Permission Management - SynoCommunity/spksrc GitHub Wiki

Permission Management

As most of SynoCommunity applications are content-related, and Synology DSM may be used in shared context with multiple users, security improvements have been implemented with DSM 6 support.

DSM 6 Context

Before DSM 6 support, all SynoCommunity applications were granted users group membership, allowing them to provide content to any regular DSM users or to any other applications.

As a result, there was no way to prevent access to sensible application specific folders, and users may access any content or damage application files too.

Some technical or protocol applications accessible from network also has access to any content readable to users group even if not necessary, increasing risk of file leaking in case of security hole or misconfiguration.

SynoCommunity packages take benefits of Synology SDK and DSM 6 support to run services as non-privileged user account instead of root. Such account is not manageable with DSM Control Panel Users and Groups and is not member of users group.

DSM 6 Concept

Access to content is controlled thanks to sc-download group ACL permissions.

  • Technical or protocol applications has no group membership, preventing access to publicly accessible content.

  • "Producer" application like downloaders are configured to write in dedicated folders (located necessarily in an ACL-enabled Shared Folder) which is configured with sc-download group permission.

  • "Consumer" application like indexer, media reader... can read folders thanks to sc-download group permission (or sc-media, refer to application specific documentation/FAQ).

DSM 7 Migration

With DSM 7 we can't support the above group concept any more, so we need to migrate to the "System internal user". Please follow the instructions below. Once done you can remove the old sc-download and sc-media groups.

How to grant permissions for applications

Option 1 - Full Shared Folder access

  • Open DSM Control Panel, Shared Folder
  • Edit Shared Folder, open "Permissions" tab and select "System internal user" view
  • Select either "Read only" on "Read/Write" for package user e.g. sc-jellyfin

Share Folder permissions in Control Panel

Validate with OK.

Option 2 - Per folder access

In DSM File Station, select target folder, open "Properties" with right click.

In "Permissions" properties, Create a new permission with System internal user for the package e.g. sc-jellyfin with all Read rights and if relevant Write rights.

Permission edition in File Station

For any parent folder, up to Shared Folder root, add a permission with "Traverse folders" and "List folders" in mode "Apply To": "This Folder". If you have a deep folder hierarchy you can set "Apply to this folder, sub-folders and files:" option, it will apply the settings recursively for you.

Folder parent permission in File Station

Troubleshooting

For more details, please refer to Synology documentation: How to manage ACL settings

SynoCommunity packages now require ACL support to access DSM Shared Folders. ACL is a file system permission management concept which is not limited to "Windows ACL" or "Samba / CIFS remote access".

Please do not try to "workaround" pointing application folders to Linux root file systems instead of Shared Folder locations.

Enable ACL support

For Share Folder created with DSM version before DSM 5, it is required to convert file system to support ACL.

If Action "Convert to Windows ACL" is available for your Share Folder and you expect SynoCommunity applications to access them, then proceed with conversion wizard before granting permissions to sc-download group.

Control Panel Shared Folder Actions

Shared Folder Conversion Wizard

Shared Folder Conversion Warning