
How to make the web-based Configuration page *configurable*?


This topic contains 1 reply, has 2 voices, and was last updated by  rpedde 10 years, 10 months ago.

    #931

    davy_gravy
    Participant

    When I first installed 1450 or 1463 (in Debian Sarge/Freelink on a Linkstation HG), I noticed that the web Config page (which looks great) wasn’t configurable – i.e. I didn’t have rights/perms to edit it (read-only).

    So I did

    chmod 777 mt-daapd.conf

    and now it works great… Anyone out there know a better setting/more secure way than using 777?

    I don’t really suspect that deviant subversive lemmings are going to commandeer my Firefly server in order to achieve world-wide rodent domination (or any other weirding hacking/takeover/conspiracy), but I really do realize that there must be a more secure way to do this – and I don’t know what it is…

    I did a search of the forum for “chmod”, and read a post on this same topic… a reader replied to use

    chmod a+rwx /etc/mt-daapd.conf

    Is this preferable to the above 777 method? They look like they should be roughly equivalent: 777 = everyone can read, write and execute vs. a+rwx = add read, write & execute perms for all users.

    Does this introduce a security flaw? Acceptable? Thanks in advance.

    #8146

    rpedde
    Participant

    @davy_gravy wrote:

    and now it works great… Anyone out there know a better setting/more secure way than using 777?

    Probably the “right” way to do it would be to make a mt-daapd user, and chown the file to that user, and set permissions to 600. Then use stunnel to set up an SSL wrapper around the web admin.

    Slightly less secure would be to keep running it as “guest” or “nobody” or whoever it’s running as now (so long as it’s not running as a privileged user or root), and set the config file to 600, running with stunnel. (If someone compromised another application running as nobody, they could read the config file, get the password, and change your server config.)

    Next would be not bothering to run it under a stunnel under the theory that either nobody is sniffing your traffic, or you don’t care if some crazy rogue changes your music server settings.

    So there you go. I basically use the last setting. Chown the config file to nobody and chmod it to 600.

    World readable is a little crazy, imho, but if it’s not a multi-user system, it probably doesn’t much matter.
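The dedicated-user-plus-mode-600 setup rpedde describes, written out as an added example that is not part of this thread or of Firefly itself. The config path, the `mt-daapd` account name and the `useradd` flags are assumptions for a Debian-style box; the two check functions flag the 777 / a+rwx modes from the first post, and `harden_config` needs root.

```shell
#!/bin/sh
# Assumed defaults; override with CONF=... SVC_USER=... when running.
CONF=${CONF:-/etc/mt-daapd.conf}
SVC_USER=${SVC_USER:-mt-daapd}

# Print the octal permission mode of a file (GNU stat first, BSD stat as fallback).
conf_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null
}

# True when the file is owner-only (mode 600): the daemon can read and rewrite
# it, and no other local account can read the admin password out of it.
config_is_private() {
  m=$(conf_mode "$1") || return 1
  [ "$m" = "600" ]
}

# True when any group/other bit is set (the 777 and a+rwx cases in the thread):
# every local account could read the password or rewrite the server config.
config_is_world_accessible() {
  m=$(conf_mode "$1") || return 1
  [ "${m#${m%??}}" != "00" ]   # look at the last two octal digits only
}

# Apply the recommended setting: a dedicated unprivileged account owns the file
# with mode 600. The daemon must then run as $SVC_USER so the web admin page
# can still write the file. (Assumed useradd flags: -r system account, -M no
# home directory, -s no login shell.)
harden_config() {   # harden_config FILE USER
  f=$1; u=$2
  id "$u" >/dev/null 2>&1 || useradd -r -M -s /bin/false "$u"
  chown "$u" "$f" && chmod 600 "$f"
}

# Stand-alone run: report on the live config if it exists, fix it when asked.
if [ -e "$CONF" ]; then
  if config_is_world_accessible "$CONF"; then
    echo "WARNING: $CONF mode $(conf_mode "$CONF") is readable by other users"
    [ "$1" = "--fix" ] && harden_config "$CONF" "$SVC_USER"
  elif config_is_private "$CONF"; then
    echo "$CONF is mode 600, owned by $(stat -c '%U' "$CONF" 2>/dev/null)"
  fi
fi
```

Run it without arguments to audit the file, or with `--fix` as root to chown it to the service account and drop the mode to 600.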

