FS#22130 - [mediatomb] default configuration of MediaTomb exposes filesystem to network

Attached to Project: Community Packages
Opened by Dietrich Epp (depp1) - Friday, 17 December 2010, 15:40 GMT
Last edited by Jonathan Conder (PirateJonno) - Monday, 27 December 2010, 00:48 GMT
Task Type: Bug Report
Category: Upstream Bugs
Status: Closed
Assigned To: Jonathan Conder (PirateJonno)
Architecture: x86_64
Severity: Critical
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

Description:

Installed MediaTomb per instructions on the wiki. Default configuration leaves entire file system accessible to anyone on the network. Granted, this only includes files accessible by all, but these files should not be readable to people that do not have system accounts.

According to bug reporting guidelines, since this is an "exploitable security issue in either a core or outward-facing service package", it is marked critical. I wouldn't mind if the package were in AUR, but I'd expect packages in community not to expose my filesystem to everyone on the network.

Additional info:

Package version is mediatomb 0.12.1-2

Steps to reproduce:

1. Install mediatomb: "pacman -S mediatomb"
2. Make missing config directory (unrelated bug): "mkdir /var/lib/mediatomb/.mediatomb"
3. Run mediatomb: "/etc/rc.d/mediatomb start" (Note: this creates a default configuration file. You can view it at "/var/lib/mediatomb/.mediatomb/config.xml".)
4. From another computer, open port 50500 in a web browser
5. Select "Filesystem" > "etc", click on the "+" next to the "passwd" file.
6. Select "Database" > "PC Directory" > "etc", click on "passwd"

You have now downloaded the "/etc/passwd" file. Thank goodness for shadow passwords.

Closed by Jonathan Conder (PirateJonno)
Monday, 27 December 2010, 00:48 GMT
Reason for closing: None
Additional comments about closing: Added a warning for the security-conscious
Comment by Jonathan Conder (PirateJonno) - Monday, 20 December 2010, 02:59 GMT
I didn't create the .mediatomb directory in the package because I expected Arch users to set up their own configuration. I guess it couldn't hurt to have a more secure default config though. My preference is probably just to disable the "PC Directory" folder. Do you have any other suggestions?
Comment by Jonathan Conder (PirateJonno) - Wednesday, 22 December 2010, 02:45 GMT
Actually it looks like there's no way to disable the PC Directory on the web interface. You'll have to report this upstream I'm afraid. I would disable the web interface entirely but it seems that people use it to import their media (I don't personally but like I said before people should choose their own setup). There is an "accounts" feature but it wouldn't improve security if the username and password were part of the package.
Comment by Dietrich Epp (depp1) - Sunday, 26 December 2010, 11:30 GMT
  • Field changed: Percent Complete (100% → 0%)
If the bug can't be fixed, it shouldn't be in the community repository. Move it to AUR where users are expected to treat packages with caution. This is a huge gaping security flaw you can drive a bus through.
Comment by Andrea Scarpino (BaSh) - Sunday, 26 December 2010, 11:31 GMT
@PirateJonno
I don't agree with depp1, but IMHO you should add a post_install/post_upgrade message that tells people to fix their configs.
Comment by Jonathan Conder (PirateJonno) - Sunday, 26 December 2010, 12:03 GMT
@depp1: The bug can be fixed, but not without a little effort from an interested party. I don't see this as a serious security flaw. I don't know why anyone would run mediatomb on an untrusted network, but even if they did there isn't really much to exploit. Sure, someone might learn some usernames, but why bother when the root user is enabled by default?

@BaSh: Fair enough. I think instead I will disable the web interface by default and have a message to tell people to enable with care.
Comment by Jonathan Conder (PirateJonno) - Sunday, 26 December 2010, 12:45 GMT
Actually, even that isn't really feasible. Securing the default configuration might lull people into a false sense of security when running mediatomb as a normal user (rather than nobody), for which the generated configuration will not be secure. Ideally the web interface would be off by default there, so a patch is welcome, but I doubt it would be accepted upstream. Indeed, they mention this security issue in the documentation but don't seem to care. Anyway, I think I'll just stick with a message.
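
A defensive check for the condition discussed in this report, as an added example that is not part of the original thread or of the mediatomb package: it parses a config.xml and reports when the web UI is on without account login. The element and attribute names (`server`, `ui`, `accounts`, `account`, `enabled`, `user`, `password`) are assumed from MediaTomb's config.xml layout, which the thread does not show, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not copied from the package): web UI on, accounts off.
SAMPLE_CONFIG = """<config version="1" xmlns="http://mediatomb.cc/config/1">
  <server>
    <ui enabled="yes">
      <accounts enabled="no" session-timeout="30">
        <account user="mediatomb" password="mediatomb"/>
      </accounts>
    </ui>
    <name>MediaTomb</name>
  </server>
</config>
"""

def _local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _find(parent, name):
    """First direct child with the given local name, or None."""
    if parent is None:
        return None
    return next((c for c in parent if _local(c.tag) == name), None)

def audit_mediatomb_config(xml_text):
    """Return a list of findings for the web UI section of config.xml."""
    root = ET.fromstring(xml_text)
    ui = _find(_find(root, "server"), "ui")
    # Conservative: only an explicit enabled="no" counts as "UI off".
    if ui is not None and ui.get("enabled") == "no":
        return []
    findings = ["web UI enabled: filesystem browser reachable over the network"]
    accounts = _find(ui, "accounts")
    # Conservative: only an explicit enabled="yes" counts as "login required".
    if accounts is None or accounts.get("enabled") != "yes":
        findings.append("accounts disabled: web UI needs no login")
        return findings
    for acct in (c for c in accounts if _local(c.tag) == "account"):
        user, pw = acct.get("user", ""), acct.get("password", "")
        # Heuristic: empty or username-equals-password credentials are weak.
        if not pw or pw == user:
            findings.append(f"weak credential for account {user!r}")
    return findings

if __name__ == "__main__":
    for finding in audit_mediatomb_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run it against the generated file (the report gives its path as /var/lib/mediatomb/.mediatomb/config.xml) by passing the file's contents to `audit_mediatomb_config`.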
