fix(systemd): support overrides for syncOwnership (#10602)

Syncthing docs in https://docs.syncthing.net/users/autostart.html#permissions
tell the user to set `AmbientCapabilities=CAP_CHOWN CAP_FOWNER` if the
user wishes to use the `syncOwnership` option.

https://github.com/syncthing/syncthing/pull/10421 broke `syncOwnership`
for users that followed that advice because the PR introduced
`CapabilityBoundingSet=` which cancels out any additional capabilities
granted with `AmbientCapabilities`.

(`AmbientCapabilities` _adds_ capabilities; `CapabilityBoundingSet`
_limits_ maximum capabilities to the specified set. Setting
`CapabilityBoundingSet` to an empty list prevents any capabilities from
being acquired in any way.)

This PR fixes the breakage by explicitly setting

    CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER

This does _not_ grant any additional access rights to syncthing if the
user is not explicitly setting `AmbientCapabilities` as well, but it
does loosen the sandbox _a bit_. An attacker compromising the syncthing
process could now more easily expand their access to include
CAP_CHOWN/CAP_FOWNER even if the user is not setting
`AmbientCapabilities`.

Signed-off-by: Val Markovic <val@markovic.io>
Val Markovic
2026-03-11 14:11:50 +01:00
committed by GitHub
parent 55d3b7c5db
commit c4ff02def7


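The capability-set interaction the commit message describes, as an added example that is not part of this commit or the syncthing project: a small Python model of systemd's merge rules showing why the documented `AmbientCapabilities=CAP_CHOWN CAP_FOWNER` drop-in yields no usable capabilities against the old `CapabilityBoundingSet=` line but does against the new default. The unit fragments are constructed strings, and the merge semantics are a simplification of systemd.exec(5), as stated in the docstring.

```python
"""Simplified model of how systemd merges CapabilityBoundingSet= and
AmbientCapabilities= across a unit and its drop-ins (see systemd.exec(5)):
list settings accumulate in order, an empty "Key=" resets the list, and a
capability is usable only if it is in BOTH sets.  Inverted "~CAP_x" specs
are rejected rather than modelled.  Added example, not syncthing's code."""
import re
CAP_NAME = re.compile(r"^CAP_[A-Z0-9_]+$")

def merge_list_setting(fragments, key):
    """Final value of a whitespace-separated list setting after merging."""
    acc = []
    for text in fragments:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(("#", ";")) or "=" not in line:
                continue
            k, _, v = line.partition("=")
            if k.strip() != key:
                continue
            values = v.split()
            if not values:  # "Key=" wipes all prior assignments
                acc = []
                continue
            for cap in values:
                if cap.startswith("~") or not CAP_NAME.match(cap):
                    raise ValueError(f"unsupported token {cap!r}")
                if cap not in acc:
                    acc.append(cap)
    return acc

def effective_capabilities(fragments):
    """Bounding set, ambient set, and their intersection (what is usable)."""
    bounding = set(merge_list_setting(fragments, "CapabilityBoundingSet"))
    ambient = set(merge_list_setting(fragments, "AmbientCapabilities"))
    return {"bounding": bounding, "ambient": ambient, "usable": ambient & bounding}

# Constructed fragments mirroring the lines in the diff; not the real files.
UNIT_BEFORE_FIX = "[Service]\nCapabilityBoundingSet=\nAmbientCapabilities=\n"
UNIT_AFTER_FIX = "[Service]\nCapabilityBoundingSet=CAP_CHOWN CAP_FOWNER\nAmbientCapabilities=\n"
DROPIN_SYNC_OWNERSHIP = "[Service]\nAmbientCapabilities=CAP_CHOWN CAP_FOWNER\n"
DROPIN_NO_CAPS = "[Service]\nCapabilityBoundingSet=\n"

if __name__ == "__main__":
    for label, frags in [
        ("before fix + docs drop-in", [UNIT_BEFORE_FIX, DROPIN_SYNC_OWNERSHIP]),
        ("after fix + docs drop-in", [UNIT_AFTER_FIX, DROPIN_SYNC_OWNERSHIP]),
        ("after fix, no drop-in", [UNIT_AFTER_FIX]),
        ("after fix + empty bounding set drop-in", [UNIT_AFTER_FIX, DROPIN_NO_CAPS]),
    ]:
        print(f"{label}: usable={sorted(effective_capabilities(frags)['usable'])}")
```
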
@@ -83,10 +83,23 @@ RestrictRealtime=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
# The lifetime limit of (superuser) capabilities that syncthing can acquire.
# This option _restricts_ capabilities.
CapabilityBoundingSet=
#
# NOTE: This is set to `CAP_CHOWN CAP_FOWNER` to avoid breaking users that have
# set `AmbientCapabilities=CAP_CHOWN CAP_FOWNER` to enable the `syncOwnership`
# option as described in:
# https://docs.syncthing.net/users/autostart.html#permissions
#
# If you do not use the `syncOwnership` option, you can set this to:
# CapabilityBoundingSet=
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
# Start with empty (superuser) capabilities.
# This option _expands_ capabilities.
# AmbientCapabilities should equal CapabilityBoundingSet.
#
# NOTE: IFF you wish to use the `syncOwnership` option, you must set this to:
# AmbientCapabilities=CAP_CHOWN CAP_FOWNER
# in a systemd drop-in file. Be aware that this gives syncthing the ability to
# change or ignore file ownership across the entire operating system.
AmbientCapabilities=
# Disables `personality` system call; it can be used for privilege escalation.
LockPersonality=true
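Review bot: the unchanged comment `# AmbientCapabilities should equal CapabilityBoundingSet.` now contradicts the defaults this hunk ships, where `CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER` and `AmbientCapabilities=` are deliberately different; reword it to say that any capability a drop-in adds to `AmbientCapabilities=` must also be present in `CapabilityBoundingSet=`, which is the reason for the change. The new NOTE above the bounding set only tells users who do not need `syncOwnership` that they can set `CapabilityBoundingSet=`; adding the commit message's own reason (with the two capabilities in the bounding set, a compromised syncthing process has an easier path to CAP_CHOWN/CAP_FOWNER even with `AmbientCapabilities=` empty) would tell them why they should.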