Package: xmms2-core
Version: 0.7DrNo+dfsg-2
Severity: grave

I've chosen the severity `grave' as it is suggested for issues that
could "introduce a security hole allowing access to the accounts of
users who use the package"
http://www.debian.org/Bugs/Developer#severities

Details:

- in the default configuration, xmms2d is secured using UNIX domain
sockets; this is reasonably secure

- however, users may be tempted to enable TCP mode, which has no
security at all

- the manual (easily found by Google) provides easy instructions to
enable TCP mode, but no warnings about security consequences
http://xmms2.org/wiki/Using_the_application

Security risks:

- any user with TCP connectivity can connect to the daemon, without
authenticating themselves

- once connected, a user is able to browse the entire filesystem of the
host running xmms2d.  They are browsing the filesystem using the
privileges of the user who started the xmms2d process.  This can be
verified by connecting with the client app `promoe', clicking the menu
and clicking `Server-side browser'

Suggestions for the package:

- put warnings in the online documentation and add a readme file with a
security warning

- document some strategies for using it securely on a network

- add some security mechanism (e.g. digest-based authentication)

- run in chroot by default

- add a whitelist for server-side file browsing

Suggestions for end users wanting to enable TCP networked operation:

- set up a chroot (or even a dedicated virtual machine) environment to
run xmms2d

- set up a dedicated user account with limited access, and run the
process as that user

- listen on localhost only (configure the socket as tcp://127.0.0.1:port
and not tcp://0.0.0.0:port) and expect network users to ssh to the
machine and run the client binary on the same machine, thereby denying
access to any user who can't log in to the box anyway
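
The following is an added example, not part of this bug report or of the xmms2
project, showing how an end user who has followed the suggestions above can
check the result: one function classifies an ipcsocket URL as local-only
(UNIX socket, or TCP bound to a loopback address) and another scans an
`ss -ltn`-style listener table for the daemon's port bound to anything other
than loopback.  It assumes the config property is named core.ipcsocket and
uses the conventional port 9667; the ss(8) output below is constructed.

```shell
#!/bin/sh
# Added example (not the bug report's or xmms2's own code): audit an xmms2d
# ipcsocket setting and a listener table for network-exposed TCP binds.
# Assumptions: property name core.ipcsocket, port 9667; ss(8) lines constructed.

# Return 0 if a core.ipcsocket URL exposes nothing to the network:
# a UNIX domain socket, or TCP bound only to a loopback address.
ipcsocket_is_local() {
  case "$1" in
    unix://*) return 0 ;;
    tcp://127.*) return 0 ;;
    "tcp://localhost:"*) return 0 ;;
    "tcp://[::1]:"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if no TCP listener on port $2 in the `ss -ltn`-style listing $1 is
# bound to a non-loopback address (0.0.0.0, *, [::], or a real interface).
# On a live system pass "$(ss -ltn)" as $1.
no_network_listener() {
  listing=$1
  port=$2
  printf '%s\n' "$listing" | awk -v port="$port" '
    $1 == "LISTEN" {
      la = $4                                   # Local Address:Port column
      n = split(la, f, ":"); p = f[n]           # port is after the last colon
      addr = substr(la, 1, length(la) - length(p) - 1)
      if (p == port && addr != "127.0.0.1" && addr != "[::1]") bad++
    }
    END { exit (bad > 0) ? 1 : 0 }'
}

# Constructed ss -ltn output: one safe (loopback) and one unsafe (wildcard) bind.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:9667      0.0.0.0:*
LISTEN 0      128    0.0.0.0:9667        0.0.0.0:*'

# Constructed ss -ltn output where xmms2d listens on loopback only.
SAMPLE_LOCAL='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:9667      0.0.0.0:*'

# Demonstration: classify a few candidate core.ipcsocket values.
for url in unix:///tmp/xmms-ipc-alice tcp://127.0.0.1:9667 tcp://0.0.0.0:9667; do
  if ipcsocket_is_local "$url"; then
    echo "ok      $url"
  else
    echo "UNSAFE  $url (reachable by any host with TCP connectivity)"
  fi
done

if no_network_listener "$SAMPLE_SS" 9667; then
  echo "port 9667: loopback only"
else
  echo "port 9667: bound to a non-loopback address, fix core.ipcsocket"
fi
```

Set the property with `xmms2 server config core.ipcsocket tcp://127.0.0.1:9667`
(or edit xmms2.conf), restart xmms2d, and then run the listener check against
the real `ss -ltn` output; the wildcard bind in the sample is exactly what an
unmodified tcp://0.0.0.0:port setting produces.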

--
_______________________________________________
Xmms2-devel mailing list
Xmms2-devel@lists.xmms.se
http://lists.xmms.se/cgi-bin/mailman/listinfo/xmms2-devel