Running syncthing as a system user

I wrote a brief guide on how to run syncthing as a system user while sharing folders in the user's home directory. You run into permission issues by default.

https://nitinpassa.com/running-syncthing-as-a-system-user-on-nixos/

4 Likes

Nice!

I do something similar, but with POSIX ACLs. So I’m very happy that "tmpfiles: add conditionalized execute permission (X) support" (systemd/systemd Pull Request #25622 by YHNdnzj) got implemented and merged.

1 Like

Do we improve security by doing this?

> Do we improve security by doing this?

Yes.

Running as a separate system user means if the program has a security issue (or the service is misconfigured), the process still cannot access anything other than the data directory and the set of shared folders. But if running as a user service, the process has access to everything your user has (like ~/.ssh).

1 Like

Using ACLs seems like a great improvement here. And it looks like it can apply recursively, which should solve the setgid limitations of using a directory.
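The setup the guide and the ACL replies describe, as an added example that is not taken from the linked guide or from anyone in the thread: a NixOS fragment that keeps Syncthing under its own system user and grants it access to one folder inside a user's home through tmpfiles ACL rules. The user name alice, the folder /home/alice/Sync and the folder name are assumptions, and the rwX entries rely on the X support the linked systemd pull request added.

```nix
{ config, ... }:
{
  # Syncthing runs as the dedicated "syncthing" system user (the module
  # default), so a compromised or misconfigured daemon holds only the
  # rights granted below: nothing in /home/alice outside Sync, such as
  # ~/.ssh, becomes readable to it.
  services.syncthing = {
    enable = true;
    user = "syncthing";
    group = "syncthing";
    dataDir = "/var/lib/syncthing";
    # Assumed folder; add peers under settings.devices before sharing it.
    settings.folders."alice-sync" = {
      path = "/home/alice/Sync";
    };
  };

  # POSIX ACLs applied at boot by systemd-tmpfiles. A lower-case "a+" line
  # appends an access ACL to one path; "A+" applies recursively.
  # "X" (supported since systemd PR #25622) grants execute only on
  # directories and on files that are already executable, so a recursive
  # rwX does not turn every synced file into an executable one.
  # "d:" entries are default ACLs inherited by new entries, which a setgid
  # bit on the directory cannot do (it only propagates group ownership).
  systemd.tmpfiles.rules = [
    # Traversal only: the daemon may enter alice's (mode 700) home
    # but cannot list or read anything in it.
    "a+ /home/alice - - - - u:syncthing:--x"
    # Full access to the shared folder and everything created under it.
    "A+ /home/alice/Sync - - - - u:syncthing:rwX,d:u:syncthing:rwX"
    # alice keeps access to files the syncthing user creates there.
    "A+ /home/alice/Sync - - - - u:alice:rwX,d:u:alice:rwX"
  ];
}
```

After a rebuild, `getfacl /home/alice /home/alice/Sync` should show exactly these entries, and `sudo -u syncthing ls /home/alice` should still be denied while `sudo -u syncthing ls /home/alice/Sync` succeeds.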