aaronmk Posted April 30, 2013

Running btsync on Linux will by default create a *publicly-accessible, unprotected* WebUI, allowing anyone on the web to create a sync folder to view and edit your files (i.e. files in directories writable by you). Could the defaults (used when running btsync without a config file) be changed to prevent this unintended data leak?

A temporary workaround is to run `killall btsync` to turn off the WebUI, and then use --config with a config file that sets webui > password to a secure password. You can use `lsof -i` to verify that the WebUI is not running.
Automatic Coding Posted April 30, 2013

For what it's worth, the configuration file is covered in the tutorial on the download page, although I do agree, the webUI should be limited to the LAN if no configuration file has been provided.
aaronmk Posted April 30, 2013

I think users will generally run btsync with no arguments to test out the command, not realizing that they are starting the WebUI daemon. Could we make btsync display the help message when run without arguments?
dashizz Posted May 1, 2013

Forcing a password change on first run would be even better.
Automatic Coding Posted May 1, 2013

> Forcing a password change on first run would be even better.

But without the --config option, I don't believe it saves any data*.

* Just a note: I run btsync from the /tmp/ directory, so it may have been that it saves to the current DIR & I restarted between uses, or maybe it doesn't save data. I don't know.
foo Posted May 1, 2013

The best fix would be for the btsync web daemon to default to binding to 127.0.0.1 instead of 0.0.0.0. In the meantime you can manually set that in the json config file:

    {
      "webui": {
        "listen": "127.0.0.1:8888"
      }
    }
dashizz Posted May 1, 2013

Even better. Man, I wish I knew enough Javascript to chroot the user's "Add folder" option :\
aaronmk Posted May 2, 2013

> But without the --config option, I don't believe it saves any data*.

It will actually show previously-added shared folders when you restart btsync. The /tmp/SyncApp_dumps/ directory is empty, though, so I'm not sure where it stores the configuration. Maybe in the BitTorrent Sync tracker itself?
aaronmk Posted May 2, 2013

> The best fix would be for the btsync web daemon to default to binding to 127.0.0.1 instead of 0.0.0.0.

That works as long as you are the only one with access to your computer. If btsync is running on a shared computer, any other user on the computer would also be able to access it. (Other users would also notice that someone else was already running the WebUI on port 8888.)

I think ideally, the default mode for btsync would just prompt for a password to use with the WebUI, and generate (and reuse) a default config file stored in the user's home directory.
aaronmk Posted May 2, 2013

> Even better. Man, I wish I knew enough Javascript to chroot the user's "Add folder" option :\

Javascript doesn't support filesystem-level security because it's browser-based. You would instead have to modify the btsync program itself (i.e. the server-side code) to support things like chroot. Modifying btsync to fix security problems would of course require the source code, which BitTorrent hasn't made public (yet?).
stallemanden Posted May 3, 2013

> The best fix would be for the btsync web daemon to default to binding to 127.0.0.1 instead of 0.0.0.0. In the meantime you can manually set that in the json config file:
>
>     {"webui": {"listen": "127.0.0.1:8888"}}

I would hate for the default to be this way; using btsync on NAS devices, I would not be able to gain access to it.

And if you are already working with the config file, why not just set a user and password?

As mentioned, btsync works fine without having the --config option used, remembering the shares set up from start to start.

So, for me, when doing a first-time run, prompting for a user and password to be set would be a great... no wait, awesome start.
voltagex Posted May 3, 2013

Bind it to 127.0.0.1 and use an SSH port forward instead.
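The thread's recommended hardening (a config file that binds the WebUI to 127.0.0.1 and sets a password, plus an `lsof`/`ss` check that nothing is still listening on every interface, and an SSH forward to reach a loopback-only WebUI on a NAS) gathered into one script, as an added example that is not btsync's own tooling or code from anyone in the thread. It assumes, beyond what the thread states, that the "webui" object accepts a "login" key next to "password", that "storage_path" is a valid top-level key, and that the listener check is fed the output of `ss -ltn` (iproute2); the port 8888 and the "listen"/"password" keys come from the posts above.

```shell
#!/bin/sh
# Added example, not btsync's own tooling: write a btsync config that binds
# the WebUI to loopback behind a login, and check whether a running WebUI
# listener is bound to every interface (0.0.0.0 / *), which is what the
# thread reports the no-config default does.
#
# Assumptions not confirmed by the thread: the "webui" object accepts a
# "login" key next to "password", and "storage_path" is a top-level key.
# The listener check parses `ss -ltn` output; the thread's `lsof -i`
# shows the same information for eyeballing it.

# write_btsync_config FILE LOGIN PASSWORD
# Writes a config that is then started with: btsync --config FILE
# LOGIN and PASSWORD must not contain '"' or '\' (no JSON escaping is done).
write_btsync_config() {
    conf="$1"; login="$2"; password="$3"
    old_umask=$(umask)
    umask 077                          # the file holds a password: owner-only
    cat > "$conf" <<EOF
{
  "storage_path": "${HOME:-/tmp}/.btsync",
  "webui": {
    "listen": "127.0.0.1:8888",
    "login": "$login",
    "password": "$password"
  }
}
EOF
    umask "$old_umask"
}

# find_wildcard_listener PORT
# Reads `ss -ltn` output on stdin and prints every LISTEN socket on PORT whose
# local address is a wildcard (0.0.0.0, *, [::] or ::). Returns 1 if any were
# found, 0 if the port is only bound to specific addresses such as 127.0.0.1.
find_wildcard_listener() {
    port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" {
            n = split($4, part, ":")       # "[::]:8888" -> last piece is the port
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") {
                print $4
                found = 1
            }
        }
        END { if (found) exit 1; exit 0 }'
}

# Constructed sample of `ss -ltn` output: a WebUI on the wildcard address
# (the default the thread complains about), one on loopback, and sshd.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8888       0.0.0.0:*
LISTEN 0      128    127.0.0.1:8888     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# Demo: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    if printf '%s\n' "$SAMPLE_SS_OUTPUT" | find_wildcard_listener 8888; then
        echo "sample: WebUI only on specific addresses"
    else
        echo "sample: the WebUI above is reachable from every interface"
    fi
    conf="${TMPDIR:-/tmp}/btsync.conf"
    write_btsync_config "$conf" admin "$(head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    echo "wrote $conf; start with: btsync --config $conf"
    # Live check after restarting btsync:
    #   ss -ltn | find_wildcard_listener 8888 || echo "WebUI still on a wildcard address"
fi
```

With the WebUI on loopback, a NAS or remote box is reached as voltagex suggests, e.g. `ssh -L 8888:127.0.0.1:8888 user@nas` and then `http://localhost:8888` in a local browser; the config password still matters on a shared machine, because every local user can reach 127.0.0.1:8888. The same config write is also how credentials get reset when they are forgotten, as the last two posts of the thread discuss.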
affinity Posted May 3, 2013

> I think ideally, the default mode for btsync would just prompt for a password to use with the WebUI, and generate (and reuse) a default config file stored in the user's home directory.

Yes, I think a conf file should always be used, automatically, with one being generated the first time if it doesn't already exist. Then when you start btsync without specifying a config file, it will use the default one, but keep the option to use an alternate conf file.
queltos Posted June 16, 2014

Heya everyone, just wanted to say that I tried btsync and find it to be quite awesome in terms of usability. But I'm pretty horrified by the fact that btsync listens on 0.0.0.0 per default. As suggested before, I can only recommend setting it to 127.0.0.1. If you've got a NAS with SSH/CLI, you probably have the skills to change the listen address in a config or use the -L flag in SSH. This would be security/privacy first, which is, as I understand it, a main point of what btsync is about. Using a mandatory password would be kind of ok as well, I guess, although I think a lot of people will just enter the "I'll change that later for sure" value and forget about it.
RomanZ Posted June 16, 2014

@queltos The proposed change is going to kill the usability for people who use btsync on NASes and install it via packages without any usage of SSH. It is bad that BTSync does not have an option to bind the WebUI to only a selected NIC, which is necessary for security-aware people; that would be a good point for the Feature Request forum.
aaronmk Posted June 16, 2014

> The proposed change is going to kill the usability for people who use btsync on NASes

But wouldn't NAS users want their data protected, too? This would suggest that requiring the user to set a password (and warning them that their data will be wide open otherwise) is the best solution.
RomanZ Posted June 17, 2014

@aaronmk The WebUI requests to set the password at the very first run. It is up to the user to decide whether they want to make it secure or not.
benplumley Posted June 17, 2014

So is the problem here that it's not compulsory to set a password? Suppose I have a strong password on my webui, are my sync folders safe? And do potential attackers have to be on my LAN?
aaronmk Posted June 17, 2014

> The WebUI requests to set the password at the very first run.

Is this a new feature? I don't think it prompted for a password back when I submitted the bug, but maybe that has changed since then?
RomanZ Posted June 18, 2014

@benplumley Yes, if you have a strong pass, you should be on the safe side.

@aaronmk It's not new. It was present in 1.2 for sure. During the very first run BTSync requests a password; see the screenshot below.
aaronmk Posted June 18, 2014

> @aaronmk It's not new. It was present in 1.2 for sure. During the very first run BTSync requests a password; see the screenshot below.

That must be new in 1.2, which was released on 2013-11-5, after I submitted the bug.
DediN Posted February 28, 2015

Does the password set option still appear? I cannot access the GUI because it's requesting login credentials that I don't know; they used to be found in the config, but not anymore?
trevellyan Posted February 28, 2015

You can use the config file to reset the credentials.