Syncthing: Unable to get permission to work

Hi everyone,

I’m unable to make Syncthing set the UID/GID of files. Files sync well, but ownership is syncthing:syncthing. I don't want to edit the user running the service, since I want my setup to work for multiple users.

Whether I tick “Sync Ownership” or “Copy Ownership From Parent”, I get: syncing: handling dir (setting metadata): copy owner from parent: lchown *my folder*: invalid argument.

I think that it’s because of the service CapabilityBoundingSet: it’s dropping CAP_SETGID and CAP_SETUID (cf. nixpkgs/nixos/modules/services/networking/syncthing.nix at 695a3abc334d690a822d7bf14808063779e18012 · NixOS/nixpkgs · GitHub).

Am I right? What solution do I have?

Follow up:

I created a brand new share, as clean as possible, enabled CopyOwnershipFromParent, and I get: syncing: finishing: setting metadata: copy owner from parent: lchown .syncthing.*my file*.tmp: invalid argument. The file has no special characters and looks like this on the receiving end: -rw-r--r-- 1 syncthing syncthing 0 Jan 25 15:53 .syncthing.site_content.html.tmp

Currently I have added capabilities according to the Syncthing docs (Syncthing Configuration — Syncthing v1.20.2 documentation).
I think it works, as shown here:

# cat /etc/systemd/system/syncthing.service
(...)
AmbientCapabilities=CAP_CHOWN CAP_FOWNER
CapabilityBoundingSet=~CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_SETGID
CapabilityBoundingSet=~CAP_SETUID
CapabilityBoundingSet=~CAP_SETPCAP
CapabilityBoundingSet=~CAP_SYS_TIME
CapabilityBoundingSet=~CAP_KILL
(...)

# cat /proc/1375972/status | grep Cap
CapInh:	0000000000000009
CapPrm:	0000000000000009
CapEff:	0000000000000009
CapBnd:	000001fff5d4fe1f
CapAmb:	0000000000000009

# capsh --decode=0000000000000009
0x0000000000000009=cap_chown,cap_fowner

I’m open to any suggestion.
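To check what a service process can actually do, the Cap* masks quoted above can be decoded the same way capsh does. This is an added example, not code from the thread or from Syncthing; the bit numbers follow the kernel's capability numbering (include/uapi/linux/capability.h), and the sample input is the five Cap lines from the post.

```python
# Decoder for the Cap* lines of /proc/<pid>/status; same output as `capsh --decode`.
# Capability bit numbers as defined in include/uapi/linux/capability.h (0..40).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid",
    "cap_setpcap", "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

def decode_mask(hex_mask: str) -> list[str]:
    # Names of the capabilities whose bit is set in the hex mask.
    value = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if value >> bit & 1]

def parse_cap_sets(status_text: str) -> dict[str, set[str]]:
    # Only the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of /proc/<pid>/status matter here.
    sets = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, mask = line.partition(":")
            sets[key] = set(decode_mask(mask.strip()))
    return sets

def chown_check(sets: dict[str, set[str]]) -> dict[str, bool]:
    # lchown() to another owner needs CAP_CHOWN in the effective set; the bounding
    # set is the ceiling on what the process could ever gain, so a capability
    # missing there cannot be added back by AmbientCapabilities.
    eff, bnd = sets.get("CapEff", set()), sets.get("CapBnd", set())
    return {
        "chown_to_other_owner": "cap_chown" in eff,
        "setuid_in_bounding_set": "cap_setuid" in bnd,
        "setgid_in_bounding_set": "cap_setgid" in bnd,
    }

# Constructed sample: the five Cap lines quoted in the post above.
SAMPLE_STATUS = """\
CapInh:\t0000000000000009
CapPrm:\t0000000000000009
CapEff:\t0000000000000009
CapBnd:\t000001fff5d4fe1f
CapAmb:\t0000000000000009
"""
```

On a live system, feed it the real file: `chown_check(parse_cap_sets(open("/proc/<pid>/status").read()))`.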

Sounds like NixOS/nixpkgs#338485

For what it’s worth, I had this issue with many other services. So what I did instead is I tried replicating how Debian does group permissions.

  1. Create a group for your user and change your files and folders to have group ownership of that group: 'chown -R user:user /home/user'

  2. Add syncthing to your user group; this will allow syncthing to inherit your group permissions for any file/folder.

  3. Set all folders to have a sticky group (preventing syncthing from taking group ownership).
    find /home/user -type d -exec chmod 2770 {} \;

  4. Set the systemd service umask to 5007 (2770 mode); this makes the syncthing service preserve rw access to the group, and created folders inherit the sticky gid.