PLEX permissions - access to EVERY QNAP FILE?! REALLY?

[wampajer]

Dear All,

I've started the official PLEX APP from the desktop shortcut. New tab opened and I've been asked to configure the media library. While trying to find the actual Multimedia folder on my QNAP, I discovered that it is possible to access every users' file from the PLEX level, also the homes directory, e.g. under /share/CE_CACHEDEV1_DATA/homes/ !!!

Something is definetely not right here! How is this possible that such an ordinary media app overrides previously set user rights?!?!


Best regards,

[dolbyman]

the qnap apps run with admin permissions ... that is sadly the way it is ..

you could aleays run plex in a container and then only granting access to certain folders(shares)

[wampajer]

the qnap apps run with admin permissions ... that is sadly the way it is ..

you could aleays run plex in a container and then only granting access to certain folders(shares)

I guess there are not enough "warnings" in the help/manuals and one may not know that his private documents in home folder are visible to anyone using any application or even applications inside HD Station!!!
How to limit these privileges for apps? Containers seem to be way too complicated to configure (to have a functional video player connected directly to TV via HDMI).

Regards,

[dolbyman]

complain to qnap that all hdstation apps run with admin permissions

you can always use an external player ...

[moody_blue]

Plex's admin user is the only one allowed to create libraries when the server is in claimed status.

[wampajer]

Plex's admin user is the only one allowed to create libraries when the server is in claimed status.

I'm not sure if only PLEX...
The same can be done from the Chrome browser or even the Clementine player, both inside the HD STATION.

Security level = ZERO!

Ticket has been already issued.


Best regards,

[schumaku]

I'm not sure if only PLEX...
The same can be done from the Chrome browser or even the Clementine player, both inside the HD STATION.

...as it was already mentioned...

the qnap apps run with admin permissions ... that is sadly the way it is ..

...all Apps on the HD Station.

Security level = ZERO!

QNAP's argumentation is that if you have physical access to the device.

[wampajer]

QNAP's argumentation is that if you have physical access to the device.

That's insane! There are many devices which are still properly protected even if you have physical access to them (e.g. encrypted laptop).
What if QNAP gets stolen? Right now it can be hacked by HDMI and TV! What's the point of encryption, passwords, etc.?!

Regards,

[dolbyman]

well if you encrypt it without storing the password on the NAS, you would have to reenter the password after power loss, so no access to your files even with HDMI access

[wampajer]

well if you encrypt it without storing the password on the NAS, you would have to reenter the password after power loss, so no access to your files even with HDMI access

Oh yeah, so that's the main purpose of HDMI on QNAP! Hacking!
It was probably designed for watching videos, but this does not work as expected (screen tearing, Vsync problem - reported, but still unsolved!).
Anyone would like to purchase my mint TS253A-8G, dated 2017.10?
I think I've had enough during last few months...


Regards,

[dolbyman]

huh?

I just said if you encrypt your drives and someone steals it they CANNOT access your files.

Alternatively, ditch the NAS as a player (use it as a NAS) and leverage an external player instead.. as you just said .. qnap is not a great playback device anyways (screen tearing, wonky hardware decoding,etc)

[wampajer]

Dear All,

I just got a reply from QNAP helpdesk that this is a feature, not a bug, and that they are not going to fix this serious security flaw at all!!!

That's truly ubelievable an unprecedented! It's a serious discredit of the QNAP manufacturer who does not feel obliged to provide the required minimum security level.
As a consequence, termination letter was issued to the seller and I'm returning my TS-253A 8G.
I hope that the reseller will take care of suitable anti-advertising process!


Best regards,

[paul_ha]

Any update on this topic?

Synology users already have a fix for this, Plex creates a Plex user which you can assign file privileges.

/P

[dolbyman]

Run Plex in a container or VM...fixed

[wampajer]

In my case, where NAS is connected directly to TV via HDMI cable and KODI is running on HDStation - the issue is still clearly there, even with the newest firmware and HDstation upgraded to the latest version!
You can also access every file even more easily if you have Chrome browser installed under HDStation!

It's been two years already! Wake up QNAP TEAM!!!
I'm still not able to use NAS for it's primary purpose - file storage as is does not provide any security level. It's an open barn!!!