Help Center

Syncing file system permissions


Resilio Connect Agents is capable syncing Standard and Special NTFS permissions as well as POSIX.1 permissions. This feature requires a special license with this option included.

 

Syncing NTFS permissions

There are two modes, configurable in job profile:

1. By DACL: will synchronize user’s SID and permissions even if such user is not known to target system. Once target OS knows such a user, it’ll resolve SID to proper username. Connect agent must run as Local System to be able to sync permissions.

2. By owner group: same as above but also includes file/folder owner. Computers need to be in the same domain for the new owner to be applied, and Connect agent must run as domain Admin user.  If the target system does not know this user, owner will be the user who runs Agent here.

NTFS permissions are preserved on non-NTFS filesystems and will be only applied when file again gets to NTFS FS.

Local admin required

The user account running Agent must be local administrator to be able synchronizing permissions

 

Syncing POSIX.1 permissions and ACLs

File systems on Linux-based and OS X systems implement at least 1 level of file access permissions - POSIX.1 which allows to configure basic read-write-execute permission for owner, group and all other users.

These permissions can be synchronized by Resilio Connect product in 2 modes - by ID and by name. This is controlled by setting in job profile. POSIX permissions are preserved on non-POSIX filesystems and will be only applied when files / folders get to POSIX-compatible filesystem

Root required

Synchronizing POSIX permissions always requires Agent to run with root privileges

 

Synchronizing permissions by ID

Once permissions set gets delivered on another machine, the file / folder gets exactly same owner and ownergroup IDs as on the source machine. This way allows to always sync permissions even for non-existing users, although admin should be aware of 2 possible caveats:

  • If target machine has no relevant uid and gid registered in /etc/passwd, the user and group name may look like identifiers instead of names
  • If target user id is associated with another user, the arriving files / folders will belong to a different user

Therefore it is recommended to ensure that the set of uids and gids match on target and source computers

 

Synchronizing permissions by name

Once permissions set gets delivered on another machine, the agent will try to find the user and group with the same names and assign them to the file/folder. If appropriate group or user does not exist, agent will fail delivering permissions and give error in Management Console.

 

ACLs for OS X and Linux

The POSIX.1 permissions lack flexibility like assigning multiple users and groups to a single item or more granular access. Therefore permissions were extended with Advanced Control Lists (ACLs). While it is pretty much standard for OS X machines, there is no common standard for different Linux distros.

ACLs synchronization is not officially supported by Resilio Connect product. You may attempt to synchronize them by delivering extended attributes, although the result is not guaranteed.

Was the article helpful? Yes / No, send feedback on article Thanks!


Please note that we won't mail you back. This is just purely feedback on the article above. If you need help from our Support Team, please use the "Contact Support" link at the top of the page.