After setting up syncthing last week, I was concerned about security as I was using the software in a manner not intended by the developers. I was attempting to use one instance of syncthing for multiple users by running it under its own user space and granting it permissions on folders in my home directory.
The problem with adding users to the group is that they have permission on every single folder where I grant write permissions to a group. The way around this is to create a huge number of groups with a permutation of users - horrible idea.
I knew that Linux supported Access Control Lists (ACLs), but never had to use them till now. ACLs permit users to have a fine tuned control over what is shared.
Below are a few elementary examples.
Get a list of ACL permissions on a folder
bharath@localhost:~$ getfacl /home/bharath getfacl: Removing leading '/' from absolute path names # file: home/bharath # owner: bharath # group: bharath user::rwx group::r-x group:syncthing:--x mask::r-x other::r-x
Grant a user or group permission to a file / folder
setfacl -m u:userName:rwx folderPath setfacl -m g:groupName:rwx folderPath
Remove a user or a group entry from an ACL
setfacl -x u:userName folderPath setfacl -x g:groupName folderPath
Revoke all permissions
setfacl --remove-all setfacl -b
Modify default permissions
setfacl -d -m u:userName:rwx folderPath
You can read more about this from the man pages.