When running syncthing on Ubuntu as a system service...what's the best way to handle permissions?

I have had syncthing running on my servers in the past as a system service, which involves creating a service that runs as a specific user. Initially this posed a challenge as I was only able to synchronize files and folders created or owned by the user under which the service was running.

In order to give permissions to that same user to a folder that wasn’t owned by that user, I would have to add them to the file/folder structure by altering the ACL.

setfacl -Rm u:someuser:rwx file

Etc.

Only then would creating a new sync folder actually work (.stfolder marker, etc.)

I’m setting up a new system and I’m wondering if there’s a way to create a user that doesn’t need to be explicitly added to each intended sync location like this. I suppose it’s not much different than having the service run as root, which is not recommended. Just wondering if there’s an easier way.

Come to think of it, here’s an ACL permissions question:

If I create a folder /thisfolder and I add the user whomever to that folder using setfacl, if I add folders beneath that /thisfolder/folder (for example) do the ACL permissions propagate to the new content? If that’s the case then I could simply make sure that all of my sync’d folders reside under a single folder root and just apply the ACL settings to that folder tree.

Thoughts?
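On the propagation question above, here is an added example (not from the thread or the Syncthing project): a plain `setfacl -Rm` access ACL covers only the entries that exist when it is applied, whereas a default ACL (`setfacl -d`) is inherited by subdirectories and files created later. It assumes the `acl` tools are installed and an ACL-capable filesystem, and uses the current user in place of the post's `someuser` so it runs without root.

```shell
#!/bin/sh
# Added example (not from the thread): does a file ACL "propagate" to content
# created later? A plain access ACL ("setfacl -Rm") covers only entries that
# exist when it is applied; a default ACL ("setfacl -d") is inherited by new
# subdirectories and files. Assumes the acl tools and an ACL-capable filesystem;
# uses the current user in place of the post's "someuser" so no root is needed.
set -eu

# Print "yes" if the ACL of path $2 has an explicit named entry for user $1.
acl_has_user() {
  if getfacl "$2" 2>/dev/null | grep -q "^user:$1:"; then echo yes; else echo no; fi
}

# Prints three words: plain-ACL child dir, default-ACL child dir, default-ACL child file.
# Expected "no yes yes"; prints "unsupported" if ACLs cannot be set here.
demo_acl_inheritance() {
  u=$(id -un)
  root=$(mktemp -d)

  # Case 1: recursive access ACL only (what the post does).
  mkdir "$root/plain"
  if ! setfacl -R -m "u:$u:rwx" "$root/plain" 2>/dev/null; then
    rm -rf "$root"; echo unsupported; return 0
  fi
  mkdir "$root/plain/later"                 # created after the ACL was applied
  r1=$(acl_has_user "$u" "$root/plain/later")

  # Case 2: access ACL plus a default ACL on the tree root.
  mkdir "$root/withdefault"
  setfacl -R -m "u:$u:rwx" "$root/withdefault"       # entries that exist now
  setfacl -R -d -m "u:$u:rwx" "$root/withdefault"    # -d: inherited by future children
  mkdir "$root/withdefault/later"
  : > "$root/withdefault/later/file.txt"
  r2=$(acl_has_user "$u" "$root/withdefault/later")
  r3=$(acl_has_user "$u" "$root/withdefault/later/file.txt")

  rm -rf "$root"
  echo "$r1 $r2 $r3"
}

demo_acl_inheritance
```

Check the `#effective:` column that getfacl prints on new files: the named entry is inherited as rwx, but the mask derived from the creation mode may cut it down (a 0666 file yields rw-), so the service user may still be unable to execute inherited files.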

I believe the generally recommended way to do that is to run multiple instances of syncthing. The systemd system unit is per-user, so doing that is trivial. Is there something specific that prevents that?


Wouldn’t that mean needing to keep track of multiple ports, user permissions, etc.?

In the past, I simply created a syncthing user and then any time I needed to give access to a specific folder sync, I’d just add them through ACLs to the required folders…

I haven’t ever considered compartmentalizing syncthing into multiple instances, one for each user on the server…seems that would become resource intensive.

Syncthing is pretty good at figuring out ports, but the GUI listen port needs to be dealt with. As for the permissions, depends on the setup. I’d expect it to just fold into the system permissions - you run syncthing as the user that owns a specific folder to share it. Of course, if you have a complex multi-user setup that’s a pain in itself.

While I won’t disagree, I also live in a world where people use Docker to run single applications and spin up Chromium as a text editor. Multiple process instances seems positively frugal in comparison. :confused:

This really doesn’t scale well. I would lose patience well before I had 20 users up and running.

I’m sorry about that, but if you’re looking for systems that are designed to handle server-based user-segregated syncing, there are a few available. Syncthing isn’t one of them - it’s built for peer-to-peer syncing without user segregation.

My point is that ACLs are probably a better option here.


Frankly, I’m not sure I’d have the patience for either … but that might be part of the reason I don’t handle large multi-user systems.