How sensitive is config.xml?

Hi,

I’m wondering if it is safe to share the config.xml file of a device in public (e.g. Github, etc) or could this be exploited somehow?

Your Web GUI password in a hashed form is there, and also all device names, folder paths, etc. It depends how sensitive they are for you. I wouldn’t share mine for sure.


So if I understand you correctly, it does not compromise syncthing’s security, but might expose personal information. Thank you!

Isn’t the API key also stored in the config? You definitely shouldn’t expose that, since it grants full access to syncthing (if someone is able to connect to the GUI port)


Wait, what? We store the API key as plaintext?

Yes.

I know the security implications of leaking a user created password and an autogenerated API key are a bit different, but why don’t we store them both as a hash? Solely relying on file permissions to guard this secret seems risky to me.

The chance of a user accidentally publishing his config file is not zero. Case in point: this thread

One complication is that all of the usual password hashing algorithms are designed to be one-directional.

For example, the web GUI password requires users to enter their password so that Syncthing can rehash it for comparison against the hash stored in config.xml – i.e. Syncthing doesn’t “know” what the password is, it only knows what the hash is.

The API key is technically a “shared secret”. If the API key were hashed for storage in config.xml, the user would need to supply the non-hashed API key so that Syncthing’s web GUI could then submit it to the REST API backend (which only has the hashed version) for verification. Users using the REST API interface directly already store the API key externally, but it could be inconvenient for the web GUI users unless they’re using a password manager.

One workaround would be to store the API key in a separate XML file to reduce the chances of a user exposing it while posting their config.xml online.

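As an added example (not code from the thread or from the Syncthing project), here is a small redaction helper for the situation discussed above: a user who wants to post their config.xml for support can strip the secrets under `<gui>` first, and optionally the personal folder paths and device names. The sample XML is constructed and assumed to follow the layout of a Syncthing config.xml (`gui/password`, `gui/apikey`, `folder@path`, `device@name`); the placeholder values are not real.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Constructed sample; the element/attribute names are assumed to match
# Syncthing's config.xml layout, and every value is a placeholder.
SAMPLE_CONFIG = """<configuration version="37">
  <folder id="abcd-1234" label="Documents" path="/home/alice/Documents" type="sendreceive">
    <device id="DEVICE-ID-PLACEHOLDER-1"/>
  </folder>
  <device id="DEVICE-ID-PLACEHOLDER-1" name="alice-laptop"/>
  <device id="DEVICE-ID-PLACEHOLDER-2" name="office-nas"/>
  <gui enabled="true" tls="false">
    <address>127.0.0.1:8384</address>
    <user>alice</user>
    <password>$2a$10$PLACEHOLDERHASHPLACEHOLDERHASH</password>
    <apikey>PLACEHOLDERAPIKEYPLACEHOLDER</apikey>
  </gui>
</configuration>
"""

# Children of <gui> that hold secrets: the API key is a plaintext shared secret,
# the password is only a hash but is still not something to publish.
SECRET_GUI_ELEMENTS = ("apikey", "password")
# Attributes that are personal rather than secret; redacted only when full=True.
PERSONAL_ATTRS = {"folder": ("path", "label"), "device": ("name",)}


def redact_config(xml_text: str, full: bool = False) -> Tuple[str, Dict[str, int]]:
    """Return the redacted XML plus a count of what was redacted, keyed by
    'tag' for secret elements and 'tag@attr' for personal attributes."""
    root = ET.fromstring(xml_text)
    found: Dict[str, int] = {}
    for gui in root.iter("gui"):
        for tag in SECRET_GUI_ELEMENTS:
            el = gui.find(tag)
            if el is not None and el.text:
                found[tag] = found.get(tag, 0) + 1
                el.text = "REDACTED"
    if full:
        for tag, attrs in PERSONAL_ATTRS.items():
            for el in root.iter(tag):
                for attr in attrs:
                    if attr in el.attrib:
                        key = f"{tag}@{attr}"
                        found[key] = found.get(key, 0) + 1
                        el.set(attr, "REDACTED")
    return ET.tostring(root, encoding="unicode"), found


if __name__ == "__main__":
    text, counts = redact_config(SAMPLE_CONFIG, full=True)
    print(counts)
    print(text)
```

Run it against your own file by replacing `SAMPLE_CONFIG` with the file's contents; the returned counts tell you what was found, so an empty result for `apikey` means the file either uses a different layout or has no key set.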

No, it is not safe to share the config.xml file of a Syncthing device publicly. It contains sensitive information like device IDs and encryption keys that can be exposed.