Security 'warning'

with the auto-upgrade to 1.3.0, SyncTrayzor is warning me there is no username/password set for accessing syncthing. Not sure if this is an error from SyncTrayzor or one being pushed through by the upgraded SyncThing…

On the same dialog for user/pass, there is a hardcoded 127.0.0.1:xxxx address and port where SyncThing will listen. So like with any other locally-managed service on the computer, the supposed ‘hacker’ would have to have local access.

Anyway, it seems like a spurious error, and there is no inconvenient need to put a user/pass on SyncThing that I would have to enter every time I open SyncTrayzor. Seems like an ‘overreach’.

There was a change on this in 1.3.0, but if the listen address is actually 127.0.0.1:something it should not be displayed. It would be interesting to know what the actual listen address is. Syncthing shows this when it starts up, in the logs somewhere.


Using Synctrayz0r too:

Settings show this under GUI Listen Address:

The GUI address is overridden by startup options. Changes here will not take effect while the override is in place. 127.0.0.1:8384

[start] 17:22:48 INFO: syncthing v1.3.0 "Fermium Flea" (go1.13.1 windows-amd64) teamcity@build.syncthing.net 2019-10-01 05:34:58 UTC
[start] 17:22:49 INFO: Using large-database tuning
[aaa] 17:22:49 INFO: My ID: aaa
[aaa] 17:22:50 INFO: Single thread SHA256 performance is 321 MB/s using minio/sha256-simd (222 MB/s using crypto/sha256).
[aaa] 17:22:50 INFO: Hashing performance is 249.96 MB/s
[aaa] 17:22:50 INFO: Reinitializing delta index IDs (i love this!)
[aaa] 17:22:50 INFO: Ready to synchronize (sendreceive)
[aaa] 17:22:50 INFO: Overall send rate is unlimited, receive rate is unlimited
[aaa] 17:22:50 INFO: TCP listener (0.0.0.0:22000) starting
[aaa] 17:22:50 INFO: GUI and API listening on 127.0.0.1:8384
[aaa] 17:22:50 INFO: Access the GUI via the following URL: http://localhost:8384/
[aaa] 17:22:50 INFO: My name is "yyyy"

I do get this warning everywhere :). Maybe it is because of the localhost http address?

Yes, I think so. It sets the address to the string localhost while the warning code looks for 127.* and some other patterns. It could be fixed on either side. I think our reasoning for recognizing just the IPs is that names might resolve to surprising things at times. But we could also just take whatever the listening socket ended up being, after resolving, and that would be better.

I guess setting 127.0.0.1:8384 in Synctrayzor should also silence it.


With this change, the warning message has disappeared :))))


Nonetheless I think we can fix this more elegantly “server-side”. Please someone feel free to file it on GitHub. 🙂

I have the same message as dr schnagel had in his first reply, in that ‘changes made here will be overwritten by startup options’.

Indicating that the setting 127.0.0.1:xxxx is set elsewhere. I have no problem with that. It does not say ‘localhost:xxxx’, it shows exactly what I posted: 127.0.0.1:xxxx, where xxxx is the port number, which I don’t have in front of me, and besides that’s irrelevant to the error.

Anyway, the authors of the app programmatically set it up however they did, so you should know what port number it uses. I’m not in front of my computer, so I can’t tell you.

It wasn’t doing this with 1.2.0 or 1.2.2. Error/warning started appearing with 1.3.0.

Prior to 1.3.0 the warning was just based on the config value, even if overridden externally. In 1.3.0 it’s based on the config or the overridden value but the logic is unchanged. The logic never accounted for names like “localhost”.

What we should do is just get the address from the GUI listener, so we get in IP form whatever it actually ended up listening to.

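The two approaches discussed above side by side, as an added illustration that is not Syncthing's or SyncTrayzor's own code: a string-pattern check in the spirit of the pre-1.3.1 logic, which only recognises IP spellings of loopback and therefore misses "localhost", and a check that opens the GUI listener and inspects the address the socket actually bound to. Function names are assumptions for this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// oldLooksLocal mimics the pattern-based check described in the thread
// (hypothetical reconstruction): only "127.*" and "::1" are treated as
// local, so a configured host of "localhost" is not recognised and the
// warning fires even though the GUI is loopback-only.
func oldLooksLocal(listen string) bool {
	host, _, err := net.SplitHostPort(listen)
	if err != nil {
		return false
	}
	return strings.HasPrefix(host, "127.") || host == "::1"
}

// boundIsLoopback follows the "take whatever the listening socket ended up
// being" proposal: it binds the address, reads back the resolved IP:port from
// the listener, and asks the IP itself whether it is loopback (127.0.0.0/8 or
// ::1). The listener is closed before returning; port 0 picks a free port.
func boundIsLoopback(listen string) (bound string, loopback bool, err error) {
	ln, err := net.Listen("tcp", listen)
	if err != nil {
		return "", false, err
	}
	defer ln.Close()
	addr := ln.Addr().(*net.TCPAddr)
	return addr.String(), addr.IP.IsLoopback(), nil
}

func main() {
	for _, l := range []string{"127.0.0.1:0", "localhost:0", "0.0.0.0:0"} {
		bound, loop, err := boundIsLoopback(l)
		if err != nil {
			fmt.Printf("%-14s pattern=%-5v bind error: %v\n", l, oldLooksLocal(l), err)
			continue
		}
		fmt.Printf("%-14s pattern=%-5v bound=%-22s loopback=%v\n", l, oldLooksLocal(l), bound, loop)
	}
}
```

Run it and note that "localhost:0" fails the pattern check but passes the listener check, while "0.0.0.0:0" fails both, which is the case the warning is actually meant to catch.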

Not to double or triple-post, I just want to be clear, since I’m in front of the terminal now:

127.0.0.1:8384

is the value. It always has been the value. I’m a new SyncTrayzor user as of one month ago. I’ve setup multiple sync folders to multiple devices, even in different timezones, which is something Mega could not handle (yeah, huge oversight on their part). Been overall pleased with it.

The error, though, is new. I did not change that listen address, it’s been the default the whole time. I notice Dr Schnagel posts his as ‘localhost:8384’, but mine has always been 127.0.0.1:8384.

Btw thanks for adding the bugtrack. Not a ‘huge’ deal, but for other people I’ve set this up for, a big red banner with the word ‘hacker’ in it is alarming, and it doesn’t need to be there in their or my situation.

I’ve already said this on the issue tracker, but I want to double check that there aren’t in fact multiple issues here:

  • Current issue is that “localhost” is interpreted differently from “127.0.0.1”. 127.x should not trigger this caution.

  • You’ve stated multiple times your listen address is “127.0.0.1:8384”: Where do you read this value from? There are multiple ways to set the listen address; what matters is what is set inside SyncTrayzor File -> Settings -> Syncthing -> Listen Address. In that field you should see localhost:8384. In the GUI (Actions -> Settings -> GUI -> GUI Listen Address) it doesn’t really matter what is written there, since it’s overridden.


Sorry for the delay.

I see where in SyncTrayzor I can click, on the bottom-right, Settings, then click the SyncThing tab, then adjust the localhost:8384 to 127.0.0.1:8384.

It didn’t make any difference in my case, so I downgraded all my clients to 1.2.2, as I can’t have them having big, spurious ‘hacker’ warning messages on their screen.

This will be fixed in a future Syncthing version, I believe.

1.3.1, yes