Compatibility problem with Synology DSM 6.2.4-25556 Update 2

Posts: 5
Joined: 30 Sep 2021

solid

After updating the Synology NAS DS216+II to the latest version of DSM 6, I detected that the up-to-date version of FreeFileSync 64 is no longer compatible.

It is still able to compare directories and copy files without copying DACL, SACL, Owner, Group.

But FreeFileSync is no longer able to copy files if the option "Copy DACL, SACL, Owner, Group" is enabled.

FreeFileSync fails with this error message:

The permissions of MyFileName cannot be read.
ERROR_PRIVILEGE_NOT_HELD: The client lacks a required right. [GetFileSecurity]

Here MyFileName is the file to be copied including permissions from a share on the Synology NAS.
Posts: 5
Joined: 30 Sep 2021

solid

The Synology NAS is a member of a Windows domain and the client computer with FreeFileSync is a member of the same Windows domain.
Posts: 5
Joined: 30 Sep 2021

solid

Hints for solving the compatibility problem:

The FreeFileSync error message indicates that the error occurs when calling the GetFileSecurity function.

The GetFileSecurity function obtains specified information about the security of a file or directory. The information obtained is constrained by the caller's access rights and privileges.

To read the owner, group, or DACL from the security descriptor for the specified file or directory, the DACL for the file or directory must grant READ_CONTROL access to the caller, or the caller must be the owner of the file or directory.

To read the SACL of a file or directory, the SE_SECURITY_NAME privilege must be enabled for the calling process.

The fact that the FreeFileSync error message contains the expression ERROR_PRIVILEGE_NOT_HELD indicates that this is exactly what is no longer fulfilled after the DSM software update was installed on the Synology NAS.

To enable the SE_SECURITY_NAME privilege the functions LookupPrivilegeValue and AdjustTokenPrivileges can be used. See: https://www.tenouk.com/ModuleK.html
Site Admin
Posts: 7048
Joined: 9 Dec 2007

Zenju

The error message is misleading. SE_SECURITY_NAME is already held (you can check this via Process Explorer). The issue seems to lie more with trying to copy SACL_SECURITY_INFORMATION. The network share doesn't allow this apparently.
So a "Copy DACL, Owner, Group" might work in this case.
Posts: 5
Joined: 30 Sep 2021

solid

I use the FreeFileSync 11.14 program in a Windows domain on another Windows 10 machine to which I connect via RemoteDesktop.
I connect using the account domainname\Administrator.
Using ProcessExplorer, I found that the SE_SECURITY_NAME permission, referred to here as SeSecurityPrivilege, has a value of "Disabled" on the FreeFileSync program.
Before updating the DSM software to version "DSM 6.2.4-25556 Update 2" on our Synology NAS, FreeFileSync 11.13 worked fine here. This update contains many security-related changes. After updating the DSM software to version "DSM 6.2.4-25556 Update 2" on our Synology NAS, FreeFileSync 11.13 was not able to work as long as the option "Copy DACL, SACL, Owner, Group" was enabled. An update to FreeFileSync 11.14 did not help.

Finally, I installed FreeFileSync 11.14 on my own computer. Here I do not use the account domainname\Administrator, but the account domainname\username.
This user is a member of the group domainname\Administrators.
The ProcessExplorer does not list the SeSecurityPrivilege permission for the FreeFileSync program on my computer.

It is recommended to grant the SE_SECURITY_NAME permission, also known as SeSecurityPrivilege, to your own program only as long as this permission is actually needed, and then revoke this permission from your own program.

FreeFileSync needs this permission only during synchronization and probably only if the option "Copy DACL, SACL, Owner, Group" is enabled.

Both the dynamic granting of the permission and the dynamic revoking of the permission can be done using the two functions LookupPrivilegeValue and AdjustTokenPrivileges, as implemented in the SetPrivilege function on https://www.tenouk.com/ModuleK.html.
Site Admin
Posts: 7048
Joined: 9 Dec 2007

Zenju

"Using ProcessExplorer, I found that the SE_SECURITY_NAME permission, referred to here as SeSecurityPrivilege, has a value of "Disabled" on the FreeFileSync program."
(solid, 01 Oct 2021, 13:03)

This shouldn't be the case. Did you check directly *after* the above error message comes up? Also make sure to check FreeFileSync_x64.exe
Posts: 5
Joined: 30 Sep 2021

solid

The SeBackupPrivilege, SeDebugPrivilege, SeRestorePrivilege and SeSecurityPrivilege permissions are actually enabled while the error message is displayed.

The user under which the program runs is domainname\Administrator according to Process Explorer. The user domainname\Administrator has full access to the file to be copied as effective access according to "Windows Explorer".
Site Admin
Posts: 7048
Joined: 9 Dec 2007

Zenju

"The SeBackupPrivilege, SeDebugPrivilege, SeRestorePrivilege and SeSecurityPrivilege permissions are actually enabled while the error message is displayed.

"The user under which the program runs is domainname\Administrator according to Process Explorer. The user domainname\Administrator has full access to the file to be copied as effective access according to "Windows Explorer"."
(solid, 04 Oct 2021, 18:08)

So in other words, it seems we have this situation: viewtopic.php?t=8804&p=31450#p31390
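
One way to check which part of the security descriptor the share refuses to return, as an added example that is not part of the thread and not FreeFileSync code. It uses .NET's FileSecurity class instead of calling GetFileSecurity directly; the function name Test-SecurityDescriptorSections and the UNC path are placeholders.

```powershell
# Added diagnostic example; not from the forum thread or from FreeFileSync.
# Requests owner, group, DACL and SACL one at a time so that a failure can be
# pinned to a single part of the security descriptor.
function Test-SecurityDescriptorSections {
    param(
        [Parameter(Mandatory)]
        [string]$Path   # a file on the affected share
    )

    $sections = [ordered]@{
        Owner  = [System.Security.AccessControl.AccessControlSections]::Owner
        Group  = [System.Security.AccessControl.AccessControlSections]::Group
        Access = [System.Security.AccessControl.AccessControlSections]::Access  # DACL
        Audit  = [System.Security.AccessControl.AccessControlSections]::Audit   # SACL
    }

    foreach ($name in $sections.Keys) {
        $result = [ordered]@{ Section = $name; Readable = $false; Error = $null; Sddl = $null }
        try {
            # When Audit is requested, .NET enables SeSecurityPrivilege for the
            # duration of the call and reverts it afterwards.
            $sd = New-Object System.Security.AccessControl.FileSecurity($Path, $sections[$name])
            $result.Readable = $true
            $result.Sddl = $sd.GetSecurityDescriptorSddlForm($sections[$name])
        }
        catch {
            # New-Object wraps constructor failures; report the innermost exception.
            $inner = $_.Exception
            while ($inner.InnerException) { $inner = $inner.InnerException }
            $result.Error = '{0}: {1}' -f $inner.GetType().Name, $inner.Message
        }
        [pscustomobject]$result
    }
}

# Placeholder path; replace with a file on the Synology share.
Test-SecurityDescriptorSections -Path '\\nas.example\share\MyFileName' |
    Format-Table -AutoSize -Wrap
```

If Owner, Group and Access are readable and only the Audit row fails with a privilege error, the result is consistent with the share rejecting SACL requests rather than with a missing privilege on the client.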