[collected] Security issues

Ok, I admit, I am a bit of a security freak (professional deformation, I guess :neutral_face:) but it really would be great to have the following options available in the web UI:

  1. possibility to change “pi” user’s password - leaving it at default is a security disaster in a shared network (unless we are ok with our little Pi being a part of some botnet and/or mining for bitcoins)
  2. setting and changing the password of MPD server - so not everybody who has access to my network can mess with my playlists etc.

While there is an easy workaround for the first issue (changing the password via SSH), the other one is more problematic (applying new settings from the web UI will overwrite manual changes in /etc/mpd.conf).

Web UI authentication is also a must (it may be optional but it must be available). Currently anyone in my network can change settings like the currently used DAC, add and remove NASes, change the audio buffer size, refresh the MPD database over and over etc. Right now maybe this isn’t much, but in the future, as more options come, it may even be possible to damage someone else’s hardware.

This may all sound like a serious case of paranoia, but some of those are really serious security issues, please don’t belittle those and stay safe! :slight_smile:
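Added example (not part of the original post and not Volumio's own code): because applying settings from the web UI rewrites /etc/mpd.conf, a small check run afterwards can tell whether a manually added MPD password survived. It uses MPD's `password` and `default_permissions` directives; the function name, the sample configurations and the default-permission rule noted in the comment are assumptions of this example.

```python
import re

# Assumption: MPD grants every permission to unauthenticated clients when no
# "password" line exists, and none once a password is configured, unless
# "default_permissions" overrides either case.
ALL_PERMS = {"read", "add", "player", "control", "admin"}
DIRECTIVE = re.compile(r'^\s*(password|default_permissions)\s+"([^"]*)"')

def audit_mpd_conf(text):
    """Return (findings, anonymous_permissions) for the text of an mpd.conf."""
    passwords, default_perms = [], None
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out directives do not count
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "password":
            # Format: password "secret@perm1,perm2"
            secret, _, perms = value.partition("@")
            passwords.append((secret, {p for p in perms.split(",") if p}))
        else:
            default_perms = {p.strip() for p in value.split(",") if p.strip()}
    if default_perms is None:
        default_perms = set() if passwords else set(ALL_PERMS)
    findings = []
    if not passwords:
        findings.append("no password directive: hardening missing or overwritten")
    if default_perms & {"control", "admin"}:
        findings.append("unauthenticated clients may change playback or settings")
    if any(not secret for secret, _ in passwords):
        findings.append("empty password configured")
    return findings, default_perms

# Constructed sample inputs (not taken from a real Volumio image).
REGENERATED = 'music_directory "/var/lib/mpd/music"\nport "6600"\n'
HARDENED = (REGENERATED
            + 'password "example-secret@read,add,control,admin"\n'
            + 'default_permissions "read"\n')

if __name__ == "__main__":
    for name, conf in (("regenerated", REGENERATED), ("hardened", HARDENED)):
        findings, anon = audit_mpd_conf(conf)
        print(name, sorted(anon), findings or "ok")
```

On a device, pass the contents of /etc/mpd.conf to `audit_mpd_conf` after each settings change made through the web UI.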

(thumbs up)
I would support this point

I don’t have any competence in the field but just have this weird feeling of having an unsecured server in my network and on the internet might be something which is not meant to last.

So while I can’t give any competent comment on it, I am happy that someone who apparently knows more about security issues mentioned the issue and proposes some fixes. It would be great if more people with corresponding background would engage and contribute to make things evolve for the future.

Thanks and with best regards,

I have just loaded up Volumio on my raspi. The first thing I noticed also is no security feature to lock out users from the setting area. It is way too easy for someone to mess things up just checking things out. I’m not a web programmer or webpage maker, but there has to be a simple way of having a login form for those pages when clicked on. MENU - System, library and network link.
Has anyone figured out a way to do this??


P.S. Fantastic distro!! beautiful look and feel :slight_smile: