severity 404460 normal
thanks

Alexander Kurtz <kurtz.a...@googlemail.com> wrote:

Hi,

> [1] The web interface can be accessed remotely
>     => local access only

That's intended, I don't know why you think it's a bug.

> [2] There is a default password set, which is "mt-daapd"
>     => lock admin account per default, set no password

Debatable.

> [3] The password isn't checked if you're coming via localhost
>     => check password

Only if no password is set in the config file, and there's one by
default.

> [4] /etc/mt-daapd.conf stores the admin-pw as clear text 
>     and is world-readable.

It's not world-readable, the postinst adds a statoverride and makes it
mode 0600. If you've upgraded, it's possible you fell into a window of
time during which the statoverride was mishandled. (That predates my
involvement with mt-daapd.)

So check the statoverrides for /etc/mt-daapd.conf. It could also be the
result of a careless editor used to edit the config file.

>     => store the password using a salted hash OR
>        use the root password like the CUPS webinterface does

Hashed passwords can be done, but it requires some invasive changes, is
a significant deviation from upstream and breaks the ability to simply
edit the config file to change the password. It violates the principle of
least surprise for the user, so it's not that great.

> This is an absolute security nightmare! Even worse, according to Joshua
> Kwan, only [3] and [4] have been (partially) fixed so far.

I have some reservations about Joshua's views on mt-daapd, though I do
share some of his concerns.

> Honestly, installing mt-daapd is IMHO not better than setting your
> root-pw to "root" and installing a ssh server!

mt-daapd is not running as root, so that's just pure FUD. Put down
your crack pipe.

To recap:
 1. is bullshit,
 2. is debatable, but really not a big deal either, it's a matter of
    policy,
 3. is wrong, plain and simple,
 4. is wrong on the permissions, correct on the plaintext password.

I don't see a bug here, yet. Wishlist bugs, yes, CRITICAL SECURITY
BUGS OMGWTFBBQ WE'RE ALL DOOMED ZOMG!!11!!1!!11111, certainly NOT.

I'm certainly interested in fixing real bugs in mt-daapd, that being
said, the mt-daapd package in Debian is probably the best version of
mt-daapd you can find due to the patches I've collected or written...

Upstream being in the sorry state it is, if I were to go and do some
extensive patching, Debian (read: me) would become the de facto
upstream, and I'm not sure I want to do that just yet.

I've been scratching that itch, though.

JB.

-- 
 Julien BLACHE - Debian & GNU/Linux Developer - <jbla...@debian.org> 
 
 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169 
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169 
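The check the maintainer asks for above (is /etc/mt-daapd.conf really mode 0600, and is a dpkg statoverride registered for it?) as a small POSIX sh script. This is an added example, not code from the bug report or from the mt-daapd package; it only assumes that `dpkg-statoverride --list PATH` is available on a Debian system, and it demonstrates on a constructed temporary file so it runs anywhere.

```shell
#!/bin/sh
# Added example, not part of the bug report or the mt-daapd package.
# Checks whether a config file that is supposed to be mode 0600 can be
# read by group or others, and shows the registered dpkg statoverride
# for it where dpkg is present.

# Return 0 if the file is accessible only by its owner, 1 otherwise.
# Parses ls -ld output so it works on both GNU and BSD userlands.
owner_only() {
    perms=$(ls -ld "$1" | cut -c2-10)          # e.g. rw-r--r--
    group_other=$(printf '%s' "$perms" | cut -c4-9)
    case "$group_other" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the statoverride registered for a path, if dpkg is available.
show_statoverride() {
    if command -v dpkg-statoverride >/dev/null 2>&1; then
        dpkg-statoverride --list "$1" \
            || echo "no statoverride registered for $1"
    else
        echo "dpkg-statoverride not available on this system"
    fi
}

# Report on one config file: permission bits plus statoverride status.
check_config() {
    if owner_only "$1"; then
        echo "OK: $1 is readable only by its owner"
    else
        echo "WARNING: $1 is readable by group or others: $(ls -ld "$1")"
    fi
    show_statoverride "$1"
}

# Demonstration on a constructed temporary file (not a real config):
# first world-readable as a careless editor might leave it, then 0600.
demo() {
    tmp=$(mktemp)
    chmod 0644 "$tmp"; check_config "$tmp"
    chmod 0600 "$tmp"; check_config "$tmp"
    rm -f "$tmp"
}

# Usage: ./check-conf.sh /etc/mt-daapd.conf   (no argument runs the demo)
if [ "$#" -gt 0 ]; then
    for f in "$@"; do check_config "$f"; done
else
    demo
fi
```

On a Debian system `dpkg-statoverride --list /etc/mt-daapd.conf` should print the override the postinst registered (owner, group and mode 600); if the file shows up as 0644 while the override is present, something rewrote the file after installation, which is exactly the careless-editor case the maintainer describes.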


