dashizz

Posts posted by dashizz

  1. There is Sync new build: 1.0.130

    [..]

    Fixed: access to files outside of sync folder

    Can you please advise on this fix? Upon selecting "Add folder" the webui is still listing '/' vs 'storage_dir'. The daemon is running under the related system user, even went as far as copying the binary to their storage_dir and running it there but no dice.

    Am I mistaken in thinking it's the same chroot issue I previously pointed out?

  2. I also tried the following to set the chroot manually, per se, but for some reason the directory never lists:

    - unpack user/.sync/webui.zip

    - change:

    webui.js:14: var ROOT_PATH = "/";

    to:

    var ROOT_PATH = "/home/user/btsync";

    jqueryFileTree.js:39: if( o.root == undefined ) o.root = '/';

    to

    if( o.root == undefined ) o.root = '/home/user/btsync';

    - repack webui.zip

    - chattr +ia webui.zip so that restarting the daemon doesn't reset webui.zip

    - restart btsync daemon

    The list simply sits blank, didn't see any console errors/related server log entries. My JS understanding is pretty limited :) Ideas anyone?

  3. Hi all,

    I just recently came across BTSync and plan on mass deployment. My main concern is that the "Select Folder" option in the WebUI (Linux) lists everything starting in '/'. Could you possibly have the WebUI chrooted to the "dir" location from the conf or introduce "chroot" as an available option? For example, user 'qwerty' would have something along the following set in the conf:

    "dir" : "/home/btsync/users/qwerty",

    "chroot" : "/home/btsync/users/qwerty",

    Then when user "qwerty" logs into the WebUI, and clicks "Add folder", their home/root path would be chrooted to the above value(s) and not '/' on the box. I'm sure others would like to see the same implemented in a multi-user environment.

    Detrimental common usage scenario:

    The average user will run the btsync daemon under the root account rather than start it under a new/other system user. By doing so, the standard btsync user will be able to add otherwise sensitive file/folder locations to its share via the WebUI - such as shadow hashes, plaintext database configuration files found on the server, etc. This poses a huge security risk for any shared environment as otherwise imposed system restrictions will be easily circumvented.

    I hope you take the chroot option into consideration :)
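
The confinement requested in the post above has to be enforced by the daemon on every path the WebUI submits; a root path set in client-side JavaScript only changes where the browser starts listing. The following is an added example, not BTSync code and not part of the original posts: a server-side check that resolves a requested folder and accepts it only if it stays inside the configured directory. The function names and the temporary directory tree are hypothetical and constructed for the demonstration.

```python
import os
import tempfile


def resolve_inside(root, requested):
    """Return the canonical path if `requested` stays inside `root`, else None."""
    root_real = os.path.realpath(root)
    # join() keeps an absolute request as-is and anchors a relative one at root
    candidate = os.path.realpath(os.path.join(root_real, requested))
    # commonpath compares whole components, so ".../qwerty2" does not
    # pass as a child of ".../qwerty" the way a startswith() check would
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def demo():
    """Build a constructed directory tree and run the check over sample requests."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "users", "qwerty")      # plays the role of "dir"
        sibling = os.path.join(base, "users", "qwerty2")  # another user's folder
        os.makedirs(os.path.join(root, "photos"))
        os.makedirs(sibling)
        # Symlink inside the user's folder that points outside of it
        os.symlink(sibling, os.path.join(root, "escape"))

        requests = {
            "subfolder": os.path.join(root, "photos"),
            "relative": "photos",
            "root itself": root,
            "filesystem root": "/",
            "dot-dot": os.path.join(root, "photos", "..", "..", "qwerty2"),
            "prefix sibling": sibling,
            "symlink out": os.path.join(root, "escape"),
        }
        return {name: resolve_inside(root, path) is not None
                for name, path in requests.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:16} {'allow' if allowed else 'deny'}")
```

A check like this narrows what the folder picker can select; running the daemon as an unprivileged system user remains the control that limits what it can read.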