Synology Photo Station permissions

Getting Photo Station to work on my Synology DiskStation has been quite a pain due to the way permissions are handled. Photo Station basically expects all photo files to be world-readable, i.e. use the default permissions:

drwxrwxrwx    2 myuser   users         4096 Apr 18 19:18 Test

In my setup I have stricter permissions in order to solve these two problems:

  1. World-readable files give anyone with access to the photo share access to all files. I have friends with logins on my Linux server, who can use a mounted NFS share to access the files.
  2. Access through UPnP/DLNA gives unlimited access to all files, since there is no privilege control in the protocol. Inviting friends to use your wireless network also invites them to see all your private photos.

So I’ve created a dlna group, containing the admin user, and set the group permission on all my pictures:

drwxr-x---    4 myuser   dlna          4096 Mar 29 22:35 Test

This approach will completely break Photo Station. To understand why, we must first understand the design a little bit. First of all, we have the scanner (/usr/syno/bin/convert-thumb) which runs as root. This will create all the different versions of the photos in the @eaDir sub directory:

DiskStation> ll
drwxrwxrwx   39 root     root          4096 Mar 11 17:29 .
drwxr-x--x    3 myuser   dlna          4096 Mar 11 17:29 ..
drwxrwxrwx    2 root     root          4096 Feb 10 14:19 IMG_0001.JPG

DiskStation> ll IMG_0001.JPG
drwxrwxrwx    2 root     root          4096 Feb 10 14:19 .
drwxrwxrwx   39 root     root          4096 Mar 11 17:29 ..
-rwxrwxrwx    1 root     root         66199 Feb 10 14:19 SYNOPHOTO:THUMB_B.jpg
-rwxrwxrwx    1 root     root        145956 Feb 10 14:19 SYNOPHOTO:THUMB_L.jpg
-rwxrwxrwx    1 root     root         28540 Feb 10 14:19 SYNOPHOTO:THUMB_M.jpg
-rwxrwxrwx    1 root     root          4830 Feb 10 14:19 SYNOPHOTO:THUMB_S.jpg
-rwxrwxrwx    1 root     root        341283 Feb 10 14:19 SYNOPHOTO:THUMB_XL.jpg

The scanner itself doesn’t have a problem, since it runs as root and thus will always be able to access the files. However, the created files are all world-readable.

Next, we have the web server running the Photo Station application. This is where the problems start, since the server is run with user nobody/group nobody. This is a clever choice, since the web server should run using an unprivileged user. However, it does give us a bit of a headache, since this user will not have access to anything not being world-readable – which conflicts with our requirement.

A number of attempts to fix this using alternate permissions ultimately failed. I tried the following:

  1. Leave the @eaDir directories with default permissions.
  2. Set all structure directories (not containing pictures) to drwxr-xr-x, which would allow the web server to traverse through all these directories.
  3. Set the last directory (containing the actual pictures) to drwxr-x--x, allowing the web server to access the directory.
  4. Set the picture files to drwxr-----.

This almost worked. The media server cannot see the directory contents, thus won’t display any pictures (unless allowed by the dlna group permissions). The web server can still access all the thumbnails in @eaDir. However, it won’t be able to display the original picture, since we removed the access to all the original pictures. Also, NFS access is still problematic, since anyone knowing there’s an @eaDir directory inside each directory will have full access to all the scaled down images.

The solution

The only real solution for this problem, as I see it, is to change the user or group the web server runs as. The web server configuration is stored in /usr/syno/apache/conf/httpd.conf-user. This configuration includes /usr/syno/etc/sites-enabled-user/*.conf, which in my setup is limited to /usr/syno/etc/sites-enabled-user/SYNO.SDS.PhotoStation.conf. Since the web server is only used for the single purpose of running Photo Station, I could simply edit /usr/syno/apache/conf/httpd.conf-user like this, replacing nobody as group:


#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User photostation
Group dlna

This solved the problem, as I could go back to my strict permissions. In case you have multiple virtual hosts and only want to change the user or group for Photo Station, the Apache module apache2-mpm-itk might be interesting. If you manage to compile the module for the Freescale PowerQUICC III MPC8543 CPU, let me know. 🙂 The module should be placed in /usr/syno/apache/modules/.
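
To check a share against the setup described in this post, the following added example (not part of the original post) counts entries whose "other" read bit is set, separating @eaDir thumbnails from originals, and reports the User/Group that a configuration file such as httpd.conf-user sets. The function names and the two command-line arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Photo Station share.
# Checks mode bits only; assumes file names contain no newlines.

# Print "originals=N thumbs=M": files and directories under ROOT whose
# "other" read bit is set, split by whether the path is an @eaDir
# thumbnail directory or something inside one.
audit_share() {
    find "$1" \( -type f -o -type d \) -perm -004 -print |
    awk '
        /\/@eaDir(\/|$)/ { thumbs++; next }
        { originals++ }
        END { printf "originals=%d thumbs=%d\n", originals, thumbs }
    '
}

# Print "user:group" from the last active User and Group directives in an
# Apache configuration file such as httpd.conf-user (comment lines skipped).
httpd_identity() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "User"  { u = $2 }
        $1 == "Group" { g = $2 }
        END { printf "%s:%s\n", u, g }
    ' "$1"
}

# Usage (hypothetical script name): sh audit.sh SHARE_ROOT HTTPD_CONF
if [ "$#" -eq 2 ]; then
    echo "web server runs as $(httpd_identity "$2")"
    echo "world-readable under $1: $(audit_share "$1")"
fi
```

With the strict permissions in place, a non-zero thumbs count is expected as long as the @eaDir directories keep their default permissions, which is the NFS exposure noted above.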