SABnzbd Applying Permissions When "Permissions for completed downloads" is Blank

[DogEyedBoy]

SABnzbd 3.7.1 LinuxServer Docker container Synology DSM 7.

SABnzbd is applying permissions to everything (as far as I can tell) even when the "Permissions for completed downloads" option is blank.

Debug log shows:

Code: Select all

2022-12-24 14:54:16,644::DEBUG::[filesystem:604] Applying permissions 0o100666 (octal) to...

(Had to remove the filename as "New users are not allowed to post links".)

It seems like this is unnecessary and it shouldn't be happening?

[sander]

On your incomplete directory, right?

Happens on my SAB too, and I have Permissions blank too.

Code: Select all

2022-12-20 18:40:28,236::DEBUG::[filesystem:604] Applying permissions 0o100644 (octal) to /shared_dir/_UNPACK_test_download_1000MB.8/1GB-explanation.txt
2022-12-20 18:40:28,236::DEBUG::[filesystem:604] Applying permissions 0o100644 (octal) to /shared_dir/_UNPACK_test_download_1000MB.8/1GB.bin

Looking at the code, I think this is the reason:

Code: Select all

        # Check if the file has any x-bits, no need to remove them otherwise
        if custom_permissions or current_permissions & UNWANTED_FILE_PERMISSIONS:
            # Mask out the X-bits
            set_chmod(path, current_permissions & ~UNWANTED_FILE_PERMISSIONS, allow_failures)

So ... masking out the x-bits, because downloaded files should not be executable? In other words: Security

[DogEyedBoy]

Yes, this is happening in the incomplete directory but is obviously carried on through the the final file and destination.

[sander]

Yes, this is happening in the incomplete directory but is obviously carried on through the the final file and destination.

And what is negative effect of that?

[DogEyedBoy]

It's giving all users read and write access. I have my permissions set-up as I want them within my Synology Shared Folders, I don't need SABnzbd to do anything with permissions.

[sander]

It's giving all users read and write access. I have my permissions set-up as I want them within my Synology Shared Folders, I don't need SABnzbd to do anything with permissions.

Oh, really. Brrr.

And indeed on Synology, SAB should not touch at all user rights (AFAIK), because Synology wants to do user rights with ACL.

So ... what do you propose as solution?

Easy to leave that line out when Permission is not set. But what about the x-bit then?

[jcfp]

The code stripping the executable and setgid/setuser bits doesn't expand permissions (unless custom permissions are set to that effect), see the relevant function. In the absence of custom permissions, it applies the intersection of the current permissions with the inverse of the unwanted-for-security-reasons stuff. That bitwise operation cannot add anything that wasn't there before; i.e. files only end up world-writable if they were world-writable before the function was applied.

[sander]

I tested with two NZBs, and can confirm what jcfp says.

https://raw.githubusercontent.com/sande ... r__400.nzb
https://raw.githubusercontent.com/sande ... on_777.nzb

only look at the bin files, which nicely arrive on my Linux with the orginal permissions set aka kept in place:

-r-------- 1 sander sander 100000000 dec 27 20:18 100MB_r__400.bin
-rw-rw-rw- 1 sander sander 100000000 dec 27 20:18 rwx_all_on_777.bin

[sander]

So DogEyedBoy ... can you follow up?