SynoCommunity / spksrc

Cross compilation framework to create native packages for the Synology's NAS
https://synocommunity.com

Permissions gone since Sonarr/Transmission update #3192

Closed WolfH closed 6 years ago

WolfH commented 6 years ago

For new Package Requests, see the guidelines

Setup

Package Name: Sonarr / Transmission
Package Version: Latest update

NAS Model: DS214
NAS Architecture: ARM
DSM version: DSM 6.1.5-15254 Update 1

Expected behavior

Sonarr should be able to move items from the Transmission download-folder to the media-folder as it did before the update.

Actual behavior

It seems that permissions for Sonarr have been set wrong since updating to the newest version using the sc-download group. I'm getting errors like:

Couldn't import episode /volume1/homes/admin/downloads/NAME.mkv: Access to the path is denied.

I've checked the permissions in File Station and the downloads folder is owned by user sc-transmission and group sc-download (to which sonarr belongs if I'm not mistaken).

It worked fine before, this all started since updating to the new permissions-structure.

Steps to reproduce

1. Install the latest update.
2. Try to download and move a file.

BenjV commented 6 years ago

No that's not possible, because it has to be done on a share level and the package does not know which share they will be using.

The better question is whether the decision to use "windows ACL" instead of the Linux privilege setting was the correct one. If we stay with the ACLs then the only thing we could do is give the advice to convert all shares to "windows ACL" before installing the new packages.

smoker1000 commented 6 years ago

Why should users who were using the default setting in DSM have to convert to ACL, when it was working fine before? I appreciate the work being done, but this should have been tested before release.

dan2kx commented 6 years ago

@BenjV Converting the share to ACL didn't work for me...

UPDATE: I didn't convert the other folder they were getting moved into, duuuuuh! I can confirm it's working for me now.

Safihre commented 6 years ago

@smoker1000 we have tested for months, it didn't come up. @BenjV Yes Linux permissions would be easier, and now with all packages part of sc-download is it really different than the old situation where all packages were part of users? I am starting to doubt the whole approach now since it only adds complexity.

smoker1000 commented 6 years ago

I guess the update in my case didn't complete for some reason and left weird settings. Originally my TV shows folder was set as Owner-Admin, Groups-Users and all my individual tv shows folders within the folder Tv Shows had permissions of Owner-sc-nzbdrone and Group-nzbdrone

After the update the TV Shows folder stayed the same, Owner-Admin, Groups-Users and the individual tv shows folders were 95% changed to Owner-101 and Group-Users

Have no idea where the Owner-101 is coming from.

Also when a new show is added to Sonarr and it creates a new folder for the show it is created as Owner-sc-nzbdrone and Group-nzbdrone

I had tried to set the video folder as Owner-Admin and Group as both sc-media and sc-download and neither would let sonarr move the files

And now there is no way to have the package try to install again to see if it changes anything

SX86 commented 6 years ago

@smoker1000 Uninstalling and re-installing won't change the permissions on your download and import folders. That's something you need to do yourself. Be sure to also apply the Read/Write permission recursively to all sub folders and files of your download and import folders.

Owner/User 101 is most likely the User ID of the user previously called "nzbdrone", which has now been deleted, and a new one has been created: sc-nzbdrone. The new user has most likely picked up a new UID, which needs to be used on the folders where user 101 is the owner.

SX86 commented 6 years ago

I decided to bite the bullet, take one for the team, and convert my download and video shares to Windows ACL. For each, I gave full read/write access to the share and all of its files and subfolders to the groups sc-media and sc-download. Sonarr then proceeded to pick up some newly aired episodes, sent them to Transmission for download, Sonarr then imported the file from the download share to the video share, and voilà! Everything works like it should again! No more errors in the logs, no more warning, everything works!

What I am understanding from this is that SynoCommunity is upgrading its packages to follow the new way permissions should be attributed to shares, folders and files starting DSM 6.0. Any packages that interact with files on your Synology NAS, these files and folders should have their permissions converted from standard Linux permissions to Windows ACLs, and given the proper permissions.

Safihre commented 6 years ago

@BenjV @ymartin59 We cannot enforce Windows ACL but we can detect if ACL is used, right? synoacltool gives this info, right? So we could include that as a preupgrade check that errors out with an explain-text if we see the share (that we extract from the config, just walk up the dir-tree) isn't ACL?

ymartin59 commented 6 years ago

Here is some explanation: a folder in the "transmission/complete" PATH may not be accessible to other users, even if in the "sc-download" group, because the ACL/permissions were too reduced for the process/shell/libc to list folder content and traverse. Probably the mistake was made because it was OK in File Station. This is fixed in #3216. For "consumer" services to be able to access any "public" content, their service user will be a member of "users" by default. A service that has both "producer" and "consumer" roles will write with "sc-download" group permission and read thanks to "users" (and also "sc-download") group permission. What is your opinion about it?
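The traversal failure described in the comment above can be located by testing each path component as the service account itself, so that mode bits and ACLs are both evaluated by the kernel. This is an added example, not part of the thread or of the spksrc code; the function name `first_blocked`, the script name and the `sudo -u` invocation are assumptions.

```shell
#!/bin/sh
# Added example. Run it AS the service account so the kernel applies that
# account's real rights (mode bits and ACLs); assumed invocation:
#   sudo -u sc-nzbdrone sh check_path.sh /volume1/video/SomeShow

# Walk an absolute path from / downwards and print the first component the
# current user cannot use. Prints nothing and returns 0 when the whole chain
# is traversable and the target itself is readable and writable.
first_blocked() {
    case $1 in /*) ;; *) echo "need an absolute path"; return 2 ;; esac
    cur=
    old_ifs=$IFS; IFS=/; set -f
    set -- $1                      # split the path on "/"
    set +f; IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ ! -e "$cur" ]; then
            echo "$cur: does not exist"; return 1
        fi
        # A directory without x cannot be entered, whatever lies below it.
        if [ -d "$cur" ] && [ ! -x "$cur" ]; then
            echo "$cur: no traverse (x)"; return 1
        fi
    done
    [ -n "$cur" ] || cur=/
    [ -r "$cur" ] || { echo "$cur: no read (r)"; return 1; }
    [ -w "$cur" ] || { echo "$cur: no write (w)"; return 1; }
    return 0
}

if [ $# -gt 0 ]; then first_blocked "$1"; fi
```

A result naming a parent directory rather than the target matches the situation in the comment: File Station shows the target as accessible while the process is stopped higher up the tree.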

ymartin59 commented 6 years ago

@WolfH I have published again Transmission. May you please update and report feedback if your trouble is fixed. Thank you in advance

WolfH commented 6 years ago

@ymartin59 I had already fixed my issues earlier on by manually fixing permissions. Installed the update anyway, and it's still working, so that's good. As far as the ACL-talk goes: I'm not using ACL and it's working out great. I'm going to close this issue as it has been fixed (for me at least).

Safihre commented 6 years ago

@ymartin59 does this include what you proposed in #3216?

BenjV commented 6 years ago

@WolfH How do you know you are not using ACL? If you have a NAS on which the shares were configured for the first time with DSM 5 or higher you surely have shares working with ACLs. Only shares configured before DSM 5 are still not using ACLs.

SIRRJ commented 6 years ago

@WolfH I have the same issue you describe but am a complete newbie to this world and would appreciate knowing the steps you took to get this fixed.

Thanks in advance.

jwardle commented 6 years ago

@WolfH @Safihre I'm still experiencing this permission issue after re-installing Transmission 2.93-14 (latest at time of writing) on DSM 6.1.6.

$ ls -al
drwxrwxrwx+  6            1029 users         4096 Feb  9  2013 .
drwxrwxrwx+ 11 root            users         4096 Apr  2 10:47 ..
drwxrwxrwx+  4 sc-transmission transmission  4096 Apr  2 14:45 complete

WolfH, would be good to understand what the correct permissions look like so we can replicate. The installation script does not appear to be setting the correct privileges still despite #3216

LaChoz commented 6 years ago

Hey guys,

Updating the post. I've also got a permission issue on my Sonarr. I tried several things :

no success, I still get in my log things like : ExtraService failed while processing "access to path /Volume1..../show folder" is denied

I'm desperate for a solution ...

Thx for any help

BenjV commented 6 years ago

What's the point in asking the same question in multiple places in this forum? Now you have to go hunting for the answer.

ersefuril commented 6 years ago

After some investigations, Sonarr seems to be running via sc-nzbd+ instead of sc-nzbdrone. So, giving access permissions to sc-download group, sc-nzbdrone user or whatever is not helping.

Any idea how can we either add this sc-nzbd+ user to sc-download group or tell Sonarr to run as sc-nzbdrone user ?

$ ps ax | grep nzb
22361 ? Sl 3:13 /usr/local/mono/bin/mono /volume1/@appstore/nzbdrone/share/NzbDrone/NzbDrone.exe

$ ps u 22361
sc-nzbd+ 22361 38.0 16.4 186428 110892 ? Sl 21:11 3:13 /usr/local/mono/bin/mono /volume1/@appstore/nzbdrone/share/NzbDrone/NzbDrone.exe

ersefuril commented 6 years ago

I've finally solved this issue by properly setting permissions to the /video folder AND to all subfolders via FileStation. sc-download (and maybe sc-nzbdrone, just in case) groups need to have read/write access. Do not forget to check the "apply to all subfolders" option on the bottom-left corner.

ForumFerret commented 6 years ago

Aaaand suddenly since middle of last week I'm also seeing Sonarr run as the user 'sc-nzbd+', which as far as I can tell doesn't exist on the system which is a neat trick.

BenjV commented 6 years ago

It is there, just not visible to you. It is hidden from the DSM GUI.

Safihre commented 6 years ago

I'd be very surprised if it ran as sabnzbd user. It's more likely that sabnzbd downloaded the file, after which Sonarr moved it (which it can, since they are both in download group) while preserving the original owner as sabnzbd.

ForumFerret commented 6 years ago

Actually it looks like the user displaying as "sc-nzbd+" is actually an artifact of ps not having enough UID/user space to display sc-nzbdrone. Setting sc-nzbdrone to have read/write access in DSM Files did indeed fix the problem.

BenjV commented 6 years ago

If you are using the latest package of the SynoCommunity, then I can tell you that sc-nzbd+ as well as sc-nzbdrone are artifacts of the past and should be removed.

The package itself is now running as a "hidden" user and is called sc-nzbdrone which is part of the group sc-download. You cannot see that user in the DSM GUI, but you should see sc-download. Permissions to access files and folder should be given via this group sc-download.

ymartin59 commented 6 years ago

Some properties/permissions UIs allow granting access to the hidden service user account (typically in Control Panel / Shared Folder / Permissions), but this requires administrative rights. We recommend permission management through the sc-download group, which is allowed from File Station for standard users.

ymartin59 commented 6 years ago

Please refer to https://github.com/SynoCommunity/spksrc/wiki/Permission-Management

mathieu-f commented 6 years ago

If you are still looking for a solution, you just have to add the sc-sickbeard-custom user (I use SickRage but Sonarr works the same) to the transmission group:

$ sudo synogroup --member transmission my-admin sc-sickbeard-custom sc-transmission

Please note that synogroup --member literally sets the member list, it does not just add a new user. So do not forget to check the member list of the transmission group before you set a new list:

$ sudo synogroup --get transmission
Group Name: [transmission]
Group Type: [AUTH_LOCAL]
Group ID:   [190144]
Group Members:
0:[my-admin]
1:[sc-sickbeard-custom]
2:[sc-transmission]

Hope this will help.
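Because `synogroup --member` replaces the whole list, a wrapper can read the current members from `synogroup --get` and print the full replacement command before anything is changed. This is an added example, not from the thread or the spksrc project; the function names and the account name `example-user` are hypothetical, and the sample text is the `--get` output shown in the comment above.

```shell
#!/bin/sh
# Sample input copied from the `synogroup --get transmission` output in the thread.
SAMPLE_GET='Group Name: [transmission]
Group Type: [AUTH_LOCAL]
Group ID:   [190144]
Group Members:
0:[my-admin]
1:[sc-sickbeard-custom]
2:[sc-transmission]'

# Extract member names from the "N:[name]" lines of `synogroup --get` (stdin).
parse_members() {
    sed -n 's/^[0-9][0-9]*:\[\(.*\)]$/\1/p'
}

# Read `synogroup --get` output on stdin and PRINT (not run) the command that
# keeps every current member and appends $2 to group $1.
# Returns 1 if $2 is already a member, 2 if the input has no member section
# (refusing to build a list from output that could not be parsed).
add_member_cmd() {
    group=$1 new=$2
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^Group Members:' || return 2
    members=$(printf '%s\n' "$out" | parse_members)
    if printf '%s\n' "$members" | grep -Fxq -- "$new"; then
        return 1
    fi
    # Unquoted $members: one name per line becomes one argument each.
    set -- $members "$new"
    printf 'synogroup --member %s %s\n' "$group" "$*"
}

# Dry run on the sample; on a NAS the input would come from
#   sudo synogroup --get transmission | add_member_cmd transmission example-user
printf '%s\n' "$SAMPLE_GET" | add_member_cmd transmission example-user
```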

BenjV commented 6 years ago

If you have a group called transmission then either you are using an old version or it is a leftover from a past installation. So adding these users to that group does not do anything at all unless you have an old transmission or a transmission package from another source.

And please do not use the hidden users starting with sc- for anything. All privileges can and must be set via the groups sc-media and sc-download. File permissions are the same as the permissions of the folder it is put in. If access is a problem most likely it is because file permission settings from the folder and the subfolders were created before the new DSM 6 packages. So use FileStation to give the groups sc-media and sc-download access rights to those folders and subfolders (recursive).

lordvalium commented 6 years ago

I have the same problem. Updated transmission and can not unrar the content downloaded with transmission.

BenjV commented 6 years ago

The solution is already written in the post before yours.

lordvalium commented 6 years ago

@BenjV thank you. But I don't really understand it. Those are my configs, and unrar is still not working. Why is that so complicated? No previous version as my DS918+ was quite new.

BenjV commented 6 years ago

It is not complicated, you are just lacking knowledge.

1. Use FileStation to select the Folder "video".
2. Right click and choose properties.
3. Go to Permission and select sc-download.
4. Tick the box below-left which says "Apply to this folder, subfolders and files".
5. Click "OK".

Explanation:

Files and subfolders get the same permission as the folder they are created in. So if for example the shared folder "video" was created before you added the permission for the group sc-download to it, the permissions for the already existing subfolders and files were not changed. You have to do that yourself with the help of FileStation.

lordvalium commented 6 years ago

Thank you @BenjV. I checked that (already) ;). And sc-download has read/write on the folder (recursive). And the user I am logged in DSM is in the group sc-download. Hmm, what can I do now? Aren't there any log files I could consult?