by tredre3 1482 days ago
Even leaving aside that the password is sent to the server when using the web UI, Seafile's security leaves a lot to be desired.

For example, file names, modification dates, sizes, and other metadata are NOT encrypted. This is a big deal if you sync something like your home folder (things like your browser cache or even Downloads folder may leak a LOT of info).

The defaults on the (self-hosted) server are also very insecure and there's no mention of anything in the installation guide.

It's a shame because Seafile is so much better than things like Nextcloud in my experience and there truly is nothing else like it; it really is just as convenient as using Google Drive!

1 comments

> The defaults on the (self-hosted) server are also very insecure..

Could you elaborate on this? Which defaults do you consider insecure? Are there ways to trivially change some values for more security?

Not pushing back on your statement, just curious to know more about it.

1. When you install Seafile you get two services: Seahub, which binds to 127.0.0.1, and Seafile, which binds to 0.0.0.0, and it isn't explained why one is public and the other isn't. Evidently they expect you to proxy both services, so why make one public at all? To be fair they briefly mention it as an optional step of the optional nginx section, which I hadn't seen before your comment so shame on me!

2. My other issue is that the installation guide doesn't tell you to create a user for Seafile and manually start the service as this user. Most services are installed as root and started as root and I would expect most users to do just that. There is nothing inherently wrong with Seafile not setuid()ing itself or its install script not creating a user, but it should mention it in the guide.

(To be fair they're really pushing the Docker method now and I expect manual installation to be deprecated.)
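
An added example, not part of the thread or of Seafile's own code: a check for the two points raised in the last comment (a service listening on 0.0.0.0, and a service running as root), done by parsing the Linux `/proc/net/tcp` table. The sample table is constructed, and ports 8000 (Seahub) and 8082 (Seafile file server) are assumptions about the install being checked.

```python
import socket
import struct

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (IPv4, little-endian host).
# Ports 8000 (Seahub) and 8082 (Seafile file server) are assumptions;
# row 3 is a hypothetical loopback service under an unprivileged uid.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1
   1: 00000000:1F92 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1
   2: 0100007F:1F92 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 20003 1
   3: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20004 1
"""


def decode_addr(field):
    """Turn '0100007F:1F40' into ('127.0.0.1', 8000)."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def audit_listeners(proc_net_tcp, ports):
    """Return one finding per listening socket on a watched port."""
    findings = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != TCP_LISTEN:
            continue  # not a listener (e.g. an established connection)
        ip, port = decode_addr(cols[1])
        if port not in ports:
            continue
        uid = int(cols[7])  # owner of the socket
        issues = []
        if ip == "0.0.0.0":
            issues.append("wildcard bind")
        if uid == 0:
            issues.append("runs as root")
        findings.append({"ip": ip, "port": port, "uid": uid, "issues": issues})
    return findings


if __name__ == "__main__":
    # On a live host, pass the contents of /proc/net/tcp instead of SAMPLE.
    for f in audit_listeners(SAMPLE, {8000, 8082, 3306}):
        status = ", ".join(f["issues"]) or "ok"
        print(f"{f['ip']}:{f['port']} uid={f['uid']}: {status}")
```

IPv6 listeners appear in `/proc/net/tcp6` with a different address encoding and are not covered here.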