Skip to content

Permission Management

Jump to bottom Edit New page
Yves Martin edited this page Jun 3, 2018 · 12 revisions

Permission Management

As most of SynoCommunity applications are content-related, and Synology DSM may be used in shared context with multiple users, security improvements have been implemented with DSM 6 support.

Context

Before DSM 6 support, all SynoCommunity applications were granted users group membership, allowing them to provide content to any regular DSM users or to any other applications.

As a result, there was no way to prevent access to sensible application specific folders, and users may access any content or damage application files too.

Some technical or protocol applications accessible from network also has access to any content readable to users group even if not necessary, increasing risk of file leaking in case of security hole or misconfiguration.

SynoCommunity packages take benefits of Synology SDK and DSM 6 support to run services as non-privileged user account instead of root. Such account is not manageable with DSM Control Panel Users and Groups and is not member of users group.

Concept

Access to content is controlled thanks to sc-download group ACL permissions.

  • Technical or protocol applications has no group membership, preventing access to publicly accessible content.

  • "Producer" application like downloaders are configured to write in dedicated folders (recommended to be located in a Shared Folder) which is configured with sc-download group permission.

  • "Consumer" application like indexer, media reader... can read folders thanks to sc-download group permission (or sc-media, refer to application specific documentation/FAQ).

How to grant permissions for applications

Option 1 - Full Shared Folder access

Open DSM Control Panel, Shared Folder

Edit Shared Folder, open "Permissions" tab and select "Local Groups" view

Select either "Read only" on "Read/Write" for group sc-download

Share Folder permissions in Control Panel

Validate with OK.

Option 2 - Per folder access

In DSM File Station, select target folder, open "Properties" with right click.

In "Permissions" properties, Create a new permission with group sc-download group with all Read rights and if relevant Write rights.

Permission edition in File Station

For any parent folder, up to Shared Folder root, add a permission with "Traverse folders" and "List folders" in mode "Apply To": "This Folder".

Folder parent permission in File Station

Troubleshooting

For more details, please refer to Synology documentation: How to manage ACL settings

SynoCommunity packages now requires ACL support to access DSM Shared Folders. ACL is a file system permission management concept which is not limited to "Windows ACL" or "Samba / CIFS remote access".

Please do not try to "work-around" pointing application folders to Linux root file systems instead of Shared Folder locations.

Enable ACL support

For Share Folder created with DSM version before DSM 5, it is required to convert file system to support ACL.

If Action "Convert to Windows ACL" is available for your Share Folder and you expect SynoCommunity applications to access them, then proceed with conversion wizard before granting permissions to sc-download group.

Control Panel Shared Folder Actions

Shared Folder Conversion Wizard

Shared Folder Conversion Warning

Add a custom footer
Clone this wiki locally