-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
Permission Concept
As most of SynoCommunity applications are content-related, and Synology DSM may be used in shared context with multiple users, security improvements have been designed.
Before DSM 6 support, all SynoCommunity applications were granted users group
membership, allowing them to provide content to any regular DSM users or to any
other applications.
As a result, there was no way to prevent access to sensible application specific folders, and users may access any content or damage application files too.
Some technical or protocol applications accessible from network also has access
to any content readable to users group even if not necessary, increasing risk
of file leaking in case of security hole or misconfiguration.
Access to content is control thanks to group permissions.
-
Technical or protocol applications will have no group membership, preventing access to publicly accessible content.
-
Producer application (downloader) will write files to dedicated folders with permissions granted thanks to "output groups" (
sc-downloadandusersby default) -
Consumer application (media reader, file scanner, backup...) will read files from folders granted thanks to "input groups" (
sc-downloadandusersby default) -
If an application mixes these two roles, both "input groups" and "ouput groups" can be configured seperately.
For advanced usages, wizard step proposed package installer to adapt default
"input groups" and/or "output groups" lists, like removing users or tune per
application group membership.
Package will create standard sc-download group for media/content related
applications.
Because of transition from previous situtation, installation wizard proposes to
enlist application in both sc-download and users groups by defaults.
If users group is not granted for some applications, DSM administrator can
enlist human user accounts in sc-download from DSM Control Panel Groups, for
them to gain access to files written by these applications.
If users group is not part of an application "input group", DSM administrator
can apply application specific group to folders it expects to browse and read.
DSM administrator can create dedicated groups to fine control which application produces files to which audience, either human users or specific application thanks to "input groups" field at installation or upgrade wizard.
- Home
-
Packages
- Adminer
- Aria2
- Beets
- BicBucStriim
- Borgmatic
- cloudflared
- Comskip
- Debian Chroot
- Deluge
- Duplicity
- dnscrypt-proxy
- FFmpeg
- FFsync
- Flexget
- Gstreamer
- Google Authenticator
- Home Assistant Core
- Jellyfin
- Kiwix
- [matrix] Synapse homeserver
- MinIO
- Mono
- Mosh
- Mosquitto
- Node-Exporter
- Radarr/Sonarr/Lidarr/Jackett
- SaltStack
- SickBeard Custom
- SynoCLI-Disk
- SynoCLI-Devel
- SynoCLI-File
- SynoCLI-Kernel
- SynoCLI-Misc.
- SynoCLI-Monitor
- SynoCLI-NET
- Synogear
- Concepts
- Development
- Resources