Error uninstalling Spotify and Spotify Connect plugins

I tried to uninstall the Spotify and Spotify Connect plugins, and got this error:

A basic function like this should work properly. I ended up using ssh and deleting spop and volspotconnect2 from the /data/plugins/music_service folder.

1 Like

You give no details about the Volumio version, no details on how you installed plugins, whether other plugins are installed, or whether you manually installed other packages…
This feature used to work properly… I think it is the first time this error is reported using the plugin installation page.

I am running the latest Volumio update (3.211)
I had the stable plugin releases of Spotify (v2.0.3) and Spotify Connect2 (v3.0.7)
Other installed plugins:

  • Roon Bridge
  • YouTube2
  • YouTube Cast Receiver
  • Music Services Shield

All plugins installed in the normal way using the Volumio web interface, and no manual installations.

I upgraded to Volumio 3 in mid December (new SD card, not over-the-air update) and installed all the plugins around that time. I have been running the system since then with no changes except a few system updates when I saw that a Volumio update was available. Volumio has been stable for me and I’ve had no issues until yesterday when I decided to uninstall the Spotify plugins.

Ok thanks for info. Does it occur for both plugins? Maybe something in v3.211?
Edit: I tested with Spotify and no issue… what happened?

I had an idea that uninstalling any plugin might fail. Now I tried to uninstall YouTube Cast Receiver and indeed it did fail.
Here is the log: http://logs.volumio.org/volumio/VICiyhG.html
I copied below where it uninstalls the plugin, and it says an authentication error for user=volumio.
Something I did do when I installed Volumio 3 is go into ssh and change the password from the default “volumio”. Is this the cause of the problem?

I couldn’t even change the password back to “volumio” now because the system rejects “volumio” as too simple for a new password. I think it is a big security risk to leave Volumio open with the default password. Someone can easily get in and do serious damage on your local network.

Here is an excerpt from the log:

Jan 30 09:49:48 pi2aes volumio[858]: info: Starting Uninstall of plugin music_service - ytcr
Jan 30 09:49:48 pi2aes volumio[858]: info: Uninstalling plugin ytcr
Jan 30 09:49:48 pi2aes volumio[858]: info: Disabling plugin ytcr
Jan 30 09:49:48 pi2aes volumio[858]: info: Checking if uninstall.sh is present
Jan 30 09:49:48 pi2aes volumio[858]: info: Executing uninstall.sh
Jan 30 09:49:48 pi2aes sudo[1244]: pam_unix(sudo:auth): authentication failure; logname= uid=1000 euid=0 tty= ruser=volumio rhost=  user=volumio
Jan 30 09:49:51 pi2aes sudo[1244]: pam_unix(sudo:auth): conversation failed
Jan 30 09:49:51 pi2aes sudo[1244]: pam_unix(sudo:auth): auth could not identify password for [volumio]
Jan 30 09:49:51 pi2aes sudo[1244]:  volumio : 1 incorrect password attempt ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh /data/plugins/music_service/ytcr/uninstall.sh
Jan 30 09:49:51 pi2aes volumio[858]: info: Uninstall script return the error Error: Command failed: echo volumio | sudo -S sh /data/plugins/music_service/ytcr/uninstall.sh > /tmp/installog
Jan 30 09:49:51 pi2aes volumio[858]: [sudo] password for volumio: Sorry, try again.
Jan 30 09:49:51 pi2aes volumio[858]: [sudo] password for volumio:
Jan 30 09:49:51 pi2aes volumio[858]: sudo: no password was provided
Jan 30 09:49:51 pi2aes volumio[858]: sudo: 1 incorrect password attempt
Jan 30 09:49:52 pi2aes volumio[858]: info: Tunnel connection is inactive, restarting it
Jan 30 09:49:52 pi2aes volumio[858]: info: Starting Tunnel 1
Jan 30 09:49:52 pi2aes volumio[858]: info: Starting Tunnel Connection Checker
Jan 30 09:49:53 pi2aes sudo[1251]:  volumio : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/systemctl restart sshtunnel.service
Jan 30 09:49:53 pi2aes sudo[1251]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 30 09:49:53 pi2aes autossh[1211]: received signal to exit (15)
Jan 30 09:49:53 pi2aes systemd[1]: Stopping MyVolumio SSH Tunnel...
Jan 30 09:49:53 pi2aes systemd[1]: sshtunnel.service: Main process exited, code=killed, status=15/TERM
Jan 30 09:49:53 pi2aes systemd[1]: sshtunnel.service: Succeeded.
Jan 30 09:49:53 pi2aes systemd[1]: Stopped MyVolumio SSH Tunnel.
Jan 30 09:49:53 pi2aes systemd[1]: Started MyVolumio SSH Tunnel.
Jan 30 09:49:53 pi2aes sudo[1251]: pam_unix(sudo:session): session closed for user root

Yes, changing password is the root cause… This is an old, unsolved issue in volumio.

I hope everybody agrees that it should be possible to change the password without breaking the app. I’m a longtime software engineer but haven’t worked directly in Linux or Raspberry Pi. The concept of the root password being a hardcoded, published string leaves me a bit speechless. It is a vulnerability that will be exploited.

I noticed another case of changing password causing a problem. I’ve been seeing a red warning box appear briefly during bootup, but didn’t look further because I haven’t noticed anything broken.

I’m using the Music Services Shield plugin and I see now that the error message comes from the plugin using the sudo command and passing it hardcoded “volumio” as password. When I changed the password, it effectively broke this plugin.

I’m not a security specialist but even I see that some re-architecture is needed. You don’t want to wake up one day and discover that Volumio installations worldwide are getting infected.

Good to know. Now I understand why some functions were not working. So I changed the passwords back to the original ones.
I fully agree with you @metro. This is a big vulnerability. :scream:
Are there any plans from the development team to fix this soon?

I mentioned this earlier:

I couldn’t even change the password back to “volumio” now because the system rejects “volumio” as too simple for a new password.

I learned that if you change the password while in superuser mode, it won’t check for a simple password. First run the command sudo -s, then run the command passwd volumio to change the password for user volumio, and enter “volumio” as the new password. After rebooting, things that were broken are working again.

Maybe I should check periodically if my RPi is running hot, because it might be crypto mining :upside_down_face: or encrypting my NAS :open_mouth:

Resetting the password is not my problem. It is even easier with the following command:
sudo passwd volumio

I think the developers should basically fix the problem so that the password of the volumio user can be changed.

In the “sudoers” manual it is described how to execute defined commands under another user without knowing his password. See:
man sudoers

and search for “PASSWD and NOPASSWD”:

       By default, sudo requires that a user authenticate him or herself before running a command.  This behavior can be modified via
       the NOPASSWD tag.  Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that follow it in the Cmnd_Spec_List.
       Conversely, the PASSWD tag can be used to reverse things.  For example:

       ray     rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

       would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as root on the machine rushmore without authenticating him‐
       self.  If we only want ray to be able to run /bin/kill without a password the entry would be:

       ray     rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

The fewer commands are specified, the more secure this solution is. This would be a simple interim solution, which would already increase the security of the devices a little after the users change the password of the volumio user.

1 Like
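
The NOPASSWD approach proposed above only narrows privileges if each entry names one fixed command. The check below is an added example (not Volumio's code and not part of the original thread) that flags over-broad entries; the sample rules and the drop-in file name are constructed, with the two command paths taken from the log excerpt earlier in the thread.

```shell
#!/bin/sh
# Added example, not Volumio code. Heuristic lint for NOPASSWD rules; it does
# not handle sudoers aliases or line continuations.

# Constructed rules; the two command paths come from the log excerpt above.
SAMPLE='# hypothetical drop-in: /etc/sudoers.d/volumio-plugins
volumio ALL=(root) NOPASSWD: ALL
volumio ALL=(root) NOPASSWD: /bin/sh /data/plugins/*/*/uninstall.sh
volumio ALL=(root) NOPASSWD: /bin/systemctl restart sshtunnel.service
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm'

# lint_nopasswd FILE: print one RISKY line per over-broad NOPASSWD command.
lint_nopasswd() {
    awk '
    /^[ \t]*#/ || !/NOPASSWD:/ { next }
    {
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)        # drop "user host ="
        sub(/^\([^)]*\)[ \t]*/, "", spec)     # drop an optional "(runas)"
        n = split(spec, cmd, /[ \t]*,[ \t]*/)
        nopass = 0
        for (i = 1; i <= n; i++) {
            c = cmd[i]
            # A tag applies to every command after it until the next tag.
            if (c ~ /^NOPASSWD:/) { nopass = 1; sub(/^NOPASSWD:[ \t]*/, "", c) }
            else if (c ~ /^PASSWD:/) { nopass = 0 }
            if (!nopass) continue
            why = ""
            if (c == "ALL") why = "any command as root"
            else if (c ~ /[*?]/) why = "wildcard; in arguments it also matches / and spaces"
            else if (c ~ /^\/(usr\/)?bin\/(sh|bash|dash)$/) why = "root shell"
            if (why != "") printf "RISKY line %d: %s -> %s\n", NR, c, why
        }
    }' "$1"
}

# Demo run over the constructed rules: reports lines 2 and 3 only.
demo=$(mktemp)
printf '%s\n' "$SAMPLE" > "$demo"
lint_nopasswd "$demo"
rm -f "$demo"
```

A rule that passes this check is still equivalent to full root if the volumio user can modify the script it names, so check the ownership and permissions of that path as well. Validate the final file with `visudo -cf` before installing it.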