Page 1 of 1
SABnzbd Applying Permissions When "Permissions for completed downloads" is Blank
Posted: December 24th, 2022, 10:35 am
by DogEyedBoy
SABnzbd 3.7.1 LinuxServer Docker container Synology DSM 7.
SABnzbd is applying permissions to everything (as far as I can tell) even when the "Permissions for completed downloads" option is blank.
Debug log shows:
Code: Select all
2022-12-24 14:54:16,644::DEBUG::[filesystem:604] Applying permissions 0o100666 (octal) to...
(Had to remove the filename as "New users are not allowed to post links".)
It seems like this is unnecessary and it shouldn't be happening?
Re: SABnzbd Applying Permissions When "Permissions for completed downloads" is Blank
Posted: December 24th, 2022, 11:54 am
by sander
On your incomplete directory, right?
Happens on my SAB too, and I have Permissions blank too.
Code: Select all
2022-12-20 18:40:28,236::DEBUG::[filesystem:604] Applying permissions 0o100644 (octal) to /shared_dir/_UNPACK_test_download_1000MB.8/1GB-explanation.txt
2022-12-20 18:40:28,236::DEBUG::[filesystem:604] Applying permissions 0o100644 (octal) to /shared_dir/_UNPACK_test_download_1000MB.8/1GB.bin
Looking at the code, I think this is the reason:
Code: Select all
# Check if the file has any x-bits, no need to remove them otherwise
if custom_permissions or current_permissions & UNWANTED_FILE_PERMISSIONS:
# Mask out the X-bits
set_chmod(path, current_permissions & ~UNWANTED_FILE_PERMISSIONS, allow_failures)
So ... masking out the x-bits, because downloaded files should not be executable? In other words: Security
Re: SABnzbd Applying Permissions When "Permissions for completed downloads" is Blank
Posted: December 25th, 2022, 1:59 pm
by DogEyedBoy
Yes, this is happening in the incomplete directory but is obviously carried on through the the final file and destination.
Re: SABnzbd Applying Permissions When "Permissions for completed downloads" is Blank
Posted: December 27th, 2022, 9:43 am
by sander
DogEyedBoy wrote: ↑December 25th, 2022, 1:59 pm
Yes, this is happening in the incomplete directory but is obviously carried on through the the final file and destination.
And what is negative effect of that?
Re: SABnzbd Applying Permissions When "Permissions for completed downloads" is Blank
Posted: December 27th, 2022, 11:13 am
by DogEyedBoy
It's giving all users read and write access. I have my permissions set-up as I want them within my Synology Shared Folders, I don't need SABnzbd to do anything with permissions.
Re: SABnzbd Applying Permissions When "Permissions for completed downloads" is Blank
Posted: December 27th, 2022, 11:19 am
by sander
DogEyedBoy wrote: ↑December 27th, 2022, 11:13 am
It's giving all users read and write access. I have my permissions set-up as I want them within my Synology Shared Folders, I don't need SABnzbd to do anything with permissions.
Oh, really. Brrr.
And indeed on Synology, SAB should not touch at all user rights (AFAIK), because Synology wants to do user rights with ACL.
So ... what do you propose as solution?
Easy to leave that line out when Permission is not set. But what about the x-bit then?
Re: SABnzbd Applying Permissions When "Permissions for completed downloads" is Blank
Posted: December 27th, 2022, 2:04 pm
by jcfp
The code stripping the executable and setgid/setuser bits doesn't expand permissions (unless custom permissions are set to that effect), see the
relevant function. In the absence of custom permissions, it applies the intersection of the current permissions with the inverse of the unwanted-for-security-reasons stuff. That bitwise operation cannot add anything that wasn't there before; i.e. files only end up world-writable if they were world-writable before the function was applied.
Re: SABnzbd Applying Permissions When "Permissions for completed downloads" is Blank
Posted: December 27th, 2022, 2:29 pm
by sander
I tested with two NZBs, and can confirm what jcfp says.
https://raw.githubusercontent.com/sande ... r__400.nzb
https://raw.githubusercontent.com/sande ... on_777.nzb
only look at the bin files, which nicely arrive on my Linux with the orginal permissions set aka kept in place:
-r-------- 1 sander sander 100000000 dec 27 20:18 100MB_r__400.bin
-rw-rw-rw- 1 sander sander 100000000 dec 27 20:18 rwx_all_on_777.bin
Re: SABnzbd Applying Permissions When "Permissions for completed downloads" is Blank
Posted: December 30th, 2022, 3:19 am
by sander
So DogEyedBoy ... can you follow up?