Stop letting people browse my porn

This is more of a security hole notification and a security feature request.

  1. Make Sonarr secure by default. Right now the default setting is to leave it open to the world. I haven’t added any specific forwarding rules, so I’m guessing it negotiated with UPnP on its own to open the port it uses to the outside world. Just enable security and pick a random password, please. I can think of half a dozen ways I can use Sonarr to remotely execute code using the default installation. I don’t even have to add my Big Booty Nurses to Sonarr for people to find it. I’m a root directory kind of guy because I want it accessible, but not THAT accessible.

  2. Add a restricted user account, promote current user account to admin. I want to let my friends add series for download and see the calendar, since they all watch stuff off of my plex server. What I don’t want is to give them the ability to walk my hard drive and browse my files, so restricting them from adding folders would be good.

In general it feels like Sonarr needs a security review as well as some simple features to make it even more useful.

Not UPnP, but it will open the port in the Windows Firewall if run by an admin; it won’t open a port in a router/hardware firewall.

Random password? How would we communicate that to people? Would it be forms or basic authentication?

We have already been looking at ways to secure the default installation, but not making it accessible to outside systems really hampers the ability to set it up on a system you don’t have a web browser on (VPS, NAS, etc).

This is already on Github, though we haven’t decided if/how we will do it:

Would love to hear these, please PM me, for obvious reasons.

Random password? How would we communicate that to people? Would it be forms or basic authentication?

What’s the effective difference between basic and form? To a web browsing user it’s basically all the same - are there any other use cases?

How have other products solved this? Plex isn’t externally accessible by default and requires you to set a password when you first access it. We could do the same - no first-time-setup-complete flag, show the admin configuration. It might be this that stops Plex from being externally accessible by default, or it might be something else. Disregard my comment about UPnP, although I’m still surprised that it worked.

This is already on Github, though we haven’t decided if/how we will do it:

Super keen on it, as Sonarr lends itself incredibly well to shared media repositories. I could have just used showrss.info and utorrent, but this lets other people add what they want to watch as well, as they think of it. Kudos on having a responsive UI, by the way.

Would love to hear these, please PM me, for obvious reasons.

Sure thing.

How the password request is presented to the user is a big part of it, but technically Basic auth lends itself to a system passing credentials in programmatically (useful in some cases).

Plex has a similar issue and only allows access from the same LAN by default, which is also not possible when you’re running on a VPS. There are technical ways around this, but that definitely increases the knowledge required to gain access the first time on a VPS. I could make the argument that if you can set up a VPS you can figure that out, but I don’t think it needs to be that complex.

A setup flow is definitely something we want to add, which would take care of this problem (if the user bothered to complete it).

Don’t forget this one!

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.