syncthing: Web GUI world-accessible without credentials by default #4875
Comments
Does anyone know where Synology's UIFILE format is currently documented? The link on the wiki page to the developer documentation is broken and so far I have not found any mention in the current (DSM 7.0) version of the Developer Guide.
I've been trying to implement an installation wizard page to ask for initial credentials. The main blocking issue now is that there is no way to apply the bcrypt hash to the entered password. It needs to be done within the DSM UI (JavaScript) or in a shell script (injected into config.xml) before the Syncthing daemon has been started for the first time (so no REST API available). DSM does have Python2 by default, but it only includes a @imsodin Any ideas how to get around that limitation?
I guess you don't control either what's available in the JS env nor on the system? Sounds like a use-case for a new command like
I thought about something like that as well. Or even something like EDIT: Scratch that, there is
@imsodin I think your suggestion would work for this use-case. And it's quite elegant as well, encapsulating the implementation detail of which hashing function is used. I will open an issue on the main repo for it, would you volunteer for implementing that? Taken one step further, the fragile step of patching the user name and password into
I guess we're closing in on
Setup
Package Name: syncthing
Package Version: v1.17.0
Expected behavior
The Syncthing Web GUI should not be accessible without any form of authentication right after installing the package.
The proposed solution is to include a new page in the install wizard that asks the user to choose a user name and password, which will be written to the package's config.xml file before the first service start.
Actual behavior
Syncthing is accessible from any network interface without any form of authentication. This is dangerous because with access to the Web GUI, any folder can be configured for sharing by a malicious third party. The files themselves may still be protected if the ACL rules are restrictive enough to not grant access to the user / group the syncthing process is running as.
This is based on a user complaint on the Syncthing forum. The official project's stance is that such a dangerous default configuration should not be associated with the Syncthing brand name.
Steps to reproduce
1. Install Syncthing SPK.
2. Point a web browser to the DS port TCP/8384.
3. Observe a big fat red warning that having this GUI accessible without authentication is dangerous.
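As an added example (not the package's or Syncthing's own code), a small Python audit of the default described above: it parses a constructed config.xml, flags a GUI that listens on a non-loopback address without `<user>`/`<password>`, and shows the config.xml patch step the comments discuss. It assumes the `<gui>` layout of a recent Syncthing config.xml and takes an already computed bcrypt hash as input, since computing the hash was the blocking point.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address

# Constructed sample (not from the package): a config.xml as the report describes it after a fresh install.
SAMPLE_CONFIG = """<configuration version="35">
    <gui enabled="true" tls="false">
        <address>0.0.0.0:8384</address>
        <apikey>EXAMPLE-API-KEY</apikey>
    </gui>
</configuration>"""

def is_loopback(address):
    """True if a Syncthing listen address ('host:port', IPv6 host in brackets) binds loopback only."""
    host = address.rsplit(":", 1)[0].strip("[]") if ":" in address else address
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"  # empty host (':8384') means all interfaces -> False

def audit_gui(config_xml):
    """Return findings for the <gui> section; an empty list means nothing to report."""
    gui = ET.fromstring(config_xml).find("gui")
    if gui is None or gui.get("enabled", "true") != "true":
        return []  # GUI disabled: nothing is exposed
    address = (gui.findtext("address") or "127.0.0.1:8384").strip()
    has_creds = bool((gui.findtext("user") or "").strip()) and bool((gui.findtext("password") or "").strip())
    exposed = not is_loopback(address)
    findings = []
    if exposed:
        findings.append(f"GUI listens on non-loopback address {address}")
    if not has_creds:
        findings.append("GUI has no user/password configured")
    if exposed and not has_creds:
        findings.append("CRITICAL: GUI is reachable from the network without authentication")
    return findings

def set_gui_credentials(config_xml, user, bcrypt_hash):
    """Patch <user> and <password> into <gui> before first start. Syncthing stores the password
    as a bcrypt string, so only an already hashed value ($2...) is accepted, never plaintext."""
    if not bcrypt_hash.startswith("$2"):
        raise ValueError("password must be a bcrypt hash, not plaintext")
    root = ET.fromstring(config_xml)
    gui = root.find("gui")
    for tag, value in (("user", user), ("password", bcrypt_hash)):
        element = gui.find(tag)
        if element is None:
            element = ET.SubElement(gui, tag)
        element.text = value
    return ET.tostring(root, encoding="unicode")
```

Running `audit_gui` on the shipped config.xml after installation reproduces the finding in this report; after `set_gui_credentials` only the non-loopback bind remains, which is expected when the GUI is meant to be reachable on the LAN.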