Overview
Resilio Connect Agents can synchronize standard and special NTFS permissions as well as POSIX.1 permissions. This feature requires a license that includes this option.
Cross-platform synchronization of file permissions
Avoid using Highly Available (HA) groups on a system that cannot apply the replicated permissions (for example, a Linux host receiving NTFS permissions, or vice versa). Doing so may lead to unexpected permission issues and access problems. Always make sure that HA groups are used on systems with compatible file permission structures.
Syncing NTFS permissions
There are two modes, plus an additional option, configurable in the job profile:
1. Don't sync Owner: synchronizes the user's SID and permissions even if that user is not known to the target system. Once the target OS knows the user, it resolves the SID to the proper username. The Connect Agent must run as Local System to be able to sync permissions.
2. Sync full ACL: same as above, but also includes the file/folder owner. The computers need to be in the same domain for the new owner to be applied, and the Connect Agent must run as a domain Admin user. If the target system does not know this user, the owner becomes the user that runs the Agent there.
3. Re-apply local inherited permissions: (available in v3.0.0 and newer) while synchronizing files, the Agent places partial downloads into the service .sync directory. This option forces the Agent to reset the local permissions of the file so that it does not inherit them from .sync, but instead inherits them from the file's parent folder.
NTFS permissions are preserved on non-NTFS filesystems and are only applied once the file reaches an NTFS filesystem again.
Local admin required
The user account running the Agent must be a local administrator or Local System to be able to synchronize permissions.
Memory consumption
For pre-3.0 versions, memory consumption may double when syncing NTFS permissions, depending on the number of ACLs applied per file. Agents of version 3.0 may consume more RAM than expected during folder merge for pre-seeded folders. Once the folder merge is complete, RAM consumption decreases.
For the Agent to be able to sync permissions, especially for files accessed over SMB, the user that runs the Agent's service must be granted "Read permissions", "Change permissions", and "Take ownership".
RW to RW synchronization
If your destination contains no data, but you plan to synchronize bi-directionally in the future, it is strongly recommended to:
- Create the root folder on the empty destination, where data will arrive, in advance
- Ensure that this folder does not inherit permissions from its parent and that its permissions match those on the source, including the source's inherited permissions
Otherwise the Agent may synchronize the top-level permissions of the destination RW machine's root folder back to the source.
Pre-seeded RW to RW folders synchronization
If you plan bi-directional synchronization in the future and your destination already contains some files and folders, it is strongly recommended to pick the Reference Agent in the job.
Otherwise the Agents will arbitrarily decide which one owns certain folders, and your permissions may get scrambled.
Syncing POSIX.1 permissions and ACLs
File systems on Linux-based and OS X systems implement at least one level of file access permissions, POSIX.1, which allows configuring basic read-write-execute permissions for the owner, the group and all other users.
Resilio Connect can synchronize these permissions in two modes: by ID and by name. This is controlled by a setting in the job profile. POSIX permissions are preserved on non-POSIX filesystems and are only applied once the files / folders reach a POSIX-compatible filesystem.
Root required
Synchronizing POSIX permissions always requires the Agent to run with root privileges.
Memory consumption
Memory consumption may double when syncing POSIX permissions, depending on the number of ACLs applied per file. Agents of version 3.0 may consume more RAM than expected during folder merge for pre-seeded folders. Once the folder merge is complete, RAM consumption decreases.
Synchronizing permissions by ID
Once a permission set is delivered to another machine, the file / folder gets exactly the same owner and owner-group IDs as on the source machine. This mode always allows permissions to be synced, even for non-existent users, although the admin should be aware of two possible caveats:
- If the target machine has no matching uid and gid registered in /etc/passwd and /etc/group, the user and group may be shown as numeric identifiers instead of names
- If the target user ID is associated with a different user, the arriving files / folders will belong to that different user
Therefore it is recommended to ensure that the sets of uids and gids match on the target and source computers.
Synchronizing permissions by name
Once a permission set is delivered to another machine, the Agent tries to find the user and group with the same names and assigns them to the file/folder. If the appropriate group or user does not exist, the Agent fails to deliver the permissions and reports an error in the Management Console.
Synchronizing permissions by owner group
Once a permission set is delivered to another machine, the Agent tries to find the owner group with the same name and assigns it to the file/folder. If the appropriate group does not exist, the Agent fails to deliver the permissions and reports an error in the Management Console.
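The by-ID, by-name and by-owner-group caveats above all come down to whether the uid/gid maps of the source and target hosts agree. The following added example (not Resilio Connect code) compares two passwd-style maps and reports IDs unknown on the target, IDs that belong to a different name on the target, and names missing on the target; the sample /etc/passwd contents are constructed, and the same parser works for /etc/group because both use name:x:id fields.

```python
"""Check uid/gid mapping between a source and a target host before enabling
POSIX permission sync. Added example, not part of Resilio Connect."""

# Constructed sample /etc/passwd contents for the two hosts (not real data).
SRC_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
svc:x:1500:1500::/var/svc:/usr/sbin/nologin
"""
DST_PASSWD = """root:x:0:0:root:/root:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
"""


def parse_id_map(text):
    """Parse passwd- or group-style lines (name:x:id:...) into {name: id}."""
    ids = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        ids[fields[0]] = int(fields[2])
    return ids


def compare_id_maps(src, dst):
    """Report the three mismatches the article warns about.

    unknown_ids:   source ids with no entry on target (shown as numbers there)
    remapped_ids:  ids that belong to a different name on target
                   (by-ID sync silently hands the files to that other user)
    missing_names: source names absent on target (by-name sync fails)
    """
    src_by_id = {uid: name for name, uid in src.items()}
    dst_by_id = {uid: name for name, uid in dst.items()}
    unknown = sorted(u for u in src_by_id if u not in dst_by_id)
    remapped = sorted((u, src_by_id[u], dst_by_id[u]) for u in src_by_id
                      if u in dst_by_id and dst_by_id[u] != src_by_id[u])
    missing = sorted(n for n in src if n not in dst)
    return {"unknown_ids": unknown, "remapped_ids": remapped,
            "missing_names": missing}


def safe_to_sync_by_id(src, dst):
    """True only when every source id resolves to the same name on target."""
    report = compare_id_maps(src, dst)
    return not report["unknown_ids"] and not report["remapped_ids"]


if __name__ == "__main__":
    for key, value in compare_id_maps(parse_id_map(SRC_PASSWD),
                                      parse_id_map(DST_PASSWD)).items():
        print(f"{key}: {value}")
```

On real hosts, feed the function the contents of /etc/passwd (and /etc/group) from both machines and fix any remapped IDs before choosing by-ID mode.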
ACLs for OS X and Linux
POSIX.1 permissions lack flexibility, such as assigning multiple users and groups to a single item or granting more granular access. Therefore permissions were extended with Access Control Lists (ACLs). While ACLs are fairly standard on OS X machines, there is no common standard across Linux distributions.
ACL synchronization is not officially supported by Resilio Connect. You may attempt to synchronize ACLs by delivering extended attributes, although the result is not guaranteed.