PLEX permissions - access to EVERY QNAP FILE?! REALLY?
-
- Starting out
- Posts: 19
- Joined: Sat Nov 04, 2017 3:44 pm
PLEX permissions - access to EVERY QNAP FILE?! REALLY?
Dear All,
I've started the official PLEX APP from the desktop shortcut. New tab opened and I've been asked to configure the media library. While trying to find the actual Multimedia folder on my QNAP, I discovered that it is possible to access every user's file from the PLEX level, also the homes directory, e.g. under /share/CE_CACHEDEV1_DATA/homes/ !!!
Something is definitely not right here! How is this possible that such an ordinary media app overrides previously set user rights?!?!
Best regards,
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: PLEX permissions - access to EVERY QNAP FILE?! REALLY?
the qnap apps run with admin permissions ... that is sadly the way it is ..
you could always run plex in a container and then only grant access to certain folders(shares)
-
- Starting out
- Posts: 19
- Joined: Sat Nov 04, 2017 3:44 pm
Re: PLEX permissions - access to EVERY QNAP FILE?! REALLY?
dolbyman wrote:
the qnap apps run with admin permissions ... that is sadly the way it is ..
you could always run plex in a container and then only grant access to certain folders(shares)

I guess there are not enough "warnings" in the help/manuals and one may not know that his private documents in home folder are visible to anyone using any application or even applications inside HD Station!!!
How to limit these privileges for apps? Containers seem to be way too complicated to configure (to have a functional video player connected directly to TV via HDMI).
Regards,
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: PLEX permissions - access to EVERY QNAP FILE?! REALLY?
complain to qnap that all hdstation apps run with admin permissions
you can always use an external player ...
- moody_blue
- Easy as a breeze
- Posts: 266
- Joined: Tue Jan 10, 2017 9:23 am
Re: PLEX permissions - access to EVERY QNAP FILE?! REALLY?
Plex's admin user is the only one allowed to create libraries when the server is in claimed status.
QNAP TS-253A 8G QTS 5.0.1.2145
Plex Media Server 1.29.0.6209
OpenHAB 3.4.0.M2
Unifi 7.2.92
Apache80 2454.8230
GLPI 10.0.3
-
- Starting out
- Posts: 19
- Joined: Sat Nov 04, 2017 3:44 pm
Re: PLEX permissions - access to EVERY QNAP FILE?! REALLY?
moody_blue wrote:
Plex's admin user is the only one allowed to create libraries when the server is in claimed status.

I'm not sure if only PLEX...
The same can be done from the Chrome browser or even the Clementine player, both inside the HD STATION.
Security level = ZERO!
Ticket has been already issued.
Best regards,
- schumaku
- Guru
- Posts: 43578
- Joined: Mon Jan 21, 2008 4:41 pm
- Location: Kloten (Zurich), Switzerland -- Skype: schumaku
- Contact:
Re: PLEX permissions - access to EVERY QNAP FILE?! REALLY?
wampajer wrote:
I'm not sure if only PLEX...
The same can be done from the Chrome browser or even the Clementine player, both inside the HD STATION.

...as it was already mentioned...

dolbyman wrote:
the qnap apps run with admin permissions ... that is sadly the way it is ..

...all Apps on the HD Station.

wampajer wrote:
Security level = ZERO!

QNAP's argumentation is that if you have physical access to the device.
-
- Starting out
- Posts: 19
- Joined: Sat Nov 04, 2017 3:44 pm
Re: PLEX permissions - access to EVERY QNAP FILE?! REALLY?
schumaku wrote:
QNAP's argumentation is that if you have physical access to the device.

That's insane! There are many devices which are still properly protected even if you have physical access to them (e.g. encrypted laptop).
What if QNAP gets stolen? Right now it can be hacked by HDMI and TV! What's the point of encryption, passwords, etc.?!
Regards,
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: PLEX permissions - access to EVERY QNAP FILE?! REALLY?
well if you encrypt it without storing the password on the NAS, you would have to reenter the password after power loss, so no access to your files even with HDMI access
-
- Starting out
- Posts: 19
- Joined: Sat Nov 04, 2017 3:44 pm
Re: PLEX permissions - access to EVERY QNAP FILE?! REALLY?
dolbyman wrote:
well if you encrypt it without storing the password on the NAS, you would have to reenter the password after power loss, so no access to your files even with HDMI access

Oh yeah, so that's the main purpose of HDMI on QNAP! Hacking!
It was probably designed for watching videos, but this does not work as expected (screen tearing, Vsync problem - reported, but still unsolved!).
Anyone would like to purchase my mint TS253A-8G, dated 2017.10?
I think I've had enough during last few months...
Regards,
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: PLEX permissions - access to EVERY QNAP FILE?! REALLY?
huh?
I just said if you encrypt your drives and someone steals it they CANNOT access your files.
Alternatively, ditch the NAS as a player (use it as a NAS) and leverage an external player instead.. as you just said .. qnap is not a great playback device anyways (screen tearing, wonky hardware decoding,etc)
-
- Starting out
- Posts: 19
- Joined: Sat Nov 04, 2017 3:44 pm
Re: PLEX permissions - access to EVERY QNAP FILE?! QNAP does not feel obliged to fix it!
Dear All,
I just got a reply from QNAP helpdesk that this is a feature, not a bug, and that they are not going to fix this serious security flaw at all!!!
That's truly unbelievable and unprecedented! It's a serious discredit of the QNAP manufacturer who does not feel obliged to provide the required minimum security level.
As a consequence, termination letter was issued to the seller and I'm returning my TS-253A 8G.
I hope that the reseller will take care of suitable anti-advertising process!
Best regards,
-
- New here
- Posts: 3
- Joined: Wed Mar 23, 2016 1:37 am
Re: PLEX permissions - access to EVERY QNAP FILE?! REALLY?
Any update on this topic?
Synology users already have a fix for this, Plex creates a Plex user which you can assign file privileges.
/P
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: PLEX permissions - access to EVERY QNAP FILE?! REALLY?
Run Plex in a container or VM...fixed
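The container suggestion made in the replies above only helps if the container's bind mounts are actually limited to the media share. The following check is an added example, not part of the thread or of any QNAP or Plex tooling: it audits the `Mounts` section of `docker inspect` output against an allowlist. The container names and the Multimedia share path are assumptions; the homes path is the one quoted in the first post.

```python
import json
from pathlib import PurePosixPath

# Constructed sample in the shape of `docker inspect` output (a list of containers,
# each with a "Mounts" array). Container names and the Multimedia share path are
# assumptions; the homes path is the one quoted in the thread.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/plex-scoped", "Mounts": [
        {"Type": "bind", "Source": "/share/CE_CACHEDEV1_DATA/Multimedia",
         "Destination": "/data", "RW": False},
        {"Type": "volume", "Source": "/var/lib/docker/volumes/plexcfg/_data",
         "Destination": "/config", "RW": True}]},
    {"Name": "/plex-wide", "Mounts": [
        {"Type": "bind", "Source": "/share/CE_CACHEDEV1_DATA",
         "Destination": "/data", "RW": True}]},
])
ALLOWED = ["/share/CE_CACHEDEV1_DATA/Multimedia"]   # shares the media app may see
PROTECTED = ["/share/CE_CACHEDEV1_DATA/homes"]      # must never be reachable


def _within(path, root):
    """True if path equals root or lies below it (by path component, not string prefix)."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def audit_mounts(inspect_json, allowed=ALLOWED, protected=PROTECTED):
    """Return (container, host_path, reason) for every bind mount that is too broad."""
    findings = []
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")
        for m in container.get("Mounts", []):
            if m.get("Type") != "bind":
                continue  # named volumes are not host shares
            src = m["Source"]
            for prot in protected:
                # Exposed if the mount is inside the protected dir or is a parent of it.
                if _within(src, prot) or _within(prot, src):
                    findings.append((name, src, f"exposes {prot}"))
            if not any(_within(src, a) for a in allowed):
                findings.append((name, src, "outside allowed shares"))
            elif m.get("RW", True):
                findings.append((name, src, "allowed share mounted read-write"))
    return findings


if __name__ == "__main__":
    for finding in audit_mounts(SAMPLE_INSPECT):
        print(*finding, sep=" | ")
```

On a real system the input would be the saved output of `docker inspect` for the running containers, with `ALLOWED` and `PROTECTED` adjusted to the local share layout.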
-
- Starting out
- Posts: 19
- Joined: Sat Nov 04, 2017 3:44 pm
Re: PLEX permissions - access to EVERY QNAP FILE?! REALLY?
In my case, where NAS is connected directly to TV via HDMI cable and KODI is running on HDStation - the issue is still clearly there, even with the newest firmware and HDstation upgraded to the latest version!
You can also access every file even more easily if you have Chrome browser installed under HDStation!
It's been two years already! Wake up QNAP TEAM!!!
I'm still not able to use NAS for its primary purpose - file storage, as it does not provide any security level. It's an open barn!!!