syncthing: Web GUI world-accessible without credentials by default #4875

Closed
acolomb opened this issue Sep 21, 2021 · 5 comments
Comments

@acolomb
Contributor

acolomb commented Sep 21, 2021

Setup

Package Name: syncthing
Package Version: v1.17.0

Expected behavior

The Syncthing Web GUI should not be accessible without any form of authentication right after installing the package.

Proposed solution is to include a new page in the install wizard that asks to choose a user name and password which will be written to the package's config.xml file before first service start.

Actual behavior

Syncthing is accessible from any network interface without any form of authentication. This is dangerous because with access to the Web GUI, any folder can be configured for sharing by a malicious third-party. The files themselves may still be protected if the ACL rules are restrictive enough to not grant access to the user / group the syncthing process is running as.

This is based on a user complaint on the Syncthing forum. The official project's stance is that such a dangerous default configuration should not be associated with the Syncthing brand name.

Steps to reproduce

1. Install Syncthing SPK.
2. Point a web browser to the DS port TCP/8384.
3. Observe a big fat red warning that having this GUI accessible without authentication is dangerous.

@acolomb
Contributor Author

acolomb commented Oct 11, 2021

Does anyone know where Synology's UIFILE format is currently documented? The link on the wiki page to the developer documentation is broken and so far I have not found any mention in the current (DSM 7.0) version of the Developer Guide.

@acolomb
Contributor Author

acolomb commented Oct 24, 2021

I've been trying to implement an installation wizard page to ask for initial credentials. The main blocking issue now is that there is no way to apply the bcrypt hash to the entered password. It needs to be done within the DSM UI (JavaScript) or in a shell script (injected into config.xml) before the Syncthing daemon has been started for the first time (so no REST API available). DSM does have Python2 by default, but it only includes a crypt module, no bcrypt.

@imsodin Any ideas how to get around that limitation?

@imsodin

imsodin commented Oct 25, 2021

I guess you don't control either what's available in the JS env or on the system? Sounds like a use-case for a new command like syncthing cli util password-hash.

@acolomb
Contributor Author

acolomb commented Oct 25, 2021

Sounds like a use-case for a new command like syncthing cli util password-hash.

I thought about something like that as well. Or even something like syncthing cli gui set password. Just not sure yet where my package files (syncthing binary) are available when it is still stuck in the install wizard.

EDIT: Scratch that, there is syncthing cli config gui password set already... But that assumes a running instance, my bad.

@acolomb
Contributor Author

acolomb commented Oct 25, 2021

@imsodin I think your suggestion would work for this use-case. And it's quite elegant as well, encapsulating the implementation detail of which hashing function is used. I will open an issue on the main repo for it, would you volunteer for implementing that?

Taken one step further, the fragile step of patching the user name and password into config.xml could also be handled by Syncthing itself. Not by using the REST API, but doing offline XML manipulation (and validation!) only. I wouldn't mind a separate binary for that either, instead of cluttering syncthing cli:

echo -n "53cR3T" | st-config --config=/foo/bar --gui-user=admin --gui-password=-

I guess we're closing in on git config ... 😉
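The offline config.xml step sketched in the last two comments (write a user name and an already-computed bcrypt hash into the `<gui>` section before the daemon ever starts, and validate rather than blindly patch), as an added example. This is not code from the Synology package, from Syncthing, or from either commenter; it only uses the Python standard library, so the bcrypt hash itself is assumed to come from elsewhere (the thread's whole point is that DSM ships no bcrypt). The sample XML, the `admin` user name and the `$2a$10$...` value are constructed placeholders, not a real configuration or a real hash. The `gui_is_unauthenticated` check is the audit half: it flags exactly the state the issue reports, an enabled GUI with no user or password set.

```python
"""Offline credential injection and audit for a Syncthing config.xml.

Added example, not part of Syncthing or the Synology package.  It assumes a
bcrypt hash has already been produced by some other tool; only the XML
handling and validation are shown here.  All sample values are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Syncthing stores the GUI password as a bcrypt string: $2a$/$2b$/$2y$ prefix,
# two-digit cost, then 53 characters of salt+digest (60 characters in total).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # assumption for this example; Syncthing's own default is not stated on the page

# Constructed sample: the shape of a freshly generated <gui> section with the
# listener bound to all interfaces and no credentials, i.e. the reported state.
SAMPLE_CONFIG = """<configuration version="35">
  <gui enabled="true" tls="false" debugging="false">
    <address>0.0.0.0:8384</address>
    <apikey>CONSTRUCTED-SAMPLE-APIKEY</apikey>
    <theme>default</theme>
  </gui>
</configuration>
"""

# Constructed placeholder with a valid bcrypt *layout*; it is NOT the hash of any
# password.  A real deployment would obtain this from a bcrypt implementation.
PLACEHOLDER_HASH = "$2a$10$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"


def validate_bcrypt_hash(value: str) -> bool:
    """True only if `value` is shaped like a bcrypt hash with an acceptable cost.

    A plaintext password (like "53cR3T") fails here, which is the mistake an
    offline tool must refuse: Syncthing would otherwise reject every login.
    """
    m = BCRYPT_RE.match(value)
    return bool(m) and int(m.group(1)) >= MIN_COST


def gui_is_unauthenticated(config_xml: str) -> bool:
    """Audit check: is the Web GUI enabled while no user/password is configured?"""
    root = ET.fromstring(config_xml)
    gui = root.find("gui")
    if gui is None or gui.get("enabled", "true") != "true":
        return False  # no GUI listener, so nothing to protect
    user = (gui.findtext("user") or "").strip()
    password = (gui.findtext("password") or "").strip()
    return not (user and password)


def set_gui_credentials(config_xml: str, user: str, bcrypt_hash: str) -> str:
    """Return a copy of `config_xml` with <gui><user> and <password> set.

    Refuses empty user names, anything that is not a bcrypt hash, and input
    that is not a Syncthing <configuration> document, instead of writing a
    file the daemon cannot load.
    """
    if not user.strip():
        raise ValueError("GUI user name must not be empty")
    if not validate_bcrypt_hash(bcrypt_hash):
        raise ValueError("password must be a bcrypt hash with cost >= %d" % MIN_COST)
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError("not a Syncthing configuration document")
    gui = root.find("gui")
    if gui is None:
        gui = ET.SubElement(root, "gui", enabled="true", tls="false")
    for tag, text in (("user", user), ("password", bcrypt_hash)):
        elem = gui.find(tag)
        if elem is None:
            elem = ET.SubElement(gui, tag)
        elem.text = text
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("unauthenticated before:", gui_is_unauthenticated(SAMPLE_CONFIG))
    patched = set_gui_credentials(SAMPLE_CONFIG, "admin", PLACEHOLDER_HASH)
    print("unauthenticated after: ", gui_is_unauthenticated(patched))
    print(patched)
```

Run as a script it prints the before/after audit result and the patched XML. In a real install hook the output would be written back to config.xml atomically (write to a temp file in the same directory, then rename) before the service's first start, so the daemon never observes a half-written file.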

Development

No branches or pull requests

3 participants