Systray icon, started by scheduled root-mode or foreign-user backup profiles via cron, allows privilege escalation #2237

@samo-sk

Description

Describe the problem, feature or ask a question:

The systray-icon process runs as root (at least when launched from cron). This allows it to launch the BiT GUI as root without authentication. It indeed does not request authentication when one clicks the "Start Back in Time" button in the right-click menu of the systray icon. If one gains access to a GUI running as root, they can read any backed-up file, and also overwrite any file by using the Restore feature.

A trivial solution to this problem would be to ask for the password (the root password, or the password of the user who owns the BiT profile that is doing the backup) when the user clicks the "Start Back in Time" button, and maybe also when the "View Last Log" button is clicked.

A more correct solution would be to run the icon process unprivileged. If this is implemented, this would possibly restrict some of the functionality of the icon, e.g. it could not access the logs of other users' BiT profiles, and the pause/resume/stop feature would stop working altogether. To fix this, the icon process would need to use an IPC mechanism to communicate with the backup process.

Introducing IPC mechanisms for communicating between GUI elements (be they the systray icon, or the BiT GUI itself) and the backend would have implications for #694. But I think that for now, it would be more feasible to just implement a prompt asking for the password, with the systray-icon process still running as root.
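The "run the icon process unprivileged" option described above, sketched as an added example that is not Back In Time project code: a policy function decides whether a tray-initiated GUI launch can proceed, must first drop to the profile owner's uid/gid, or (root-owned profile) must authenticate, and the spawner refuses to start anything as uid 0. Linux only; the `user=`/`group=` arguments need Python 3.9+, and the uid/gid values are assumed to be supplied by the caller.

```python
# Added example (not Back In Time code): a root tray process must never spawn
# the GUI as root. Decide how a launch is handled, then spawn unprivileged only.
import os
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LaunchDecision:
    action: str                 # "launch", "drop", or "authenticate"
    uid: Optional[int] = None   # credentials the GUI will run with
    gid: Optional[int] = None


def decide_gui_launch(tray_euid: int, tray_egid: int,
                      profile_uid: int, profile_gid: int) -> LaunchDecision:
    """Policy for the tray's "Start Back in Time" action.

    - Tray already unprivileged: launch as-is, no escalation is possible.
    - Tray is root, profile owned by a normal user: drop to that user first.
    - Tray is root, profile owned by root: a root GUI is unavoidable, so the
      user must authenticate before anything is launched at all.
    """
    if tray_euid != 0:
        return LaunchDecision("launch", tray_euid, tray_egid)
    if profile_uid != 0:
        return LaunchDecision("drop", profile_uid, profile_gid)
    return LaunchDecision("authenticate")


def spawn_gui_unprivileged(argv: list, uid: int, gid: int) -> subprocess.Popen:
    """Spawn argv with credentials permanently set to uid/gid.

    Refuses uid/gid 0 so a caller bug cannot silently reintroduce the root GUI.
    Supplementary groups are cleared only when we really are root, because
    setgroups() itself is a privileged call.
    """
    if uid == 0 or gid == 0:
        raise PermissionError("refusing to start the GUI as root")
    kwargs = {"user": uid, "group": gid}
    if os.geteuid() == 0:
        kwargs["extra_groups"] = []
    return subprocess.Popen(argv, **kwargs)


if __name__ == "__main__":
    # Demo: treat the current user as the profile owner and run a harmless child.
    d = decide_gui_launch(os.geteuid(), os.getegid(), os.getuid(), os.getgid())
    if d.action == "authenticate":
        print("root-owned profile: authenticate before launching the GUI")
    else:
        spawn_gui_unprivileged([sys.executable, "-c", "import os; print(os.geteuid())"],
                               d.uid, d.gid).wait()
```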

Metadata

Assignees

No one assigned

    Labels

    Bug
    Discussion (decision or consensus needed)
    High
    Notifications (desktop, email, GUI/tray status messages)
    Reproduced
    Scheduling (cron, anacron etc.)
    Security (security and vulnerability related issues)
