Activitywatch: ActivityWatch doesn't behave well on multiuser systems

Created on 18 Jun 2017  路  4Comments  路  Source: ActivityWatch/activitywatch

Tried starting two instances of ActivityWatch today on the same computer (different users, Windows).

I was surprised to see the other users data when I opened localhost:5600, then I realized that it's not that strange since they use the same port.

What did surprise me was that I got no error about the server being unable to bind the port. I guess things work differently in the Windows world.

So this has a few issues:

  • Users could read the data from other users running ActivityWatch.
  • Two users cannot run ActivityWatch on the same port (well, they can, but only the person first starting the server will store all the data since the second server will crash on start when it can't bind the port)

This issue is present with other software as well, such as Syncthing. The basic workaround seems to be to just add the ability to run it on different ports. But this has some privacy issues if we don't also add the ability to password-protect the server.


Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

!pinned security low bug

Most helpful comment

@johan-bjareholt Just FYI: You can set the label !pinned to avoid stalebot marking it as stale. See config here: https://github.com/ActivityWatch/activitywatch/blob/42bf20c6a9115b246926a8c8156106e32489e30f/.github/stale.yml#L6-L9

All 4 comments

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@johan-bjareholt Just FYI: You can set the label !pinned to avoid stalebot marking it as stale. See config here: https://github.com/ActivityWatch/activitywatch/blob/42bf20c6a9115b246926a8c8156106e32489e30f/.github/stale.yml#L6-L9

Someone mentioned this on the forum: https://forum.activitywatch.net/t/manjaro-linux-kde-multiuser-pc/941/2

A potential solution would be to implement support for something similar to what Syncthing does, by allowing the user to configure a local password. This could then be picked up by watchers from a file in the user's home directory, or manually provided by the user as would have to be the case for aw-watcher-web.

Such a solution might overlap partly or entirely with what is implemented in https://github.com/ActivityWatch/aw-server-rust/pull/185

However, real protection from local threats on the local machine is somewhat futile. Unless you have a very well set up system with either full disk encryption (or encryption of the user's home directories) with carefully set user permissions where no other user has sudo/root, there will always be the possibility that another user on the same system snoops.

I understand this can be a bit frustrating to some, like those with a shared family computer, but unless someone else takes this on, it's unlikely that we (me and @johan-bjareholt) will work on this anytime soon.

Was this page helpful?
0 / 5 - 0 ratings