Syncing file system permissions
Overview
Resilio Active Everywhere Agents can synchronize Standard and Special NTFS permissions as well as POSIX.1 permissions.
Cross-platform synchronization of file permissions
Using High Availability Groups on a system that cannot apply the replicated permissions (for example, Linux with replicated NTFS permissions, or vice versa) should be avoided. This may lead to unexpected permission issues and access problems. Always ensure that HA groups are used on systems with compatible file permission structures.
Syncing NTFS permissions
Resilio offers the following modes for synchronizing NTFS permissions:
- Don't sync Owner - In this mode, Resilio Agents synchronize the user’s SID and permissions even if the user is not known to the target system. Once the target OS recognizes the user, it resolves the SID to the proper username. The Active Everywhere Agent must run as the Local System user to synchronize permissions.
- Sync full ACL - Similar to the above, but also includes the file/folder owner. Hosts must be in the same domain for the new owner to be applied, and Resilio Agent must run as the Domain Admin user. If the target system does not know this user, the ownership will be assigned to the user who runs the Agent service.
- Re-apply local inherited permissions (applicable to Resilio Active Everywhere 3.0.0 and newer) - When synchronizing files, the Agent places partial downloads in the service .sync directory. This parameter forces the Agent to reset the file's local permissions, inheriting them from the parent folder instead of the .sync folder.
To change the NTFS permission synchronization mode, edit the Job Profile and update the Synchronize NTFS permissions parameter's value accordingly.
NTFS permissions are preserved on non‑NTFS file systems and are only applied when the file reaches NTFS storage.
Local admin required
The user account running the Agent must be a local administrator or Local System to synchronize permissions.
Memory consumption
- Memory consumption may double when syncing NTFS permissions depending on the number of ACLs applied per file (applicable to pre-3.0 versions).
- Agents running version 3.0 may consume more RAM than expected during folder merge for pre‑seeded folders. Once the merge is complete, RAM usage decreases.
Info
For the Agent to sync permissions, especially for files accessed over SMB, the service account must have Read permissions, Change permissions, and Take ownership rights.
RW to RW synchronization
If your destination contains no data, but you plan to synchronize bi-directionally in the future, it is strongly recommended to:
- Create the root folder on the empty destination in advance.
- Ensure that this folder does not inherit permissions from its parent and that its permissions match those on the source, including inherited permissions.
Otherwise, the Agent may synchronize top‑level permissions from the destination RW machine’s root folder back to the source.
Pre-seeded RW to RW folders synchronization
If you plan bi‑directional synchronization and your destination already contains files and folders, it is strongly recommended to select the Reference Agent in the Job. Otherwise, Agents may randomly assign ownership of certain folders, leading to scrambled permissions.
Synchronizing NTFS permissions across different OS - configuring default ACL
Info
This section covers the following use cases:
- The Job is configured to synchronize NTFS file access permissions.
- Some Agents or storages do not support these permissions (e.g., cloud storage, Linux Agent).
When ACLs differ or are missing, the Agent attempts to synchronize them to remote Agents. For this to work, the same ACLs (owners, groups, user IDs and/or names) must be available on all Agents involved. In some cases, this is not possible—for example, with cloud storage or Linux systems that do not support NTFS file permissions.
The concept of default ACLs is to assign an Owner, group, and SDDL to files using custom parameters in the Job profile. These ACLs are applied during synchronization in environments where native NTFS permissions are unsupported. Current default values are:
- owner - Parameter name: default_usid. Default value: O:S-1-1-0 (everyone)
- group - Parameter name: default_gsid. Default value: G:S-1-1-0 (everyone)
- acl - Parameter name: default_sddl. Default value: D:AI (always inherit)
When files are synchronized from a Windows Agent to a Linux Agent, the current file permissions are synced and stored on the Linux Agent.
When files are synchronized from Linux to Windows, these defaults are applied. For the Agent to change ownership permissions, the Agent service must run as Local System, not as Admin. Otherwise, the Failed to set owner and group error will appear.
When only Windows Agents are involved, these parameters play no role.
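To see what the three default ACL parameters above actually grant, here is an added example (not part of Resilio's product or documentation) with a simplified SDDL parser that splits a descriptor into its owner, group and DACL parts and validates custom values before they go into a Job profile; the parameter names default_usid, default_gsid and default_sddl are those from this page, and the well-known SID table is a small subset for readable output.

```python
import re

# Subset of well-known SIDs / SDDL aliases, only for human-readable output.
WELL_KNOWN = {"S-1-1-0": "Everyone", "WD": "Everyone",
              "S-1-5-18": "Local System", "SY": "Local System",
              "BA": "Builtin Administrators"}
_SECTION = re.compile(r"(O|G|D|S):")

def parse_sddl(sddl):
    """Split an SDDL string into O:/G:/D:/S: parts. D: and S: are split
    further into control flags (e.g. 'AI', 'PAI') and a list of ACEs,
    each ACE being its ';'-separated fields."""
    pieces = _SECTION.split(sddl)
    if pieces[0] != "":
        raise ValueError("text before first section: %r" % pieces[0])
    parts = {}
    for tag, body in zip(pieces[1::2], pieces[2::2]):
        if tag in parts:
            raise ValueError("duplicate %s: section" % tag)
        if tag in ("D", "S"):
            idx = body.find("(")
            flags = body if idx < 0 else body[:idx]
            aces = [a.split(";") for a in re.findall(r"\(([^)]*)\)", body)]
            parts[tag] = {"flags": flags, "aces": aces}
        else:
            parts[tag] = body
    return parts

def check_default_acl(default_usid="O:S-1-1-0", default_gsid="G:S-1-1-0",
                      default_sddl="D:AI"):
    """Validate the three Job-profile parameters and summarise what a file
    arriving from a non-NTFS Agent would be stamped with on Windows."""
    for value, prefix, name in ((default_usid, "O:", "default_usid"),
                                (default_gsid, "G:", "default_gsid"),
                                (default_sddl, "D:", "default_sddl")):
        if not value.startswith(prefix):
            raise ValueError("%s must start with %s" % (name, prefix))
    parsed = parse_sddl(default_usid + default_gsid + default_sddl)
    dacl = parsed["D"]
    return {"owner": WELL_KNOWN.get(parsed["O"], parsed["O"]),
            "group": WELL_KNOWN.get(parsed["G"], parsed["G"]),
            "dacl_flags": dacl["flags"],
            "explicit_aces": len(dacl["aces"]),
            # A D:AI DACL with no ACEs of its own takes every access entry
            # from the parent folder, which is what the defaults rely on.
            "inherits_only": dacl["flags"] == "AI" and not dacl["aces"]}
```

With the documented defaults the summary reports owner and group "Everyone" and a DACL that carries no explicit entries, so the effective access of such a file is whatever the destination folder hands down.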
Syncing POSIX.1 permissions and ACLs
File systems on Linux‑based and macOS operating systems implement at least one level of file access permissions: POSIX.1, which allows configuration of basic read‑write‑execute permissions for the owner, group, and all other users.
Resilio Active Everywhere can synchronize these permissions in two modes—by ID and by name—controlled by a setting in the Job Profile. POSIX permissions are preserved on non‑POSIX file systems and are only applied when files or folders are transferred to a POSIX‑compatible file system.
Root required
Synchronizing POSIX permissions always requires the Agent to run with root privileges.
Memory consumption
- Memory consumption may double when syncing POSIX permissions, depending on the number of ACLs applied per file.
- Agents of version 3.0 may consume more RAM than expected during folder merge for pre-seeded folders. Once the folder merge is complete, RAM consumption decreases.
Synchronizing permissions by ID
When a permission set is delivered to another machine, the file or folder receives the same owner and group IDs as on the source machine. This ensures permissions are always synchronized, even for non‑existing users. However, administrators should be aware of two caveats:
- If the target machine has no relevant UID or GID registered in /etc/passwd, the user and group names may appear as numeric identifiers instead of names.
- If the target UID is associated with a different user, the arriving files or folders will belong to that user.
Therefore, it is recommended to ensure that the set of UIDs and GIDs match on both source and target hosts.
Synchronizing permissions by name
When a permission set is delivered to another machine, the Agent attempts to find the user and group with the same names and assign them to the file or folder. If the appropriate user or group does not exist, the Agent fails to deliver permissions and reports an error in the Management Console.
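The two caveats of sync-by-ID and the failure mode of sync-by-name, illustrated with an added example that is not Resilio's code: it simulates which owner a file ends up with on the target under each mode, and includes a pre-flight check that compares the UID sets of two hosts before sync-by-ID is enabled. The /etc/passwd excerpts are constructed sample data; only user IDs are shown, and the same comparison applies to /etc/group for GIDs.

```python
# Constructed /etc/passwd excerpts for a source and a target host (not real data).
SRC_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc:x:2000:2000:Service:/srv:/usr/sbin/nologin
"""
DST_PASSWD = """root:x:0:0:root:/root:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
alice:x:1003:1003:Alice:/home/alice:/bin/bash
"""

def parse_passwd(text):
    """Return ({uid: name}, {name: uid}) from passwd-format text."""
    by_id, by_name = {}, {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid = line.split(":")[:3]
            by_id[int(uid)] = name
            by_name[name] = int(uid)
    return by_id, by_name

def deliver_owner(src_uid, mode, src_by_id, dst_by_id, dst_by_name):
    """Simulate which owner a file from the source gets on the target.
    'id': the numeric UID is applied as-is and always succeeds;
    'name': the source user name is looked up on the target."""
    src_name = src_by_id[src_uid]
    if mode == "id":
        dst_name = dst_by_id.get(src_uid)  # None -> shown as a bare number
        return {"uid": src_uid, "owner": dst_name or str(src_uid),
                "ok": dst_name == src_name}
    if mode == "name":
        uid = dst_by_name.get(src_name)
        if uid is None:
            return {"error": "user %r not found on target" % src_name}
        return {"uid": uid, "owner": src_name, "ok": True}
    raise ValueError("unknown mode %r" % mode)

def uid_report(src_text, dst_text):
    """Pre-flight check for sync-by-ID: UIDs owned by a different user on the
    target, UIDs with no target entry, and user names missing on the target."""
    src_by_id, src_by_name = parse_passwd(src_text)
    dst_by_id, dst_by_name = parse_passwd(dst_text)
    return {
        "same_uid_other_user": {u: (n, dst_by_id[u]) for u, n in src_by_id.items()
                                if u in dst_by_id and dst_by_id[u] != n},
        "uid_missing_on_target": sorted(u for u in src_by_id if u not in dst_by_id),
        "name_missing_on_target": sorted(n for n in src_by_name if n not in dst_by_name),
    }
```

In the sample data alice's files arrive under bob's account when synced by ID, svc's files show a numeric owner, and sync-by-name maps alice correctly but fails for svc, which is exactly what uid_report flags up front.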
Synchronizing permissions by owner group
When a permission set is delivered to another machine, the Agent attempts to find the owner group with the same name and assign it to the file or folder. If the group does not exist, the Agent fails to deliver permissions and reports an error in the Management Console.
ACLs for macOS and Linux
POSIX.1 permissions lack flexibility, such as assigning multiple users and groups to a single item or providing more granular access. To address this, permissions were extended with Access Control Lists (ACLs). While ACLs are standard on macOS, there is no common standard across Linux distributions.
ACL synchronization is not officially supported by Resilio Active Everywhere. You may attempt to synchronize them by delivering extended attributes, but results are not guaranteed.