Resilio Connect Agents are capable of syncing Standard and Special NTFS permissions as well as POSIX.1 permissions. This feature requires a special license with this option included.
Syncing NTFS permissions
There are two modes, configurable in the job profile:
1. By DACL: synchronizes the user's SID and permissions even if that user is not known to the target system. Once the target OS knows such a user, it will resolve the SID to the proper username. The Connect Agent must run as Local System to be able to sync permissions.
2. By owner group: same as above, but also includes the file/folder owner. Computers need to be in the same domain for the new owner to be applied, and the Connect Agent must run as a domain Admin user. If the target system does not know this user, the owner will be the user who runs the Agent on the target system.
NTFS permissions are preserved on non-NTFS filesystems and are applied only when the file reaches an NTFS filesystem again.
Local admin required: The user account running the Agent must be a local administrator or Local System to be able to synchronize permissions.
Memory consumption: Memory consumption may double when syncing NTFS permissions, depending on the number of ACLs applied per file.
For the Agent to be able to sync permissions, especially for files accessed over SMB, the user that runs the Agent's service must be allowed to "Read permissions", "Change permissions", and "Take ownership".
Syncing POSIX.1 permissions and ACLs
File systems on Linux-based and OS X systems implement at least one level of file access permissions, POSIX.1, which allows configuring basic read-write-execute permissions for the owner, the group and all other users.
These permissions can be synchronized by the Resilio Connect product in two modes: by ID and by name. The mode is controlled by a setting in the job profile. POSIX permissions are preserved on non-POSIX filesystems and are applied only when the files / folders reach a POSIX-compatible filesystem.
Root required: Synchronizing POSIX permissions always requires the Agent to run with root privileges.
Memory consumption: Memory consumption may double when syncing POSIX permissions, depending on the number of ACLs applied per file.
Synchronizing permissions by ID
Once the permission set is delivered to another machine, the file / folder gets exactly the same owner and owner group IDs as on the source machine. This mode always allows permissions to be synced, even for non-existing users, although the admin should be aware of two possible caveats:
- If the target machine has no matching uid and gid registered in /etc/passwd, the user and group may be shown as numeric identifiers instead of names
- If the uid on the target is associated with another user, the arriving files / folders will belong to a different user
Therefore it is recommended to ensure that the sets of uids and gids match on the target and source computers.
Synchronizing permissions by name
Once the permission set is delivered to another machine, the Agent will try to find the user and group with the same names and assign them to the file/folder. If the appropriate group or user does not exist, the Agent will fail to deliver permissions and report an error in the Management Console.
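The caveats of both modes (sync by ID and sync by name) can be checked before a job runs by comparing the account databases of the two machines. The following is an added example, not part of the Resilio product or its documentation; it assumes passwd-format text (the same layout works for /etc/group) has been copied from each machine, and the function names and sample accounts are constructed for illustration.

```python
# Added example: pre-flight check before syncing POSIX permissions.
# The account data below is constructed sample input, not real systems.
SOURCE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
render:x:1003:1003::/home/render:/usr/sbin/nologin
"""
TARGET_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
bob:x:1005:1005::/home/bob:/bin/bash
"""


def parse_entries(text):
    """Parse passwd- or group-format text into a list of (numeric id, name)."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Skip blanks, comments and entries without a numeric third field.
        if len(fields) < 3 or fields[0].startswith("#") or not fields[2].isdigit():
            continue
        entries.append((int(fields[2]), fields[0]))
    return entries


def compare(source_text, target_text):
    """Report source ids and names that will not map cleanly onto the target."""
    dst_entries = parse_entries(target_text)
    dst = {}
    for num, name in dst_entries:
        dst.setdefault(num, name)  # first entry for an id is the one shown
    dst_names = {name for _, name in dst_entries}
    report = {"unresolved_id": [], "different_owner": [], "missing_name": []}
    for num, name in sorted(set(parse_entries(source_text))):
        if num not in dst:  # by ID: owner is shown as a bare number
            report["unresolved_id"].append((num, name))
        elif dst[num] != name:  # by ID: files end up owned by another account
            report["different_owner"].append((num, name, dst[num]))
        if name not in dst_names:  # by name: delivery of permissions fails
            report["missing_name"].append(name)
    return report


if __name__ == "__main__":
    for kind, rows in compare(SOURCE_PASSWD, TARGET_PASSWD).items():
        print(kind, rows)
```

Entries under different_owner matter most when syncing by ID, because the delivered files become accessible to an unrelated account on the target.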
ACLs for OS X and Linux
POSIX.1 permissions lack flexibility, such as assigning multiple users and groups to a single item or setting more granular access. Therefore permissions were extended with Access Control Lists (ACLs). While ACLs are pretty much standard on OS X machines, there is no common standard across different Linux distros.
ACL synchronization is not officially supported by the Resilio Connect product. You may attempt to synchronize ACLs by delivering extended attributes, although the result is not guaranteed.