Bug#652914: security concerns with xmms2d

2012-03-03 Thread Simon McVittie
severity 652914 normal
retitle 652914 should document how to not run xmms2d insecurely
thanks

> - in the default configuration, xmms2d is secured using UNIX domain
> sockets, this is reasonably secure
>
> - however, users may be tempted to enable TCP mode, which has no
> security at all

The existence of inadvisable configurations is not, in itself, a
release-critical bug (confirmed by release team members on IRC).
Downgrading this to a non-RC severity.

> - the manual (easily found by Google) provides easy instructions to
> enable TCP mode, but no warnings about security consequences
> http://xmms2.org/wiki/Using_the_application

Happily, this appears to be a wiki, so interested users can correct this.

> - put warnings in the online documentation and add a readme file with a
> security warning

Patches welcome, but this is not RC.

Regards,
smcv
at the Cambridge BSP



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Processed: Re: Bug#652914: security concerns with xmms2d

2012-03-03 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 652914 normal
Bug #652914 [xmms2-core] security concerns with xmms2d
Severity set to 'normal' from 'grave'

> retitle 652914 should document how to not run xmms2d insecurely
Bug #652914 [xmms2-core] security concerns with xmms2d
Changed Bug title to 'should document how to not run xmms2d insecurely' from 
'security concerns with xmms2d'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
652914: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652914
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#652914: security concerns with xmms2d

2011-12-22 Thread Daniel Svensson
On Thu, Dec 22, 2011 at 7:01 AM, Daniel Pocock dan...@pocock.com.au wrote:
> However, it is not so obvious that the socket allows people to browse
> the server filesystems - even some more advanced users may find that
> surprising

I agree, if it wasn't for the fact that this is exactly how it works
if you use XMMS2 over a unix socket. But if you would like to
contribute a paragraph to the man page, patches are accepted.

-- 
Daniel Svensson






Bug#652914: security concerns with xmms2d

2011-12-21 Thread Daniel Pocock
Package: xmms2-core
Version: 0.7DrNo+dfsg-2
Severity: grave

I've chosen the severity `grave' as it is suggested for issues that
could introduce a security hole allowing access to the accounts of
users who use the package
http://www.debian.org/Bugs/Developer#severities

Details:

- in the default configuration, xmms2d is secured using UNIX domain
sockets, this is reasonably secure

- however, users may be tempted to enable TCP mode, which has no
security at all

- the manual (easily found by Google) provides easy instructions to
enable TCP mode, but no warnings about security consequences
http://xmms2.org/wiki/Using_the_application

Security risks:

- any user with TCP connectivity can connect to the daemon, without
authenticating themselves

- once connected, a user is able to browse the entire filesystem of the
host running xmms2d.  They are browsing the filesystem using the
privileges of the user who started the xmms2d process.  This can be
verified by connecting with the client app `promoe', clicking the menu
and clicking `Server-side browser'

Suggestions for the package:

- put warnings in the online documentation and add a readme file with a
security warning

- document some strategies for using it securely on a network

- add some security mechanism (e.g. digest-based authentication)

- run in chroot by default

- add a whitelist for server-side file browsing

Suggestions for end users wanting to enable TCP networked operation:

- set up a chroot (or even a dedicated virtual machine) environment to
run xmms2d

- set up a dedicated user account with limited access, and run the
process as that user

- listen on localhost only (configure the socket as tcp://127.0.0.1:port
and not tcp://0.0.0.0:port) and expect network users to ssh to the
machine and run the client binary on the same machine, thereby denying
access to any user who can't log in to the box anyway
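The report's last suggestion comes down to one check: every TCP listener xmms2d is given must be bound to a loopback address, never to a wildcard. The following script is an added example (not from the bug report, the Debian package or the XMMS2 project) that audits such socket settings and flags the exposed ones. It assumes the listen addresses are written as `unix:///path` or `tcp://host:port` URLs, as the report shows, and that several addresses can be joined with `;`; the `ipcsocket` setting name, the `alice` socket path and port 9667 in the samples are constructed values for illustration.

```python
"""Audit xmms2d IPC socket settings for unauthenticated network exposure.

Added example, not part of the bug report. Assumptions (labelled):
- listen addresses are URLs of the form unix:///path or tcp://host:port,
  as the bug report describes;
- several addresses may be joined with ';' (assumed config format);
- the sample values below (socket path, port 9667) are constructed.
"""
from urllib.parse import urlsplit
import ipaddress

# Exposure classes, from least to most exposed.
UNIX = "unix"                  # filesystem permissions on the socket apply
TCP_LOOPBACK = "tcp-loopback"  # only processes on this host can connect
TCP_EXPOSED = "tcp-exposed"    # anyone with TCP connectivity, no auth at all


def classify_socket_url(url: str) -> str:
    """Classify one socket URL into an exposure class.

    Raises ValueError for schemes or hosts it cannot interpret, so a typo
    never silently passes as 'safe'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme == "unix":
        return UNIX
    if parts.scheme != "tcp":
        raise ValueError(f"unknown socket scheme in {url!r}")
    host = parts.hostname  # lowercased; [] stripped from IPv6 literals
    if host is None:
        raise ValueError(f"tcp socket without host in {url!r}")
    if host == "localhost":
        return TCP_LOOPBACK
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Any other DNS name could resolve to a public address: treat it
        # as exposed rather than guessing.
        return TCP_EXPOSED
    # 0.0.0.0 and :: (wildcards) are not loopback, so they land here too.
    return TCP_LOOPBACK if addr.is_loopback else TCP_EXPOSED


def audit_ipcsocket(value: str) -> list[tuple[str, str]]:
    """Split a setting on ';' (assumed separator) and classify each entry."""
    return [(u, classify_socket_url(u)) for u in value.split(";") if u.strip()]


def exposed_sockets(value: str) -> list[str]:
    """Return the entries that accept unauthenticated connections from the network."""
    return [u for u, cls in audit_ipcsocket(value) if cls == TCP_EXPOSED]


# Constructed sample settings: the weak one beside the corrected one.
WEAK = "unix:///tmp/xmms-ipc-alice;tcp://0.0.0.0:9667"
CORRECTED = "unix:///tmp/xmms-ipc-alice;tcp://127.0.0.1:9667"

if __name__ == "__main__":
    for label, setting in (("weak", WEAK), ("corrected", CORRECTED)):
        bad = exposed_sockets(setting)
        verdict = "EXPOSED: " + ", ".join(bad) if bad else "ok (unix or loopback only)"
        print(f"{label:9s} {setting}\n          -> {verdict}")
```

A UNIX socket entry is reported as safe only in the sense the report uses (filesystem permissions gate who can connect); whoever can connect still gets the full server-side browsing the report describes, which is why the loopback-plus-ssh arrangement only helps when every account on the box is trusted with that.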







Bug#652914: security concerns with xmms2d

2011-12-21 Thread Daniel Svensson
On Wed, Dec 21, 2011 at 8:55 PM, Daniel Pocock dan...@pocock.com.au wrote:
> Package: xmms2-core
> Version: 0.7DrNo+dfsg-2
> Severity: grave
>
> I've chosen the severity `grave' as it is suggested for issues that
> could introduce a security hole allowing access to the accounts of
> users who use the package
> http://www.debian.org/Bugs/Developer#severities
>
> Details:
>
> - in the default configuration, xmms2d is secured using UNIX domain
> sockets, this is reasonably secure
>
> - however, users may be tempted to enable TCP mode, which has no
> security at all

Maybe you could add an apt question if the user is a licensed computer driver?

http://en.wikipedia.org/wiki/European_Computer_Driving_Licence

-- 
Daniel Svensson






Bug#652914: security concerns with xmms2d

2011-12-21 Thread Daniel Svensson
On Wed, Dec 21, 2011 at 11:18 PM, Daniel Svensson dsvens...@gmail.com wrote:
> On Wed, Dec 21, 2011 at 8:55 PM, Daniel Pocock dan...@pocock.com.au wrote:
> > Package: xmms2-core
> > Version: 0.7DrNo+dfsg-2
> > Severity: grave
> >
> > I've chosen the severity `grave' as it is suggested for issues that
> > could introduce a security hole allowing access to the accounts of
> > users who use the package
> > http://www.debian.org/Bugs/Developer#severities
> >
> > Details:
> >
> > - in the default configuration, xmms2d is secured using UNIX domain
> > sockets, this is reasonably secure
> >
> > - however, users may be tempted to enable TCP mode, which has no
> > security at all
>
> Maybe you could add an apt question if the user is a licensed computer driver?
>
> http://en.wikipedia.org/wiki/European_Computer_Driving_Licence

A more serious reply... patches accepted for the man page. It would be
totally ok if you want to warn that if you open a socket that has no
authorization whatsoever, any person can connect to it and do the
same thing as you can do.

-- 
Daniel Svensson






Bug#652914: security concerns with xmms2d

2011-12-21 Thread Daniel Pocock


On 21/12/11 23:43, Daniel Svensson wrote:
> On Wed, Dec 21, 2011 at 11:18 PM, Daniel Svensson dsvens...@gmail.com wrote:
> > On Wed, Dec 21, 2011 at 8:55 PM, Daniel Pocock dan...@pocock.com.au wrote:
> > > Package: xmms2-core
> > > Version: 0.7DrNo+dfsg-2
> > > Severity: grave
> > >
> > > I've chosen the severity `grave' as it is suggested for issues that
> > > could introduce a security hole allowing access to the accounts of
> > > users who use the package
> > > http://www.debian.org/Bugs/Developer#severities
> > >
> > > Details:
> > >
> > > - in the default configuration, xmms2d is secured using UNIX domain
> > > sockets, this is reasonably secure
> > >
> > > - however, users may be tempted to enable TCP mode, which has no
> > > security at all
> >
> > Maybe you could add an apt question if the user is a licensed computer
> > driver?
> >
> > http://en.wikipedia.org/wiki/European_Computer_Driving_Licence
>
> A more serious reply... patches accepted for the man page. It would be
> totally ok if you want to warn that if you open a socket that has no
> authorization whatsoever, any person can connect to it and do the
> same thing as you can do.
>

I'm sure it's obvious to most people that the socket allows them to
start and stop things in their playlist

However, it is not so obvious that the socket allows people to browse
the server filesystems - even some more advanced users may find that
surprising

It's also necessary to think about it in the context of the application:
if a debugger or other tool opens a port, you can expect the end user to
be fairly knowledgeable about the consequences.  For a media player
application, there is likely to be a much broader user base with varying
levels of knowledge.



