Setting Synology DSM permissions using the console

After migrating my users from the local DSM base to Directory Server, I ended up with shares full of inconsistent permissions and ownership. Rather than clicking 10 000 times in DSM, I decided to do the stuff via SSH using the syno console tools.

Get the share list:

# synoshare --enum ALL
Share Enum Arguments: [0xF0F] ALL ENC DEC
11 Listed:
docker
Documents
(...)

Reset UNIX permissions to something sane:

# USER="root"
# GROUP="root"
# FOLDER="/volume1/Documents"

# chown -R "$USER:$GROUP" "$FOLDER"
# find "$FOLDER" -type d -exec chmod 0700 {} \;
# find "$FOLDER" -type f -exec chmod 0600 {} \;

Configure ACL:

  • Full Access to a specific LDAP user
  • Full Access to every member of the local Administrators group:

# synoacltool -set-owner "$FOLDER" user joe@synology.tumfatig.local

# synoacltool -add "$FOLDER" user:joe@synology.tumfatig.local:allow:rwxpdDaARWcCo:fd--
# synoacltool -add "$FOLDER" group:administrators:allow:rwxpdDaARWcCo:fd--

# find "$FOLDER" -exec synoacltool -enforce-inherit {} \;

Verify the final permissions:

# synoacltool -get $FOLDER
ACL version: 1
Archive: has_ACL,is_support_ACL
Owner: [joe@synology.tumfatig.local(user)]
---------------------
[0] user:joe@synology.tumfatig.local:allow:rwxpdDaARWcCo:fd-- (level:0)
[1] group:administrators:allow:rwxpdDaARWcCo:fd-- (level:0)
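
The check above can be made repeatable by comparing the reported entries with the ones you meant to set. The script below is an added example, not part of the original post: the function names and the `olduser` entry are made up for illustration, and the parser assumes the `[n] ACE (level:n)` line layout shown in the output above.

```shell
#!/bin/sh
# Added example: diff the ACEs reported by `synoacltool -get` against the
# entries you meant to set, so leftovers from the migration stand out.

# Constructed sample: the output shown above plus one made-up leftover ACE.
SAMPLE_ACL='ACL version: 1
Archive: has_ACL,is_support_ACL
Owner: [joe@synology.tumfatig.local(user)]
---------------------
[0] user:joe@synology.tumfatig.local:allow:rwxpdDaARWcCo:fd-- (level:0)
[1] group:administrators:allow:rwxpdDaARWcCo:fd-- (level:0)
[2] user:olduser:allow:rwxpdDaARWcCo:fd-- (level:0)'

# One intended ACE per line.
EXPECTED='user:joe@synology.tumfatig.local:allow:rwxpdDaARWcCo:fd--
group:administrators:allow:rwxpdDaARWcCo:fd--'

# Read `synoacltool -get` output on stdin, print only the ACE strings.
# Assumes the "[n] <ace> (level:n)" layout shown in the post.
acl_entries() {
    sed -n 's/^ *\[[0-9]*] \(.*\) (level:[0-9]*) *$/\1/p'
}

# acl_diff ACL_OUTPUT EXPECTED_ACES
# Prints "UNEXPECTED <ace>" / "MISSING <ace>"; returns 1 on any difference.
acl_diff() {
    actual=$(printf '%s\n' "$1" | acl_entries)
    report=$(
        printf '%s\n' "$actual" | grep -Fxv -e "$2" |
            sed -e '/^$/d' -e 's/^/UNEXPECTED /'
        printf '%s\n' "$2" | grep -Fxv -e "$actual" |
            sed -e '/^$/d' -e 's/^/MISSING /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# On the NAS: acl_diff "$(synoacltool -get "$FOLDER")" "$EXPECTED"
acl_diff "$SAMPLE_ACL" "$EXPECTED" || echo "ACL differs from the intended entries"
```

An `UNEXPECTED` line is an entry that still grants access to someone you did not list; a `MISSING` line is an intended entry that was never applied.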

Configure another ACL:

  • Full Access to a specific LDAP user
  • Full Access to every member of the local Administrators group
  • Read-Only access to every member of the LDAP Users group:

# FOLDER="/volume1/Pictures"

# synoacltool -set-owner "$FOLDER" user joe@synology.tumfatig.local

# synoacltool -add "$FOLDER" user:joe@synology.tumfatig.local:allow:rwxpdDaARWcCo:fd--
# synoacltool -add "$FOLDER" group:users@synology.tumfatig.local:allow:r-x---a-R-c--:fd--
# synoacltool -add "$FOLDER" group:administrators:allow:rwxpdDaARWcCo:fd--

# find "$FOLDER" -exec synoacltool -enforce-inherit {} \;

Now everything should be cleaned up.
