fix(systemd): support overrides for syncOwnership#10602

Merged: calmh merged 1 commit into syncthing:main from Valloric:break-fix on Mar 11, 2026

Conversation

Contributor

@Valloric Valloric commented Mar 11, 2026

Syncthing docs in https://docs.syncthing.net/users/autostart.html#permissions tell the user to set `AmbientCapabilities=CAP_CHOWN CAP_FOWNER` if the user wishes to use the `syncOwnership` option.

#10421 broke `syncOwnership` for users that followed that advice because the PR introduced `CapabilityBoundingSet=` which cancels out any additional capabilities granted with `AmbientCapabilities`.

(`AmbientCapabilities` _adds_ capabilities; `CapabilityBoundingSet` _limits_ maximum capabilities to the specified set. Setting `CapabilityBoundingSet` to an empty list prevents any capabilities from being acquired in any way.)

This PR fixes the breakage by explicitly setting

    CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER

This does _not_ grant any additional access rights to syncthing if the user is not explicitly setting `AmbientCapabilities` as well, but it does loosen the sandbox _a bit_. An attacker compromising the syncthing process could now more easily expand their access to include CAP_CHOWN/CAP_FOWNER even if the user is not setting `AmbientCapabilities`.


@github-actions github-actions bot added the bug A problem with current functionality, as opposed to missing functionality (enhancement) label Mar 11, 2026
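The directive semantics summarised in the description above, worked through as an added example; this is not Syncthing's code and is not part of the PR. It models how systemd merges repeated `CapabilityBoundingSet=` and `AmbientCapabilities=` lines across a unit file and its drop-ins (a plain list is OR-ed in, a `~`-prefixed list is AND-NOT-ed out, an empty value resets the set) and then applies the rule the PR relies on: a capability reaches the service only if it is in both the ambient set and the bounding set. The capability list and the unit fragments are constructed stand-ins, not the real unit file.

```go
// Added example, not Syncthing's code: a model of systemd's capability
// directive merging and of why an empty bounding set cancels an ambient
// override. Capability names and unit fragments below are constructed.
package main

import (
	"fmt"
	"sort"
	"strings"
)

// allCaps stands in for the kernel's complete capability list (the real list
// is much longer); a constructed subset that is enough for the example.
var allCaps = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER",
	"CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN",
}

type capSet map[string]bool

// apply folds one directive value into the running state of that directive.
// state == nil means the directive has not been seen yet. Rules as given in
// systemd.exec(5) and summarised in the PR description:
//   - an empty value resets the set to empty and discards earlier lines;
//   - a plain list is OR-ed in (on the first line: exactly that list);
//   - a "~"-prefixed list is AND-NOT-ed out (first line: everything but it).
func apply(state capSet, value string) capSet {
	value = strings.TrimSpace(value)
	if value == "" {
		return capSet{}
	}
	invert := strings.HasPrefix(value, "~")
	listed := strings.Fields(strings.TrimPrefix(value, "~"))
	if state == nil {
		state = capSet{}
		if invert {
			for _, c := range allCaps {
				state[c] = true
			}
		}
	}
	for _, c := range listed {
		if invert {
			delete(state, c)
		} else {
			state[c] = true
		}
	}
	return state
}

// names renders a set as a sorted, space-separated list (unit-file syntax).
func names(s capSet) string {
	out := make([]string, 0, len(s))
	for c := range s {
		out = append(out, c)
	}
	sort.Strings(out)
	return strings.Join(out, " ")
}

// Result is the merged state plus what the service process actually receives.
type Result struct {
	Bounding, Ambient, Granted string
}

// Evaluate reads unit fragments in the order systemd does (the unit file,
// then each drop-in) and interprets only the two capability directives.
func Evaluate(fragments ...string) Result {
	var bounding, ambient capSet
	for _, frag := range fragments {
		for _, line := range strings.Split(frag, "\n") {
			key, value, ok := strings.Cut(strings.TrimSpace(line), "=")
			if !ok {
				continue
			}
			switch key {
			case "CapabilityBoundingSet":
				bounding = apply(bounding, value)
			case "AmbientCapabilities":
				ambient = apply(ambient, value)
			}
		}
	}
	if bounding == nil { // never set: nothing is dropped from the bounding set
		bounding = capSet{}
		for _, c := range allCaps {
			bounding[c] = true
		}
	}
	// systemd can only raise an ambient capability that survived the bounding
	// set drop, so an empty CapabilityBoundingSet= silently cancels an
	// AmbientCapabilities= override: the breakage this PR fixes.
	granted := capSet{}
	for c := range ambient {
		if bounding[c] {
			granted[c] = true
		}
	}
	return Result{Bounding: names(bounding), Ambient: names(ambient), Granted: names(granted)}
}

func main() {
	// Constructed fragments standing in for the unit as shipped by #10421, the
	// unit after this PR, and a user drop-in written as the docs recommend.
	unitBefore := "[Service]\nCapabilityBoundingSet=\n"
	unitAfter := "[Service]\nCapabilityBoundingSet=CAP_CHOWN CAP_FOWNER\n"
	override := "[Service]\nAmbientCapabilities=CAP_CHOWN CAP_FOWNER\n"
	for _, tc := range []struct {
		name  string
		frags []string
	}{
		{"#10421 unit + override", []string{unitBefore, override}},
		{"#10602 unit + override", []string{unitAfter, override}},
		{"#10602 unit, no override", []string{unitAfter}},
	} {
		r := Evaluate(tc.frags...)
		fmt.Printf("%-26s bounding=[%s] ambient=[%s] granted=[%s]\n",
			tc.name, r.Bounding, r.Ambient, r.Granted)
	}
}
```

Run with `go run` to see the three situations the description discusses: the #10421 unit with the documented override grants nothing, the #10602 unit with the override grants CAP_CHOWN and CAP_FOWNER, and the #10602 unit alone still grants nothing even though its bounding set is wider. To check a live service rather than the model, read the `CapBnd` and `CapAmb` lines from `/proc/<pid>/status` of the running syncthing process and decode them with `capsh --decode=<hex>`.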
@calmh calmh merged commit c4ff02d into syncthing:main Mar 11, 2026
32 checks passed
Valloric added a commit to Valloric/syncthing that referenced this pull request Mar 12, 2026
calmh pushed a commit that referenced this pull request Mar 13, 2026
fix(systemd): Add back chown allowed syscalls

IFF the user enables the `syncOwnership` feature AND sets
`AmbientCapabilities=CAP_CHOWN CAP_FOWNER` as the docs in
https://docs.syncthing.net/users/autostart.html#permissions state,
THEN syncthing needs to use the `chown` syscall.

PR #10421 added a comprehensive sandbox that breaks `syncOwnership`.
In PR #10602 we fixed one part, which is expanding the default
`CapabilityBoundingSet` (see the PR for details).

But there's a very subtle bug that this PR fixes. PR #10421 sets the
following properties:

    SystemCallFilter=@system-service
    SystemCallFilter=~@privileged io_uring_enter io_uring_register io_uring_setup

(Systemd merges `SystemCallFilter` values; we had to set the property
twice because to negate syscalls, the whole list has to start with `~`.)

The goal was to allow all syscalls in the `@system-service` set, BUT
disallow any `@privileged` syscalls and the `io_uring*` syscalls.

But the sets are not disjoint; `chown` is in both `@system-service` and
in `@privileged`, so it is removed from the allow list by the second
property value.

This property is also parsed in a very peculiar way. From systemd docs:

> If you specify both types of this option (i.e. allow-listing and
> deny-listing), the first encountered will take precedence and will
> dictate the default action (termination or approval of a system call).
> Then the next occurrences of this option will add or delete the listed
> system calls from the set of the filtered system calls, depending of its
> type and the default action. (For example, if you have started with an
> allow list rule for read() and write(), and right after it add a deny
> list rule for write(), then write() will be removed from the set.)

Not only does the order of `SystemCallFilter` properties matter (later
ones can undo effects of prior ones), but the _type_ of the _first_
property sets the overall behavior of the syscall filter: if the first
`SystemCallFilter` value is an allow list, then all syscalls that are
not specified are disallowed by default (and reverse if the first value
is a deny list).

Of course, this is completely different from how other allow/deny lists
are implemented in systemd; for example, `IPAddress[Allow|Deny]`
properties don't work like this at all. >:(

Since this complexity has bit us once, we're removing the additional
deny list of syscalls and sticking with just
`SystemCallFilter=@system-service`.

This leaves some privileged syscalls in the allow list. Other options
would require entering the "deny list by default" mode and deny lists
are less secure than allow lists in general because they have to be
maintained (the kernel always adds new syscalls). The rest of the
sandbox (capability bounds) should be sufficient.

Fixes #10603

Signed-off-by: Val Markovic <val@markovic.io>
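The merging rule quoted from systemd.exec(5) above, implemented as an added example (not Syncthing's code and not part of either PR) so the orderings discussed can be compared side by side: the two-line filter from #10421, the single-line filter the fix keeps, and the same two lines with the deny line first. The contents of `@system-service` and `@privileged` are constructed, heavily abridged stand-ins that keep only the overlap the commit message points out (the chown family) plus a few unrelated calls; the real groups are resolved on a host with `systemd-analyze syscall-filter @system-service @privileged`.

```go
// Added example, not Syncthing's code: a model of how systemd merges several
// SystemCallFilter= lines. Group contents are constructed stand-ins.
package main

import (
	"fmt"
	"strings"
)

// Constructed, heavily abridged stand-ins for two systemd syscall groups.
// Only the overlap matters for the example: the chown family is in both.
var groups = map[string][]string{
	"@system-service": {"read", "write", "openat", "close", "fstat", "mmap",
		"socket", "connect", "chown", "fchown", "fchownat", "lchown"},
	"@privileged": {"chown", "fchown", "fchownat", "lchown",
		"reboot", "init_module", "iopl"},
}

// Filter is the merged result of a unit's SystemCallFilter= lines.
type Filter struct {
	DefaultAllow bool            // fixed by the type of the first line seen
	Listed       map[string]bool // allow list if !DefaultAllow, deny list otherwise
}

// expand replaces @group names with their members, leaving plain names alone.
func expand(tokens []string) []string {
	var out []string
	for _, tok := range tokens {
		if members, ok := groups[tok]; ok {
			out = append(out, members...)
		} else {
			out = append(out, tok)
		}
	}
	return out
}

// Apply merges one SystemCallFilter= value using the rule the commit message
// quotes from systemd.exec(5): the first line's type fixes the default action,
// and every later line adds to the listed set when it is of the same type as
// that first line, or removes from it when it is of the opposite type.
func (f *Filter) Apply(value string) {
	value = strings.TrimSpace(value)
	if value == "" { // an empty assignment resets the filter
		f.Listed = nil
		return
	}
	deny := strings.HasPrefix(value, "~")
	if f.Listed == nil {
		f.DefaultAllow = deny // a deny list first means "allow by default"
		f.Listed = map[string]bool{}
	}
	for _, sc := range expand(strings.Fields(strings.TrimPrefix(value, "~"))) {
		if deny == f.DefaultAllow {
			f.Listed[sc] = true
		} else {
			delete(f.Listed, sc)
		}
	}
}

// Allowed reports whether the merged filter lets a syscall through.
func (f *Filter) Allowed(syscall string) bool {
	if f.Listed == nil {
		return true // no filter installed
	}
	if f.DefaultAllow {
		return !f.Listed[syscall]
	}
	return f.Listed[syscall]
}

// Build merges directive values in unit-file order.
func Build(values ...string) *Filter {
	f := &Filter{}
	for _, v := range values {
		f.Apply(v)
	}
	return f
}

func main() {
	cases := []struct {
		name string
		f    *Filter
	}{
		{"#10421: allow line, then ~deny line", Build("@system-service",
			"~@privileged io_uring_enter io_uring_register io_uring_setup")},
		{"#10605: allow line only", Build("@system-service")},
		{"~deny line first: default flips", Build("~@privileged", "@system-service")},
	}
	for _, c := range cases {
		fmt.Printf("%-36s default-allow=%-5v", c.name, c.f.DefaultAllow)
		for _, sc := range []string{"read", "chown", "reboot", "mount"} {
			fmt.Printf(" %s=%-5v", sc, c.f.Allowed(sc))
		}
		fmt.Println()
	}
}
```

With the allow line first, `chown` is removed by the later `~@privileged` line exactly as the commit message describes. With the deny line first the default flips to allow and a call listed nowhere (here `mount`) passes, which is why the fix keeps a single allow-list line rather than reordering. On a real host, `systemd-analyze security <unit>` reports the resulting filter mode for the unit.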
Hancock33 added a commit to Hancock33/batocera.piboy that referenced this pull request Mar 15, 2026
------------------------------------------------------------------------------------------
rocknix-abl.mk 50da7fcba0d1a1e29ce6a39aacdc65055eeedf29 # Version: Commits on Mar 13, 2026
------------------------------------------------------------------------------------------
Merge pull request #1 from tiopex/master

Add CI,

--------------------------------------------------------------------------------------------------------
batocera-emulationstation.mk 24be8599cc89fcafba5a3389d51abb24d03991f5 # Version: Commits on Mar 13, 2026
--------------------------------------------------------------------------------------------------------
Merge pull request #2097 from fabricecaruso/win

[Help / StackPanel] Small fixes with layouting when children size changes,

------------------------------------------------------------------------------------------------
batocera-es-piboy.mk 24be8599cc89fcafba5a3389d51abb24d03991f5 # Version: Commits on Mar 13, 2026
------------------------------------------------------------------------------------------------
Merge pull request #2097 from fabricecaruso/win

[Help / StackPanel] Small fixes with layouting when children size changes,

---------------------------------------------------------------------------------------
amiberry.mk 4ba1d465271178263fc359d77403f63b8cc595fb # Version: Commits on Mar 13, 2026
---------------------------------------------------------------------------------------
fix: trigger CI workflow on tag pushes for release builds,

--------------------------------------------------------------------------------------------
amiberry-lite.mk ba6382b112bccc1e2f7a2ee6b6903645f6bc3101 # Version: Commits on Mar 13, 2026
--------------------------------------------------------------------------------------------
Merge pull request #30 from spectrumero/bugfix/joystick_out_of_range

Prevent joystick index from being out of range when setting key configs,

-------------------------------------------------------------------------------------
azahar.mk 100b00b3b569a24e8a27ed692c39d6961a12ae8c # Version: Commits on Mar 13, 2026
-------------------------------------------------------------------------------------
Fix typo "cartidges",

------------------------------------------------------------------------------------------
duckstation.mk 770bebf3c9bf9bcb1e85ff4d567710b7dc0b049b # Version: Commits on Mar 13, 2026
------------------------------------------------------------------------------------------
Settings: Remove empty sections before saving,

-----------------------------------------------------------------------------------
eden.mk 47ed86d3e2a138b81c194fa5386bb8dde9460b91 # Version: Commits on Mar 13, 2026
-----------------------------------------------------------------------------------
[vk] Partial return of the old buffer update logic (#3690)

--------------------------------------------------------------------------------------
flycast.mk c8870682536620ed15b85755e181c78f08eb364c # Version: Commits on Mar 13, 2026
--------------------------------------------------------------------------------------
delete dcnet utility for dreampi

Use https://github.com/scrivanidc/dreampi_custom_scripts instead,

--------------------------------------------------------------------------------------
openmsx.mk bef559e0e2e1413ba8abbef882224a5919214c5a # Version: Commits on Mar 11, 2026
--------------------------------------------------------------------------------------
Fix OpenMSX crash when compiled against SDL2-compat

OpenMSX calls SDL_SetWindowGrab before the video subsystem is initialised, which when compiled against the sdl2-compat compatibility layer causes a segfault. That didn't happen before because SDL2 has a macro called CHECK_WINDOW_MAGIC that initialised video subsystem before any attempt to reference it. But SDL2-compat doesn't use that macro and calls SDL3 functions directly, so `_this` in SDL3 is not initialised before `_this->grabbed_window` is referenced in SDL_GetGrabbedWindow, causing OpenMSX to abort.,

----------------------------------------------------
pcsx2.mk v2.7.182 # Version: Commits on Mar 13, 2026
----------------------------------------------------
- [GameDB:Paddington Bear half right fix](PCSX2/pcsx2#14141),

-----------------------------------------------------------------------------------
play.mk d35604313577ca7bad4f09dbf7022416a5cea89b # Version: Commits on Mar 13, 2026
-----------------------------------------------------------------------------------
Merge pull request #1504 from hardBSDk/patch-1

Explain how to test the latest builds,

-------------------------------------------------------------------------------------
ppsspp.mk f138aed508355a5a27acce19548bf65daf85bdd3 # Version: Commits on Mar 13, 2026
-------------------------------------------------------------------------------------
Merge pull request #21424 from hrydgard/more-minor-fixes

Fix control input issues when toggling the pause menu using a controller,

-------------------------------------------------------------------------------------
ikemen.mk 190da1f488e428a5bc14859acb12d9a03b811fce # Version: Commits on Mar 13, 2026
-------------------------------------------------------------------------------------
style: fix code style issues with gofmt,

---------------------------------------------------------------------------------------------
solarus-engine.mk 7b69cf0541964566a0e244f16ec2d03443a1f59b # Version: Commits on Mar 13, 2026
---------------------------------------------------------------------------------------------
Merge branch 'metallizer/fix-treasure-state-on-ice' into 'dev'

----------------------------------------------------------------------------------------
rpi-utils.mk 1236508f013ca82115a5907ebb942e75ab94d8af # Version: Commits on Mar 13, 2026
----------------------------------------------------------------------------------------
Add otamaker

otamaker is a tool for creating Raspberry Pi Connect Remote Update artefacts, and provided as part of the rpi-connect-ota package. It is made available here for users who want to run it on other OSes, and as a way of hosting the documentation (currently the README.md).,

------------------------------------------------------------------------------------
box64.mk 08d376c660cd60c2fdf4914fc28696338c679e5c # Version: Commits on Mar 13, 2026
------------------------------------------------------------------------------------
[WRAPPER] Wrapped more symbols used by rpcs3 (#3665)

* [WRAPPER] Wrapped more symbols used by rpcs3

* wrrrr

* static build,

------------------------------------------------------------
syncthing.mk v2.0.16-rc.2 # Version: Commits on Mar 13, 2026
------------------------------------------------------------
## Major changes in 2.0

- Database backend switched from LevelDB to SQLite. There is a migration on
  first launch which can be lengthy for larger setups. The new database is
  easier to understand and maintain and, hopefully, less buggy.
- The logging format has changed to use structured log entries (a message
  plus several key-value pairs). Additionally, we can now control the log
  level per package, and a new log level WARNING has been inserted between
  INFO and ERROR (which was previously known as WARNING...). The INFO level
  has become more verbose, indicating the sync actions taken by Syncthing. A
  new command line flag `--log-level` sets the default log level for all
  packages, and the `STTRACE` environment variable and GUI have been updated
  to set log levels per package. The `--verbose` and `--logflags` command
  line options have been removed and will be ignored if given.
- Deleted items are no longer kept forever in the database, instead they are
  forgotten after fifteen months. If your use case requires deletes to take
  effect after more than a fifteen month delay, set the
  `--db-delete-retention-interval` command line option or corresponding
  environment variable to zero, or a longer time interval of your choosing.
- Modernised command line options parsing. Old single-dash long options are
  no longer supported, e.g. `-home` must be given as `--home`. Some options
  have been renamed, others have become subcommands. All serve options are
  now also accepted as environment variables. See `syncthing --help` and
  `syncthing serve --help` for details.
- Rolling hash detection of shifted data is no longer supported as this
  effectively never helped. Instead, scanning and syncing is faster and more
  efficient without it.
- A "default folder" is no longer created on first startup.
- Multiple connections are now used by default between v2 devices. The new
  default value is to use three connections: one for index metadata and two
  for data exchange.
- The following platforms unfortunately no longer get prebuilt binaries for
  download at syncthing.net and on GitHub, due to complexities related to
  cross compilation with SQLite:
  - dragonfly/amd64
  - solaris/amd64
  - linux/ppc64
  - netbsd/*
  - openbsd/386 and openbsd/arm
  - windows/arm
- The handling of conflict resolution involving deleted files has changed. A
  delete can now be the winning outcome of conflict resolution, resulting in
  the deleted file being moved to a conflict copy.

This release is also available as:

* APT repository: https://apt.syncthing.net/
* Docker image: `docker.io/syncthing/syncthing:2.0.16-rc.2` or `ghcr.io/syncthing/syncthing:2.0.16-rc.2`
  (`{docker,ghcr}.io/syncthing/syncthing:2` to follow just the major version)

## What's Changed

### Fixes

* fix(protocol): verify compressed message length before decompression by @calmh in syncthing/syncthing#10595
* fix(systemd): support overrides for syncOwnership by @Valloric in syncthing/syncthing#10602
* fix(systemd): add back chown allowed syscalls by @Valloric in syncthing/syncthing#10605

### Other

* chore(config, connections): use same reconnection interval for QUIC and TCP (fixes #10507) by @marbens-arch in syncthing/syncthing#10573
* build(deps): update dependencies by @calmh in syncthing/syncthing#10588
* chore(sqlite): reduce max open connections, keep them open permanently (fixes #10592) by @calmh in syncthing/syncthing#10596

**Full Changelog**: syncthing/syncthing@v2.0.15...v2.0.16-rc.2,

-----------------------------------------------------------------------------------
xone.mk f2aa9fe01103d7600553b505b298ff0bd47ff280 # Version: Commits on Mar 13, 2026
-----------------------------------------------------------------------------------
Merge pull request #181 from pierres/fix/client-dedup

dongle: fix beacon loopback and duplicate WCID allocation,

----------------------------------------------------------------------------------------
retroarch.mk b0624a720abee8b3336f100d66c7498348dff171 # Version: Commits on Mar 13, 2026
----------------------------------------------------------------------------------------
Revert "task_save_handler improvements:"

This reverts commit 6e17be0d3fc7f23168000647c422f38e5691b744.,

---------------------------------------------------------------------------------------------
easyrpg-player.mk 1560cf41879ad731ec07a7b2d51f67db6c3a82ec # Version: Commits on Mar 13, 2026
---------------------------------------------------------------------------------------------
Merge pull request #3384 from florianessl/compat/PowerMode2003

Patch compatibility: Power Mode 2003,

----------------------------------------------------------
bgfx.mk v1.140.9174-518 # Version: Commits on Mar 13, 2026
----------------------------------------------------------
add shader defines to bgfx_compile_shaders()

fixes bkaradzic/bgfx.cmake#19,

--------------------------------------------------------------------------------------------
vpinball-next.mk 8a1126a61585ebcfcfd0842d078b374b445c3bee # Version: Commits on Mar 13, 2026
--------------------------------------------------------------------------------------------
Properly report left flipper latency in Perf UI (min/max from button press to rotate start),

----------------------------------------------------------------------------------------
doomretro.mk 5918c6c08840c8836cd25a11279df57c5f44483e # Version: Commits on Mar 13, 2026
----------------------------------------------------------------------------------------
Fix use of `AASTINKY` and `AASHITTY` textures being replaced with solid missing texture

Fixes jetty in MAP01 of Pirate Doom 2.,

----------------------------------------------------------------------------------
trx.mk a50b8dea43ce264417bc15d5da209bb2bff350c0 # Version: Commits on Mar 12, 2026
----------------------------------------------------------------------------------
objects/gas_emitter: add gas emitter control

This adds green gas emitter control used near the sarcophagi in

Lud's Gate.,

-------------------------------------------------------------------------------------------------------
libretro-beetle-pce-fast.mk 0fa44d2500ebc9bf96d2808209be27a69006df79 # Version: Commits on Mar 13, 2026
-------------------------------------------------------------------------------------------------------
Fetch translations & Recreate libretro_core_options_intl.h,

--------------------------------------------------------------------------------------------------
libretro-beetle-psx.mk ab22ffb4c53a49e3842738fb2683eba9f88d3bb8 # Version: Commits on Mar 13, 2026
--------------------------------------------------------------------------------------------------
Fetch translations & Recreate libretro_core_options_intl.h,

--------------------------------------------------------------------------------------------------
libretro-clownmdemu.mk 0c29539f307e839962d71192336769e37ae28006 # Version: Commits on Mar 13, 2026
--------------------------------------------------------------------------------------------------
Ignore `unity.o`.,

--------------------------------------------------------------------------------------------
libretro-dice.mk 72d66a67a296b004fa0bb7a57dbab9cfcec462b9 # Version: Commits on Mar 13, 2026
--------------------------------------------------------------------------------------------
Fetch translations & Recreate libretro_core_options_intl.h,

-----------------------------------------------------------------------------------------------
libretro-easyrpg.mk 1560cf41879ad731ec07a7b2d51f67db6c3a82ec # Version: Commits on Mar 13, 2026
-----------------------------------------------------------------------------------------------
Merge pull request #3384 from florianessl/compat/PowerMode2003

Patch compatibility: Power Mode 2003,

---------------------------------------------------------------------------------------------
libretro-fbneo.mk ca8dd9686ba67e1b8582b358a292b5c08999aa52 # Version: Commits on Mar 13, 2026
---------------------------------------------------------------------------------------------
(libretro) update files,

-----------------------------------------------------------------------------------------------
libretro-flycast.mk c8870682536620ed15b85755e181c78f08eb364c # Version: Commits on Mar 13, 2026
-----------------------------------------------------------------------------------------------
delete dcnet utility for dreampi

Use https://github.com/scrivanidc/dreampi_custom_scripts instead,

------------------------------------------------------------------------------------------------
libretro-gambatte.mk d3c39fa18476ddce05027db3d29abba813fa74e2 # Version: Commits on Mar 13, 2026
------------------------------------------------------------------------------------------------
Fetch translations & Recreate libretro_core_options_intl.h,

----------------------------------------------------------------------------------------------
libretro-ppsspp.mk f138aed508355a5a27acce19548bf65daf85bdd3 # Version: Commits on Mar 13, 2026
----------------------------------------------------------------------------------------------
Merge pull request #21424 from hrydgard/more-minor-fixes

Fix control input issues when toggling the pause menu using a controller,

---------------------------------------------------------------------------------------------
libretro-vba-m.mk 1a3b05a7d1cac6c1400e9323bd7d7ec8765d5ea9 # Version: Commits on Mar 13, 2026
---------------------------------------------------------------------------------------------
translations: transifex pull

Signed-off-by: Rafael Kitover <rkitover@gmail.com>,
calmh added a commit to calmh/syncthing that referenced this pull request Mar 21, 2026
* main: (45 commits)
  chore(gui, man, authors): update docs, translations, and contributors
  chore(sqlite): reduce max open connections, keep them open permanently (fixes syncthing#10592) (syncthing#10596)
  fix(systemd): add back chown allowed syscalls (syncthing#10605)
  fix(systemd): support overrides for syncOwnership (syncthing#10602)
  chore(gui, man, authors): update docs, translations, and contributors
  fix(protocol): verify compressed message length before decompression (syncthing#10595)
  build(deps): update dependencies (syncthing#10588)
  chore: trigger rebuild
  chore(gui, man, authors): update docs, translations, and contributors
  chore(gui, man, authors): update docs, translations, and contributors
  chore(gui, man, authors): update docs, translations, and contributors
  chore(config, connections): use same reconnection interval for QUIC and TCP (fixes syncthing#10507) (syncthing#10573)
  chore: build with Go 1.26; use Go 1.25 features (syncthing#10570)
  chore(etc): add more comprehensive systemd sandboxing (syncthing#10421)
  fix(gui): remove width limit for language select items (syncthing#10531)
  fix(gui): show restarting modal during upgrade restart (fixes syncthing#1248) (syncthing#10566)
  chore(db): add ability to wait for programmatically started database maintenance, query last maintenance time (syncthing#10565)
  chore(gui, man, authors): update docs, translations, and contributors
  chore(gui): add id and name to Stay logged in checkbox for password managers (syncthing#10558)
  refactor: remove unused support for Azure blob stores
  ...