Permission Concept - SynoCommunity/spksrc GitHub Wiki

Permission concept

Because most SynoCommunity applications are content-related, and Synology DSM may be used in a shared context with multiple users, security improvements have been designed.

Previous situation

Before DSM 6 support, all SynoCommunity applications were granted membership of the users group, allowing them to provide content to any regular DSM user or to any other application.

As a result, there was no way to prevent access to sensitive application-specific folders, and users could access any content and could also damage application files.

Some technical or protocol applications accessible from the network also had access to any content readable by the users group even when not necessary, increasing the risk of file leaks in case of a security hole or misconfiguration.

Principle

Access to content is controlled through group permissions.

  • Technical or protocol applications will have no group membership, preventing access to publicly accessible content.

  • Producer applications (downloaders) will write files to dedicated folders, with permissions granted through "output groups" (sc-download and users by default).

  • Consumer applications (media readers, file scanners, backup...) will read files from folders granted through "input groups" (sc-download and users by default).

  • If an application mixes these two roles, both "input groups" and "output groups" can be configured separately.

For advanced usage, a wizard step at package installation offers to adapt the default "input groups" and/or "output groups" lists, for example by removing users or tuning group membership per application.

Permission management

The package will create the standard sc-download group for media/content-related applications.

Because of the transition from the previous situation, the installation wizard proposes to enlist the application in both the sc-download and users groups by default.

If the users group is not granted for some applications, the DSM administrator can enlist human user accounts in sc-download from DSM Control Panel Groups, so that they gain access to files written by these applications.

If the users group is not part of an application's "input groups", the DSM administrator can apply an application-specific group to the folders it is expected to browse and read.

Advanced usage

The DSM administrator can create dedicated groups to finely control which application produces files for which audience, either human users or specific applications, through the "input groups" field in the installation or upgrade wizard.
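
The following added example (not spksrc code) models the input/output group concept to show who keeps read access when users is removed from a producer's "output groups", which is the case where the administrator has to enlist accounts in sc-download. It assumes a principal can read a producer's files when it shares at least one group with the producer's output groups; all package and account names are hypothetical.

```python
# Added illustration: a simplified model of the group concept, not spksrc code.
# Assumption: a principal can read a producer's files when it shares at least
# one group with the producer's "output groups".
from dataclasses import dataclass

DEFAULTS = frozenset({"sc-download", "users"})  # default groups named on the page


@dataclass(frozen=True)
class Package:
    name: str
    input_groups: frozenset = frozenset()   # groups it reads content through
    output_groups: frozenset = frozenset()  # groups granted on files it writes


def readers_of(producer, packages, humans):
    """Names of packages and human accounts able to read the producer's files."""
    apps = {p.name for p in packages
            if p.name != producer.name and p.input_groups & producer.output_groups}
    people = {user for user, groups in humans.items()
              if groups & producer.output_groups}
    return sorted(apps | people)


def lost_access(before, after):
    """Principals that could read before a group change but cannot afterwards."""
    return sorted(set(before) - set(after))


# Constructed sample setup (all package and account names are hypothetical).
humans = {"alice": frozenset({"users"}),
          "bob": frozenset({"users", "sc-download"})}
proxy = Package("proxy")  # technical/protocol application: no group membership

# Wizard defaults: producer and consumer both use sc-download and users.
downloader = Package("downloader", output_groups=DEFAULTS)
player = Package("player", input_groups=DEFAULTS)
default_readers = readers_of(downloader, [downloader, player, proxy], humans)

# The administrator removes "users" from the producer's output groups.
strict = Package("downloader", output_groups=frozenset({"sc-download"}))
strict_readers = readers_of(strict, [strict, player, proxy], humans)

if __name__ == "__main__":
    print("default readers:", default_readers)
    print("strict readers: ", strict_readers)
    print("enlist in sc-download:", lost_access(default_readers, strict_readers))
```
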
