Skip to content

Permission Management

Jump to bottom Edit New page
Yves Martin edited this page Mar 14, 2018 · 12 revisions

Permission Management

As most of SynoCommunity applications are content-related, and Synology DSM may be used in shared context with multiple users, security improvements have been implemented with DSM 6 support.

Context

Before DSM 6 support, all SynoCommunity applications were granted users group membership, allowing them to provide content to any regular DSM users or to any other applications.

As a result, there was no way to prevent access to sensible application specific folders, and users may access any content or damage application files too.

Some technical or protocol applications accessible from network also has access to any content readable to users group even if not necessary, increasing risk of file leaking in case of security hole or misconfiguration.

SynoCommunity packages take benefits of Synology SDK and DSM 6 support to run services as non-privileged user account instead of root. Such account is not manageable with DSM Control Panel Users and Groups and is not member of users group.

Concept

Access to content is controlled thanks to sc-download group permissions.

  • Technical or protocol applications has no group membership, preventing access to publicly accessible content.

  • "Producer" application like downloaders are configured to write in dedicated folders (recommended to be located in a Shared Folder) which is configured with sc-download group permission.

  • "Consumer" application like indexer, media reader... can read folders thanks to sc-download group permission.

How to grant permissions for applications

Option 1 - Full Shared Folder access

Open DSM Control Panel, Shared Folder

Edit Shared Folder, open "Permissions" tab and select "Local Groups" view

Select either "Read only" on "Read/Write" for group sc-download

Share Folder permissions in Control Panel

https://github.com/adam-p/markdown-here/raw/master/src/common/images/icon48.png "Logo Title Text 1")

Validate with OK.

Option 2 - Per folder access

In DSM File Station, select target folder, open "Properties" with right click.

In "Permissions" properties, Create a new permission with group sc-download group with all Read rights and if relevant Write rights.

Permission edition in File Station

For any parent folder, up to Shared Folder root, add a permission with "Traverse folders" and "List folders" in mode "Apply To": "This Folder".

Folder parent permission in File Station

Add a custom footer
Clone this wiki locally