Debian Bug report logs - #652914
should document how to not run xmms2d insecurely


Package: xmms2-core; Maintainer for xmms2-core is Benjamin Drung <bdrung@debian.org>; Source for xmms2-core is src:xmms2.

Reported by: Daniel Pocock <daniel@pocock.com.au>

Date: Wed, 21 Dec 2011 19:57:02 UTC

Severity: normal

Found in version xmms2/0.7DrNo+dfsg-2



Report forwarded to debian-bugs-dist@lists.debian.org, Benjamin Drung <bdrung@debian.org>:
Bug#652914; Package xmms2-core. (Wed, 21 Dec 2011 19:57:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Pocock <daniel@pocock.com.au>:
New Bug report received and forwarded. Copy sent to Benjamin Drung <bdrung@debian.org>. (Wed, 21 Dec 2011 19:57:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Daniel Pocock <daniel@pocock.com.au>
To: submit@bugs.debian.org
Subject: security concerns with xmms2d
Date: Wed, 21 Dec 2011 20:55:57 +0100
Package: xmms2-core
Version: 0.7DrNo+dfsg-2
Severity: grave

I've chosen the severity `grave' as it is suggested for issues that
could "introduce a security hole allowing access to the accounts of
users who use the package"
http://www.debian.org/Bugs/Developer#severities

Details:

- in the default configuration, xmms2d is secured using UNIX domain
sockets; this is reasonably secure

- however, users may be tempted to enable TCP mode, which has no
security at all

- the manual (easily found by Google) provides easy instructions to
enable TCP mode, but no warnings about security consequences
http://xmms2.org/wiki/Using_the_application

Security risks:

- any user with TCP connectivity can connect to the daemon, without
authenticating themselves

- once connected, a user is able to browse the entire filesystem of the
host running xmms2d.  They are browsing the filesystem using the
privileges of the user who started the xmms2d process.  This can be
verified by connecting with the client app `promoe', clicking the menu
and clicking `Server-side browser'

Suggestions for the package:

- put warnings in the online documentation and add a readme file with a
security warning

- document some strategies for using it securely on a network

- add some security mechanism (e.g. digest-based authentication)

- run in chroot by default

- add a whitelist for server-side file browsing

Suggestions for end users wanting to enable TCP networked operation:

- set up a chroot (or even a dedicated virtual machine) environment to
run xmms2d

- set up a dedicated user account with limited access, and run the
process as that user

- listen on localhost only (configure the socket as tcp://127.0.0.1:port
and not tcp://0.0.0.0:port) and expect network users to ssh to the
machine and run the client binary on the same machine, thereby denying
access to any user who can't log in to the box anyway
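The localhost-only configuration described above can be checked mechanically. The following is an added example, not code from this bug report or from the xmms2 project: a POSIX shell audit that classifies an xmms2d IPC socket URL by exposure (unix://, tcp:// on loopback, tcp:// on a wildcard or routable address) and flags a config file that uses the tcp://0.0.0.0:port form. It assumes, without confirmation from the report, that xmms2d reads its address from a `<property name="ipcsocket">` entry in the "core" section of `~/.config/xmms2/xmms2.conf`, that clients take the same URL from the `XMMS_PATH` environment variable, and that 9667 is the TCP port in use; the sample config, the hostnames `alice@mediabox` and the `xmms2 status` client invocation are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the bug report or the xmms2 project.
# Classifies the xmms2d IPC socket URL by how exposed it is and audits a
# config file for the "tcp://0.0.0.0:port" mistake the report describes.
# Assumptions (not confirmed by the report): xmms2d reads its IPC address
# from a <property name="ipcsocket"> entry in the "core" section of
# ~/.config/xmms2/xmms2.conf, clients take the same URL from XMMS_PATH,
# and 9667 is the TCP port used in the comments below.

# Classify one socket URL. Prints one of:
#   unix          UNIX domain socket; filesystem permissions control access
#   tcp-loopback  TCP bound to 127.0.0.1 or ::1; only local logins reach it
#   tcp-exposed   TCP bound to a wildcard or routable address; there is no
#                 authentication, so anyone who can reach the port browses
#                 the filesystem with the privileges of the xmms2d user
#   unknown       anything else (including an empty value)
classify_ipcsocket() {
    case $1 in
        unix://*)                                      echo unix ;;
        tcp://127.*|tcp://localhost:*|tcp://\[::1\]:*) echo tcp-loopback ;;
        tcp://*)                                       echo tcp-exposed ;;
        *)                                             echo unknown ;;
    esac
}

# Extract the ipcsocket property from an xmms2.conf-style XML file
# (assumed line shape: <property name="ipcsocket">URL</property>).
ipcsocket_from_conf() {
    sed -n 's|.*<property name="ipcsocket">\([^<]*\)</property>.*|\1|p' "$1" | head -n 1
}

# Write a minimal config of the assumed shape. This is a constructed
# sample for demonstration, not a real xmms2 config file.
write_sample_conf() {
    cat > "$1" <<EOF
<?xml version="1.0"?>
<xmms2>
  <section name="core">
    <property name="ipcsocket">$2</property>
  </section>
</xmms2>
EOF
}

# Return 1 (and print a warning) if the config exposes xmms2d on the network.
audit_conf() {
    sock=$(ipcsocket_from_conf "$1")
    kind=$(classify_ipcsocket "$sock")
    case $kind in
        tcp-exposed)
            echo "INSECURE: $sock accepts unauthenticated connections" >&2
            echo "          use tcp://127.0.0.1:PORT or a unix:// socket" >&2
            return 1 ;;
        unknown)
            echo "WARNING: no recognised ipcsocket in $1 (found: '$sock')" >&2
            return 1 ;;
        *)
            echo "ok ($kind): $sock"
            return 0 ;;
    esac
}

# Reaching a loopback-only daemon from another machine, as the report
# suggests: log in with ssh and run the client on the same host, e.g.
#   ssh alice@mediabox 'XMMS_PATH=tcp://127.0.0.1:9667 xmms2 status'
# or forward the port so a local client can use it; access control is the
# same, since it still requires an ssh login to mediabox:
#   ssh -L 9667:127.0.0.1:9667 alice@mediabox
#   XMMS_PATH=tcp://127.0.0.1:9667 xmms2 status

# Usage: sh xmms2d-audit.sh ~/.config/xmms2/xmms2.conf
if [ $# -gt 0 ]; then
    audit_conf "$1"
fi
```

The classifier treats any tcp:// address other than loopback as exposed, including a single routable interface address: binding to one address only narrows which network can reach the daemon, it adds no authentication, and the report's point is that every connecting party gets the xmms2d user's view of the filesystem.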





Information forwarded to debian-bugs-dist@lists.debian.org, Benjamin Drung <bdrung@debian.org>:
Bug#652914; Package xmms2-core. (Wed, 21 Dec 2011 22:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Svensson <dsvensson@gmail.com>:
Extra info received and forwarded to list. Copy sent to Benjamin Drung <bdrung@debian.org>. (Wed, 21 Dec 2011 22:21:03 GMT) Full text and rfc822 format available.

Message #10 received at submit@bugs.debian.org (full text, mbox):

From: Daniel Svensson <dsvensson@gmail.com>
To: Daniel Pocock <daniel@pocock.com.au>, 652914@bugs.debian.org
Cc: submit@bugs.debian.org
Subject: Re: Bug#652914: security concerns with xmms2d
Date: Wed, 21 Dec 2011 23:18:00 +0100
On Wed, Dec 21, 2011 at 8:55 PM, Daniel Pocock <daniel@pocock.com.au> wrote:
> Package: xmms2-core
> Version: 0.7DrNo+dfsg-2
> Severity: grave
>
> I've chosen the severity `grave' as it is suggested for issues that
> could "introduce a security hole allowing access to the accounts of
> users who use the package"
> http://www.debian.org/Bugs/Developer#severities
>
> Details:
>
> - in the default configuration, xmms2d is secured using UNIX domain
> sockets, this is reasonably secure
>
> - however, users may be tempted to enable TCP mode, which has no
> security at all

Maybe you could add an apt question if the user is a licensed computer driver?

http://en.wikipedia.org/wiki/European_Computer_Driving_Licence

-- 
Daniel Svensson




Information forwarded to debian-bugs-dist@lists.debian.org, Benjamin Drung <bdrung@debian.org>:
Bug#652914; Package xmms2-core. (Wed, 21 Dec 2011 22:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Svensson <dsvensson@gmail.com>:
Extra info received and forwarded to list. Copy sent to Benjamin Drung <bdrung@debian.org>. (Wed, 21 Dec 2011 22:45:03 GMT) Full text and rfc822 format available.

Message #20 received at submit@bugs.debian.org (full text, mbox):

From: Daniel Svensson <dsvensson@gmail.com>
To: Daniel Pocock <daniel@pocock.com.au>, 652914@bugs.debian.org
Cc: submit@bugs.debian.org
Subject: Re: Bug#652914: security concerns with xmms2d
Date: Wed, 21 Dec 2011 23:43:31 +0100
On Wed, Dec 21, 2011 at 11:18 PM, Daniel Svensson <dsvensson@gmail.com> wrote:
> On Wed, Dec 21, 2011 at 8:55 PM, Daniel Pocock <daniel@pocock.com.au> wrote:
>> Package: xmms2-core
>> Version: 0.7DrNo+dfsg-2
>> Severity: grave
>>
>> I've chosen the severity `grave' as it is suggested for issues that
>> could "introduce a security hole allowing access to the accounts of
>> users who use the package"
>> http://www.debian.org/Bugs/Developer#severities
>>
>> Details:
>>
>> - in the default configuration, xmms2d is secured using UNIX domain
>> sockets, this is reasonably secure
>>
>> - however, users may be tempted to enable TCP mode, which has no
>> security at all
>
> Maybe you could add an apt question if the user is a licensed computer driver?
>
> http://en.wikipedia.org/wiki/European_Computer_Driving_Licence

A more serious reply... patches accepted for the man page. It would be
totally ok if you want to warn that if you open a socket that has no
authorization whatsoever, any person can connect to it and do the
same thing as you can do.

-- 
Daniel Svensson




Information forwarded to debian-bugs-dist@lists.debian.org, Benjamin Drung <bdrung@debian.org>:
Bug#652914; Package xmms2-core. (Thu, 22 Dec 2011 06:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Pocock <daniel@pocock.com.au>:
Extra info received and forwarded to list. Copy sent to Benjamin Drung <bdrung@debian.org>. (Thu, 22 Dec 2011 06:03:03 GMT) Full text and rfc822 format available.

Message #30 received at submit@bugs.debian.org (full text, mbox):

From: Daniel Pocock <daniel@pocock.com.au>
To: Daniel Svensson <dsvensson@gmail.com>
Cc: 652914@bugs.debian.org, submit@bugs.debian.org
Subject: Re: Bug#652914: security concerns with xmms2d
Date: Thu, 22 Dec 2011 07:01:01 +0100

On 21/12/11 23:43, Daniel Svensson wrote:
> On Wed, Dec 21, 2011 at 11:18 PM, Daniel Svensson <dsvensson@gmail.com> wrote:
>> On Wed, Dec 21, 2011 at 8:55 PM, Daniel Pocock <daniel@pocock.com.au> wrote:
>>> Package: xmms2-core
>>> Version: 0.7DrNo+dfsg-2
>>> Severity: grave
>>>
>>> I've chosen the severity `grave' as it is suggested for issues that
>>> could "introduce a security hole allowing access to the accounts of
>>> users who use the package"
>>> http://www.debian.org/Bugs/Developer#severities
>>>
>>> Details:
>>>
>>> - in the default configuration, xmms2d is secured using UNIX domain
>>> sockets, this is reasonably secure
>>>
>>> - however, users may be tempted to enable TCP mode, which has no
>>> security at all
>>
>> Maybe you could add an apt question if the user is a licensed computer driver?
>>
>> http://en.wikipedia.org/wiki/European_Computer_Driving_Licence
> 
> A more serious reply... patches accepted for the man page. It would be
> totally ok if you want to warn that if you open a socket that has no
> authorization what so ever, any person can connect to it and do the
> same thing as you can do.
> 

I'm sure it's obvious to most people that the socket allows them to
start and stop things in their playlist

However, it is not so obvious that the socket allows people to browse
the server filesystems - even some more advanced users may find that
surprising

It's also necessary to think about it in the context of the application:
if a debugger or other tool opens a port, you can expect the end user to
be fairly knowledgeable about the consequences.  For a media player
application, there is likely to be a much broader user base with varying
levels of knowledge.





Information forwarded to debian-bugs-dist@lists.debian.org, Benjamin Drung <bdrung@debian.org>:
Bug#652914; Package xmms2-core. (Thu, 22 Dec 2011 21:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Svensson <dsvensson@gmail.com>:
Extra info received and forwarded to list. Copy sent to Benjamin Drung <bdrung@debian.org>. (Thu, 22 Dec 2011 21:00:03 GMT) Full text and rfc822 format available.

Message #40 received at submit@bugs.debian.org (full text, mbox):

From: Daniel Svensson <dsvensson@gmail.com>
To: Daniel Pocock <daniel@pocock.com.au>
Cc: 652914@bugs.debian.org, submit@bugs.debian.org
Subject: Re: Bug#652914: security concerns with xmms2d
Date: Thu, 22 Dec 2011 21:56:07 +0100
On Thu, Dec 22, 2011 at 7:01 AM, Daniel Pocock <daniel@pocock.com.au> wrote:
> However, it is not so obvious that the socket allows people to browse
> the server filesystems - even some more advanced users may find that
> surprising

I agree, if it wasn't for the fact that this is exactly how it works
if you use XMMS2 over a unix socket. But if you would like to
contribute a paragraph to the man page, patches are accepted.

-- 
Daniel Svensson




Information forwarded to debian-bugs-dist@lists.debian.org, Benjamin Drung <bdrung@debian.org>:
Bug#652914; Package xmms2-core. (Sat, 03 Mar 2012 21:33:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Benjamin Drung <bdrung@debian.org>. (Sat, 03 Mar 2012 21:33:05 GMT) Full text and rfc822 format available.

Message #50 received at 652914@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: Daniel Pocock <daniel@pocock.com.au>, 652914@bugs.debian.org
Subject: Re: Bug#652914: security concerns with xmms2d
Date: Sat, 3 Mar 2012 21:30:25 +0000
severity 652914 normal
retitle 652914 should document how to not run xmms2d insecurely
thanks

> - in the default configuration, xmms2d is secured using UNIX domain
> sockets, this is reasonably secure
> 
> - however, users may be tempted to enable TCP mode, which has no
> security at all

The existence of inadvisable configurations is not, in itself, a
release-critical bug (confirmed by release team members on IRC).
Downgrading this to a non-RC severity.

> - the manual (easily found by Google) provides easy instructions to
> enable TCP mode, but no warnings about security consequences
> http://xmms2.org/wiki/Using_the_application

Happily, this appears to be a wiki, so interested users can correct this.

> - put warnings in the online documentation and add a readme file with a
> security warning

Patches welcome, but this is not RC.

Regards,
    smcv
    at the Cambridge BSP




Severity set to 'normal' from 'grave' Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Sat, 03 Mar 2012 21:33:11 GMT) Full text and rfc822 format available.

Changed Bug title to 'should document how to not run xmms2d insecurely' from 'security concerns with xmms2d' Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Sat, 03 Mar 2012 21:33:12 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 20:24:50 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.