Security for desktop application interface.


(Thiago Morais) #1

I know it is possible to apply a security system with user and password for the web interface.

Is it also possible to enable this security by authentication in the desktop application interface?


(Antony Male) #2

I don’t know of any other applications which force you to log into them before you can use them. Usually, the assumption is that if someone has access to your user account, they have access to all of your stuff.

Indeed, if someone has access to your user account they don’t need the GUI - they can just go and edit Syncthing’s config directly, or access your files.

The only point of the password is to prevent other users on the same machine who are logged in at the same time from accessing Syncthing, or to prevent users from accessing Syncthing over the network (if you’ve enabled that). Neither of those applies to the desktop application.


(Martin) #3

I think part of the request comes from the idea that someone who is able to access your computer via the network is then also able to access files by connecting to the appropriate port.

As far as I know SyncTrayzor, it still enables username/password of Syncthing, but does pre-supply this information parsed from the configuration file when using the embedded browser. Using your own browser or connecting to the UI port from another IP address will still require username/password.


(Antony Male) #4

You’re almost right: SyncTrayzor doesn’t care whether you set a password for Syncthing or not, because it bypasses the password mechanism (by using an API key). If you set a password for Syncthing then you’ll still be asked for it when accessing Syncthing from a web browser, but SyncTrayzor will bypass it.
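
Posts #2 and #4 together imply two things worth checking on a shared machine: whether the GUI is reachable beyond loopback without a password, and who can read the file holding the API key. The following is an added example, not part of any post in this thread and not Syncthing or SyncTrayzor code; it assumes the `<gui>` section of Syncthing's config.xml with a TCP host:port address, and the sample config and function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config (not from the thread); element names follow
# the <gui> section of Syncthing's config.xml.
SAMPLE_CONFIG = """<configuration version="37">
  <gui enabled="true" tls="false">
    <address>0.0.0.0:8384</address>
    <apikey>CONSTRUCTED-EXAMPLE-KEY</apikey>
  </gui>
</configuration>"""


def is_loopback(address):
    """True if a TCP host:port GUI address is bound to loopback only."""
    host = address.rsplit(":", 1)[0].strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host (":8384") or unknown name: treat as exposed


def audit_gui(config_xml, file_mode=None):
    """Return findings for the <gui> section of a config.xml string."""
    gui = ET.fromstring(config_xml).find("gui")
    if gui is None or gui.get("enabled", "true") != "true":
        return []
    findings = []
    address = (gui.findtext("address") or "").strip()
    has_password = bool((gui.findtext("user") or "").strip()
                        and (gui.findtext("password") or "").strip())
    exposed = not is_loopback(address)
    if exposed and not has_password:
        findings.append("GUI listens on %s with no user/password" % address)
    if exposed and gui.get("tls", "false") != "true":
        findings.append("GUI listens on %s without TLS" % address)
    # The API key is accepted in place of the password, so anyone who can
    # read this file can reach the GUI even when a password is set.
    has_key = bool((gui.findtext("apikey") or "").strip())
    if has_key and file_mode is not None and file_mode & 0o044:
        findings.append("config.xml with API key is readable by group/other")
    return findings


if __name__ == "__main__":
    for finding in audit_gui(SAMPLE_CONFIG, file_mode=0o644):
        print(finding)
```

On a real system, pass the file's contents and `os.stat(path).st_mode` for the config.xml in use.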


(Thiago Morais) #5

My concern would be with ordinary (unknowing) users who might eventually edit / remove sync folders.

I currently use Cubby, and this happens when the user thinks that something is wrong and wants to fix it alone, but it damages the synchronism without intention.

I solved by hiding the access icons.


(Noah Park) #6

I did this recently by adding a basic node-based central authentication system in Amazon. This way whenever a user opens Syncthing, they are prompted to log in before they see the main Syncthing page. Keep in mind, this has nothing to do with Syncthing running, since it runs in the background on system startup in many cases, but what this does is prevent unauthorized users from getting to the GUI to make any changes to the folders being sync’d. I’d be happy to share this code, I’m in the process of cleaning it up right now before posting on my public GitHub and pushing an update to Syncthing.

