Hi,
in these times of lockdown, I’d like to help some friends of mine, in a very small company, to work remotely and share stuff using Syncthing (great tool, thanks a lot to its developers). They own a QNAP NAS which contains a lot of their stuff (of course they also have external backups). The NAS sits behind an “internet box” provided by the ISP, that ensures a rather good security (there’s no way to initiate a communication from the outside to their NAS). They already have Syncthing on their Windows workstations and PCs at home and the only machine outside of their Syncthing network is the NAS. It’s possible to install Syncthing on the NAS but it will then run with admin rights (it’s a limitation with QNAP NASes). I know this topic has already been addressed here and there on this forum but I’m still not completely sure of all the ins and outs, so here are a few questions:
Security-wise, supposing that their Syncthing network only comprises this NAS and their workstations, what is the level of threat? I’m asking because the NAS is itself on a rather safe LAN thanks to the internet box and backups are made every day. I understand that there is some form of “theoretical” risk, but security is always a trade-off and I’m wondering what are the actual risks: intuitively, there is no interest for a cracker in attacking them (because they don’t even make money…) while a bot would have to be quite specific to attack a Syncthing network featuring a node with admin rights… Seems much easier to get my friends to open a mail attachment containing a ransomware…
On the technical side, I read somewhere that the admin rights will also have an impact on read and write rights on stored files. When does it happen exactly? Is it only if you add a file on the NAS itself or even with files obtained from other Syncthing nodes? I had found that someone was constantly running a cron script to put correct rights to files (using e.g. chmod), which is something I would be ready to do. But perhaps there are other known ways?
A final note: until now, I considered installing the Syncthing package provided in the usual QNAP format (they call it qpkg). In that case, it runs as a normal process. Another, more tedious, possibility for me would be to install a Syncthing docker image. Do you think it would be advantageous in terms of security or file rights w.r.t. the qpkg solution? In that case, I saw there are several such docker images: which one do you recommend? Any particular thing I should know, any particular configuration I should not forget?
It’s a very lengthy post with either non-questions (statements) or abstract questions.
Also, it talks about generic things like permiter security or the security docker provides where syncthing is in no way special than any other application that happens to use the internet, hence the answer to these questions are available on the general internet.
If you have syncthing specific questions you should try to summarise into a few short syncthing specific questions.
OK sorry about that, I guess it just reflects the fact that, being a layman end user, I only have basic understanding of ST, networks and security. Let’s try to be more concrete. Hope it’ll be better.
So, I’d like to to set up a small (< 10 known nodes) Syncthing network comprising one node where ST is run with admin rights (and I can’t change that).
On the security side:
How could an attacker get admin rights by exploiting this situation? I’m asking this to assess the likelihood and practical consequences.
Apart from not running as admin, are there ways to, at least, mitigate this threat by configuring my ST network in a certain way?
Regarding configuration of a QNAP NAS (for people who’ve done it before):
Running as admin, files and folder may have problematic permissions for users. How do you ensure users can read and write shared files?
Do you recommend using the available QPKG or a docker image (in the latter case, which one? can you share your docker script?), and why?
I think it’s a bit of a “predict the future” type of question. If we’d know how an attacker could exploit things, we’d try to prevent it, but the fact that we don’t know, doesn’t mean it’s not possible. I can imagine a few different ways you could take over a machine if you got access to the GUI etc.
No not really. You should simply not run as admin, as I can’t see a reason why you must run as admin.
QNAP:
If syncthing runs under user X, all the files it downloads are owned by user X, as syncthing doesn’t sync ownership. So as long as you are accessing files as user X, there should be no permission issues.
It’s up to you. I have no idea who’s responsible for publishing the qpkg. I think we publish a synology package but I have no idea if its the same thing or not, as I don’t own a nas and have very little understanding about their ecosystem. We publish a docker image to dockerhub, so you can use that if you want, but I am not sure what you are referring to when you say docker script. I guess you mean docker build file, but you don’t need that as the image is already built and available on dockerhub.
Thank you for your help. I understand it can be tedious to answer questions that may appear too vague…
Of course, one can’t foresee the future but people designing systems often have a certain “threat model” in mind.
I’m not too afraid of connections to the GUI, as the said node will be in the company network, which is protected from connections from outside by the ISP box (which contains a firewall). My fear is rather how feasible it is to take control using the ST network itself: would it be possible to inject malicious software on the admin-running node from another, infected node of the network? Also, is there a possibility for relay or discovery servers to do such an injection?
I agree with you but, this is, from what I gather, the way packages for QNAP NASes work. This is why I was asking about Docker: I thought that running ST with normal user rights in a docker image, even the said image runs with admin rights, would add a level of protection.
We don’t have a threat model, we’re just a bunch of geeks that drink beer and write code in our spare time.
Everything is hackable, it’s just a matter of how much money you are willing to throw at the problem. If you are NSA with a quantum computer, cracking TLS is probably easy at which point you can exploit something in syncthing or some 1 million dollar value zero day in go itself to run god knows what.
I am not sure what sort of answer you are looking for. Do we think syncthing is implemented securely? Yes. Have we formally verified it’s secure? No. Have we had the code audited? No. Can you do bad things if you comprised things? Probably.
Docker does provide a level of isolation, but docker runs as root, so I guess if you escaped syncthing you’d still have escape docker, yet escaping docker has happened multiple times in the past, so take it as you will.