Feature Request: Option to turn off warning "Syncthing should not run as a privileged or system user."

I do understand the motivation behind the warning and the need to warn people who are maybe not aware of the issue. But there is also a fair chance that people with privileged accounts know what they do and I respectfully ask to give them a choice to silence the warning.

Syncthing is small and nimble, easily installed and more or less maintenance free when configured correctly. That makes it ideal to regularly sync configs or data from and to devices that have only a limited environment. Unfortunately user management is often missing, and in those cases the (correct) warning about Syncthing running as privileged user is displayed. Again and again.

1 Like

Well, apart from the fact that now all of your users’ files are owned by a privileged or system user, so they can’t access them…

Advanced Settings -> Insecure Admin Access is the best you can do.

Maybe I did not express myself correctly: On a system where there is only one account, may it be called system, admin, root, whatever, there is only one account with which to install Syncthing. The files do belong to root, admin, system anyway. No problem here.

I’ve tried “Insecure Admin Access” before but it did not suppress the warning. It just gives me the screenshot below:

It’s a one-off after restart. There is no way to completely silence it, and I don’t think there should be. Running a network application as a superuser is a big no-no.

2 Likes

I have 2 devices running with this case, but I don’t feel it’s annoying. On the GUI for the first, I receive the advice only once, and on the other it isn’t even displayed if I use the -no-browser option. Why does it bother you?

1 Like

Ah, forget it. Thanks Bruno.

In some cases it has to be run as root. Say…you want to sync a Linux folder that’s shared out via Samba. User ‘bob’ saves a file to it. The owner is ‘bob’ and the group is ‘domain users’. The file has permissions 0660. All the domain users can do whatever they want with the file, but Syncthing can’t touch it.

Plus there’s this:

You can lock syncthing down quite a bit using apparmor–even if it’s running as root…so please provide a way for competent admins to disable this stupid warning.

2 Likes

You can grant the relevant capabilities in a more fine grained manner, which won’t trigger the large warning.

What ‘fine grained’ manner am I missing? Further configuration with apparmor or something?

I was thinking of using setcap to grant the binary the relevant capability. Maybe cap_dac_override to be root-like.

1 Like
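The `setcap` suggestion above, as an added example that is not part of the original thread: the commands to grant the capability are shown as comments, and the functions decode a process's effective capability mask so you can check what it actually holds regardless of its uid. The binary path `/usr/bin/syncthing` and the function names `decode_caps`, `classify` and `audit_pid` are assumptions made for illustration; the sample masks are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. /usr/bin/syncthing is an assumed path.
# Grant one capability to the binary instead of running it as root (run once as root):
#   setcap cap_dac_override+ep /usr/bin/syncthing
#   getcap /usr/bin/syncthing
# File capabilities live in an xattr on the file, so a replaced binary
# (for example after an upgrade) no longer carries them.

# Capability names in bit order, from linux/capability.h (bits 0..40).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK: print the cap_* names whose bits are set in the mask.
decode_caps() {
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( ($mask >> $bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }cap_$name"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# classify UID CAPEFF_HEX: one-line verdict; dac_bypass=yes means the process
# skips file read/write/execute permission checks, whatever its uid.
classify() {
    caps=$(decode_caps "$2")
    case " $caps " in
        *" cap_dac_override "*) bypass=yes ;;
        *) bypass=no ;;
    esac
    echo "uid=$1 dac_bypass=$bypass caps=${caps:-none}"
}

# audit_pid PID: read effective uid and CapEff of a live process from /proc.
audit_pid() {
    uid=$(awk '/^Uid:/ {print $3}' "/proc/$1/status")
    eff=$(awk '/^CapEff:/ {print $2}' "/proc/$1/status")
    classify "$uid" "$eff"
}

# Constructed sample values: a non-root process holding only cap_dac_override,
# and a uid-0 process whose effective set has been emptied.
classify 1000 0000000000000002
classify 0 0000000000000000
```

To inspect a running instance, call `audit_pid` with its process ID.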

There are some Linux devices which have only a root user (/etc is read-only so no further users can be created). In this case, it would be helpful to hide the message.

1 Like

You know, I agree, seeing this constantly after making the conscious choice to have it set up this way…is super annoying. I don’t feel like a turn this off option is too much to ask. My practices may not be best, but they are what I want in the moment. What I also want is for it to work without a big yellow banner that won’t change my practices, but does annoy me because it could be telling me something important like a broken disk or connection or something, but now I don’t read the flippin warning because they all say the same irrelevant thing and now I spank that go away button so now it’s just a cry-wolf situation.

and it hurts nothing to have the option.

At the moment, your best bet without modifying the source code is to use custom CSS to simply hide the warning. This can be done either in the browser or through a custom theme inside Syncthing.

Otherwise, the only other way is to literally rip the code out and compile your own build of Syncthing (which I’ve been doing myself for quite a long time). Security is important but root access is basically required on Android to make full-fledged synchronisation possible (e.g. being able to modify mtime, etc.).

You think, I think. The same framework can actually limit root drop capabilities, agreed? So the uid of the process is at best a broad assumption. We are all very confident in that we are right. People can be opinionated. Tools should be tools. Do you agree?

Can we just have a command line option to disable the warning which I think would be as simple as injecting a “root warning acknowledged” in the xml config at first start?

The use of STGUIASSETS envvar to point to a different gui root and just removing the warning from the template would seem the easiest option.

You can deactivate the warning with ublock origin, in “My filters” you add:

Your_IP##div.col-md-12:has-text(/consider/)

Best regards

This has a bit of a “stick a sticker on the check engine light” feel to it.

I got the message for Syncthing installed as root on a LXC Debian container on Proxmox. It seems that in this configuration, not putting the user “root” would have other complex consequences.

But if you have a reasonable solution for this context, I’m willing to hear it.

I understand the motivation of the developers regarding this message, but I also understand the users who want to take on this responsibility like big boys once and for all.

So in this circus if some can put their heads in the sand, others can stick a sticker.

LXC sits in between a QEMU virtual machine and a lightweight container system such as Docker.

Running Syncthing as a non-root user in a LXC container is very uneventful. Auto-starting with systemd, configuring permissions, etc. are all the same as if running in a QEMU VM or bare-metal, so no worries about potential complex consequences.

About the only thing that requires a little bit of extra effort is NFS mounts with LXC, but pointing Syncthing at a network file share isn’t ideal either, so it shouldn’t be a deal breaker.

Thanks gadget, but I still don’t see the reason to add an additional user.

In my context this is an unprivileged LXC container, in which I have an “Untrusted (Encrypted) Device” so the container is already isolated, the encrypted content unusable even after breach, and there is still a message telling me that it is dangerous to be a root user.

Don’t you think this thing is becoming religious? The same people will tell me to put an armored door for the shed in the garden (in which I go to poop).

Anyway, I moved from SyncTrayzor to SyncthingTray and it allows me to connect to different instances directly (great) which means that I almost no longer have to visit the GUI for controls. Even if this one is really well done!

Thank you to the developers and contributors, I remain attentive to your objections.