fact that I have to trigger a rescan for the changes to be picked up (I’d be fine with that, but it’s a difference to case 2).

    nas2013# cd /mnt/zfspool/media/music/Klassik2
    
    nas2013# ls -lah
    total 44
    drwxrwxr-x    2 983   allusers     3B Apr  8 20:12 .
    drwxrwxr-x  789 root  allusers   796B Apr  8 20:09 ..
    -rw-rw-r--    1 983   allusers     6B Apr  8 20:10 test2a
    
    nas2013# getfacl .
    # file: .
    # owner: 983
    # group: allusers
          owner@:rwxp--aARWcCos:-------:allow
          group@:rwxp--a-R-c--s:-------:allow
       everyone@:r-x---a-R-c--s:-------:allow
    
  • Case 2: In an existing folder ‘music/Klassik’, creating a new file ‘test1’, it gets synced - but when I change its content, I get the ‘out of sync / permission denied’ error. Also, deleting and renaming fail. Curiously enough, I don’t have to trigger a rescan for the changes to be detected.

    nas2013# pwd
    /mnt/zfspool/media/music/Klassik
    
    nas2013# ls -lah
    total 103
    drwxrwxr-x    3 983   allusers     7B Apr  8 20:27 .
    drwxrwxr-x  789 root  allusers   796B Apr  8 20:09 ..
    -rw-rw-r--    1 983   allusers     6B Apr  8 20:23 .syncthing.test1.tmp
    -rw-rw-r--    1 983   allusers    12B Apr  8 20:30 .syncthing.test2.tmp
    drwxrwxr-x    2 983   allusers    14B Apr  8 19:59 Concert Festival
    -rw-rw-r--    1 983   allusers     0B Apr  8 20:00 test1
    -rw-rw-r--    1 983   allusers     6B Apr  8 20:01 test2
    
    nas2013# getfacl .
    # file: .
    # owner: 983
    # group: allusers
          owner@:rwxp--aARWcCos:-------:allow
          group@:rwxp--a-R-c--s:-------:allow
       everyone@:r-x---a-R-c--s:-------:allow
    

    The ‘.syncthing.test1.tmp’ and ‘.syncthing.test2.tmp’ files contain the correct content.

Besides the Unix permissions and the ACLs - and given the fact that this is the same synced folder / share - is there anything else that I could check?

As I said, this doesn’t seem like a syncthing specific issue, so not sure how much help you’ll get. I guess I’d make sure that the user running syncthing is the user you expect.

Ok, thanks!

The question is how users and groups are created on the devices with regard to Syncthing. I cannot judge that in relation to TrueNAS. Since I use Synology, the packages that are available for that NASs creates corresponding users and groups in the system manager. This makes it easy to assign the appropriate rights to the relevant directories.

In the case of native installations, as far as I know, no special users or groups are created, so Syncthing would be something like a general user. At least that’s the case with Linux Mint, I also use, with TrueNAS I can’t judge it.

That would then mean that you have to manually adjust the rights in the respective directories and subdirectories in the respective system so that even unregistered users can access them.

In any case, this has nothing to do with Syncthing.