Synology Photo Station permissions

Getting Photo Station to work on my Synology DiskStation has been quite a pain due to the way permissions are handled. Photo Station basically expects all photo files to be world-readable, i.e. to use the default permissions:

drwxrwxrwx    2 myuser   users         4096 Apr 18 19:18 Test

In my setup I have more strict permissions in order to solve these two problems:

  1. World-readable files will give anyone with access to the photo share access to all files. I have friends with logins on my Linux server, who can use a mounted NFS share to access the files.
  2. Access through UPnP/DLNA will give unlimited access to all files, since there is no privilege control in the protocol. Inviting friends to use your wireless network will also invite them to see all your private photos.

So I’ve created a dlna group, containing the admin user, and set the group permission on all my pictures:

drwxr-x---    4 myuser   dlna          4096 Mar 29 22:35 Test

This approach will completely break Photo Station. To understand why, we must first understand the design a little bit. First of all, we have the scanner (/usr/syno/bin/convert-thumb), which runs as root. This will create all the different versions of the photos in the @eaDir subdirectory:

DiskStation> ll
drwxrwxrwx   39 root     root          4096 Mar 11 17:29 .
drwxr-x--x    3 myuser   dlna          4096 Mar 11 17:29 ..
drwxrwxrwx    2 root     root          4096 Feb 10 14:19 IMG_0001.JPG

DiskStation> ll IMG_0001.JPG
drwxrwxrwx    2 root     root          4096 Feb 10 14:19 .
drwxrwxrwx   39 root     root          4096 Mar 11 17:29 ..
-rwxrwxrwx    1 root     root         66199 Feb 10 14:19 SYNOPHOTO:THUMB_B.jpg
-rwxrwxrwx    1 root     root        145956 Feb 10 14:19 SYNOPHOTO:THUMB_L.jpg
-rwxrwxrwx    1 root     root         28540 Feb 10 14:19 SYNOPHOTO:THUMB_M.jpg
-rwxrwxrwx    1 root     root          4830 Feb 10 14:19 SYNOPHOTO:THUMB_S.jpg
-rwxrwxrwx    1 root     root        341283 Feb 10 14:19 SYNOPHOTO:THUMB_XL.jpg

The scanner itself doesn’t have a problem, since it runs as root and thus will always be able to access the files. However, the created files are all world-readable.

Next, we have the web server running the Photo Station application. This is where the problems start, since the server runs as user nobody/group nobody. This is a clever choice, since the web server should run as an unprivileged user. However, it does give us a bit of a headache, since this user will not have access to anything that is not world-readable – which conflicts with our requirement.

A number of attempts to fix this using alternate permissions ultimately failed. I tried to do the following:

  1. Leave the @eaDir directories with default permissions.
  2. Set all structure directories (not containing pictures) to drwxr-xr-x, which would allow the web server to traverse through all these directories.
  3. Set the last directory (containing the actual pictures) to drwxr-x--x, allowing the web server to access the directory.
  4. Set the picture files to drwxr-----.

This almost worked. The media server cannot see the directory contents, thus won’t display any pictures (unless allowed by the dlna group permissions). The web server can still access all the thumbnails in @eaDir. However, it won’t be able to display the original picture, since we removed the access to all the original pictures. Also, NFS access is still problematic, since anyone knowing there’s an @eaDir directory inside each directory will have full access to all the scaled down images.

The solution

The only real solution for this problem, as I see it, is to change the user or group the web server runs as. The web server configuration is stored in /usr/syno/apache/conf/httpd.conf-user. This configuration includes /usr/syno/etc/sites-enabled-user/*.conf, which in my setup is limited to /usr/syno/etc/sites-enabled-user/SYNO.SDS.PhotoStation.conf. Since the web server is only used for the single purpose of running Photo Station, I could simply edit /usr/syno/apache/conf/httpd.conf-user like this, replacing nobody as group:

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User photostation
Group dlna

This solved the problem, as I could go back to my strict permissions. In case you have multiple virtual hosts and only want to change the user or group for Photo Station, the Apache module apache2-mpm-itk might be interesting. If you manage to compile the module for the Freescale PowerQUICC III MPC8543 CPU, let me know. 🙂 The module should be placed in /usr/syno/apache/modules/.
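As an added example (not code from the original post), here is a small POSIX shell script that applies the strict scheme described above to a photo tree and then audits it for anything still readable by "other". The group name is a parameter, because the dlna group is specific to this setup.

```shell
#!/bin/sh
# Added example, not from the original post: apply the strict permission
# scheme to a photo tree and audit it for world-readable leaks.
# Assumes POSIX sh plus find, chmod and chgrp as found on Linux.
# GROUP is the group the web server runs as ("dlna" in the post); it is a
# parameter so the script also runs on hosts where that group does not exist.

# Directories become rwxr-x--- (owner and group may list and traverse, others
# get nothing) and files rw-r----- (group may read; no execute bit on photos).
# @eaDir gets the same treatment: the scanner runs as root and the web server
# is in the group, so the thumbnails never need to be world-readable, which
# also closes the NFS hole described above.
apply_photo_perms() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 750 {} + || return 1
    find "$dir" -type f -exec chmod 640 {} + || return 1
}

# Print every entry under DIR that "other" can still read (mode bit 004).
# Empty output means nobody, NFS guests and the DLNA server cannot read
# anything except through group membership.
find_world_readable() {
    find "$1" -perm -004
}

# Number of such entries, convenient for a check in a cron or build script.
count_world_readable() {
    find_world_readable "$1" | wc -l | tr -d ' '
}

# Usage on the DiskStation (constructed path): apply, then verify zero leaks.
#   apply_photo_perms /volume1/photo/Test dlna
#   count_world_readable /volume1/photo/Test
```

Re-run it after the scanner has processed new photos, since convert-thumb creates its @eaDir entries world-readable again.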

Permanent redirection to default host in Apache

A few weeks ago at work, I needed to rename a webhost. To avoid breaking a lot of links to the old hostname, I set up permanent redirection, but ran into an infinite loop. I tried both a simple Redirect statement like this:

Redirect permanent / http://newhost/

And the same thing using mod_rewrite. I have done this many times before at home, but what was special about this case is that the web server was set up as default host. So I just added a virtual host with the old hostname. Eventually I got it to work with mod_rewrite by using a RewriteCond statement to break the loop:

<VirtualHost *:80>
ServerName oldhost

<IfModule rewrite_module>
RewriteEngine on
RewriteCond %{HTTP_HOST} oldhost
RewriteRule ^/(.*)$ http://newhost/$1 [R=permanent,L]
</IfModule>
</VirtualHost>

However, I’m still not sure why this is necessary, since the first rewritten URL should end at the default host which doesn’t rewrite anything.

Building Courier-Authlib 0.65.0 on CentOS 5

Today I wanted to upgrade Courier-Authlib from 0.63.0 and read this in the ChangeLog:

2010-03-06 Sam Varshavchik

* Remove the bundled libtdl library. Require the system-installed
libltdl library.

As expected, this gave me some problems with my old CentOS 5.9 release:

/bin/sh ./libtool --tag=CC --mode=link gcc -g -O2 -Wall -I.. -I./.. -export-dynamic -dlopen libauthuserdb.la -dlopen libauthpam.la -dlopen libauthshadow.la -dlopen libauthcustom.la -dlopen libauthpipe.la -o authdaemondprog authdaemond.o libltdl/libltdlc.la libcourierauthcommon.la liblock/liblock.la libhmac/libhmac.la md5/libmd5.la sha1/libsha1.la rfc822/libencode.la numlib/libnumlib.la -ldl
libtool: link: cannot find the library `libltdl/libltdlc.la' or unhandled argument `libltdl/libltdlc.la'
make[2]: *** [authdaemondprog] Error 1
make[2]: Leaving directory `/usr/local/src/courier-authlib-0.65.0'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/src/courier-authlib-0.65.0'
make: *** [all] Error 2

I fixed this by adding this line to my build script (after configure):
sed -i -e 's/^LIBLTDL = ${top_build_prefix}libltdl\/libltdlc.la/LIBLTDL = -lltdl/' Makefile

Update, February 15th 2013: Today I found out that in a freshly installed VMware machine with CentOS 5.9, ltdl was missing. So I needed to add the following in my pre-build script as well:
# Install the system libltdl runtime and headers if they are missing.
rpm -q libtool-ltdl >/dev/null || yum -q -y install libtool-ltdl
rpm -q libtool-ltdl-devel >/dev/null || yum -q -y install libtool-ltdl-devel

Update, December 7th 2015: I wanted to build 0.66.4 today, and the problem reappeared. Luckily, I found this posting which saved me some time. Updated ‘sed’ command:
sed -i -e 's/^LIBLTDL = $(top_build_prefix)libltdl\/libltdlc.la/LIBLTDL = -lltdl/' Makefile
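An added example, not part of the original post: a shell function that applies the LIBLTDL fix to a generated Makefile, accepting both the ${top_build_prefix} and $(top_build_prefix) spellings from the two updates above, and fails when nothing was replaced, because a sed that matches nothing still exits 0 and leaves the link error in place.

```shell
#!/bin/sh
# Added example, not from the original post: point LIBLTDL in a generated
# Makefile at the system libltdl and verify the edit actually happened.
# Assumes POSIX sh with GNU sed (for sed -i), as on CentOS.

# Rewrite "LIBLTDL = <prefix>libltdl/libltdlc.la" to "LIBLTDL = -lltdl".
# The bracket expressions accept ${top_build_prefix} (0.65.0) as well as
# $(top_build_prefix) (0.66.4). Returns 1 if no such line exists, so a
# build script can stop before make fails with the libtool error.
fix_libltdl() {
    makefile=$1
    pattern='^LIBLTDL = \$[{(]top_build_prefix[})]libltdl\/libltdlc\.la'
    grep -q "$pattern" "$makefile" || return 1
    sed -i -e "s/$pattern.*/LIBLTDL = -lltdl/" "$makefile" || return 1
    # Confirm the replacement took before the build continues.
    grep -q '^LIBLTDL = -lltdl$' "$makefile"
}

# Usage after configure, from the build script:
#   fix_libltdl Makefile || { echo "LIBLTDL line not found" >&2; exit 1; }
```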

The downfall of Samsung

First of all, I’m a big Samsung customer. I own two Samsung LCD TVs, a PC monitor, a cellphone, a Blu-ray player and a hard drive. Heck, I even own a Samsung vacuum cleaner. I don’t own any Apple products. So this is not about the ongoing Samsung vs. Apple patent war or me dissing Samsung because I’m an Apple fanboy. It’s about me being a critical, but fair, customer.

In January I bought a top-of-the-line 55″ LED Smart TV – UE55D8005. This is a very nice TV, but the “Smart” also makes it a computer – a computer that needs software.

Next, in June I also bought a smartphone, Galaxy S3 – finally making the switch from my ancient HTC Desire (that became useless because of the lack of internal memory – but that’s a completely different story).

I’m relatively satisfied with both products. However, I’m not at all impressed by Samsung’s understanding of software and product life cycles. It seems that Samsung abandons software support for a specific model almost before the last item has shipped.

The TV came with a Galaxy 5″ Wi-Fi tablet. This tablet came with an app called Samsung Smart View. A nice little app to control the TV and even stream video from the TV to the tablet. However, this app is not compatible with Samsung Galaxy S3, their flagship smartphone. It’s been four months now, so why is this still not working? I contacted Samsung about this issue, but didn’t get any useful answers. I asked four times before I got confirmation that they were even aware of the issue, but their support is completely broken.

Yesterday Netflix was introduced in Denmark. So I also asked Samsung how to get the Netflix application for the TV back – I couldn’t find it anywhere, but I knew that the app exists for my model and works with the American Netflix. Their support couldn’t help me with this, but told me that the latest TV models (E models) would get an update today or tomorrow.

What’s the point of all this? Samsung simply doesn’t get it. Not being able to integrate a top model of their TVs with the current top model smartphones is ridiculous. There are so many reasons why this would make sense. Just to name a few features that would be nice to have on the phone:

  • Remote control.
  • Using the phone as a keyboard.
  • Scheduling timed recordings.
  • Automatic pause/time shifting when the phone rings.

The TV also integrates with services on the net, for example YouTube. Samsung cannot just abandon the firmware once a new TV model has been released – and render “old” models useless when services change and need software upgrades. At least not if they want customers to stick. I don’t get it. Is the logic that I will buy a new TV only nine months after buying a 2.000 € TV – only to get the latest software? If this is the case, they are doomed – I’d never buy another Samsung Smart TV after experiencing a complete lack of support and upgrades once.

Then there’s the poor quality of the software. I prefer Android to iOS because of its open nature. But everything Samsung has built on top of Android sucks. Period. Just to name a few:

  • TouchWiz: Well, this is actually decent, but has some stupid bugs – like folders opening on their own. So annoying.
  • Calendar: First of all, it’s ugly. When creating new events, it always defaults to “Samsung Calendar”. Who would prefer Samsung Calendar to Google Calendar – and what is Samsung Calendar? What’s up with the up/down arrows when setting date and time – why not use a scroll wheel? And how about some nicer widgets for the calendar?
  • ChatON, Samsung Apps, S Suggest: Who cares about these things?
  • Sometimes it wants me to connect to my Samsung account, but doesn’t say why. If the wrong password is typed in, the application leaves and prompts for both username and password again. They shouldn’t release software that works like this.

To summarize, Samsung is a hardware company in a software world. They have no talent for writing software whatsoever, and they don’t even manage to support and integrate their own products. Apple and Google get this. This is why I believe Samsung will have a very hard time, once the competition is ready to take them out. Like Google killed Altavista in the late 1990’s. Like Netflix killed Blockbuster. I know I’m ready for an alternative to both Apple and Samsung.