Gentoo Forums
tonido seems to pass by all security
reup
Guru
Joined: 13 May 2005
Posts: 419
Location: Nederland

PostPosted: Wed Oct 19, 2011 9:39 pm    Post subject: tonido seems to pass by all security

Hello all,

I found something very disturbing today.

I installed tonido from http://www.tonido.com: downloaded the package for Debian, used alien to convert it to a tar.gz and copied the files to /usr as needed.

I then started the server:

Code:
sh /usr/local/tonido/tonido.sh start


To access my new service, I used http://localhost:10001 and created a user and password.
Then I was able to browse, download and listen to music from my entire hard drive. I mean, all of it, from /root, /sbin, /home/anyuser.

It seems that tonido just bypasses all rights, all secure access, just like that.

I have already removed the system from my Gentoo; I don't need this, but I am thinking there is a major risk here. Something is wrong if a service can have and give all access to any user.

I can see it on my remote webserver (Gentoo as well, on OVH): anyone logs in to the service, creates an account and voilà, total access.

Am I missing something? Has anyone some experience with tonido that could shed some light on this?

reup
_________________
reup

"Don't wiggle the tail of the frog in the oil of the frying peanuts"
Veldrin
Veteran
Joined: 27 Jul 2004
Posts: 1945
Location: Zurich, Switzerland

PostPosted: Thu Oct 20, 2011 12:57 am

Without really knowing the program...

Which user was running tonido on your computer? root?
If so, I am not surprised that you were able to access all data.

Just my .02$
V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
reup
Guru
Joined: 13 May 2005
Posts: 419
Location: Nederland

PostPosted: Thu Oct 20, 2011 7:40 am

I see,

I was running tonido as root.

Does it mean that if I have a few users on a headless server, each of them will have to run tonido?

Now that I am reassured, I am going to explore a bit more before asking more questions.

Thanks for the speed of the reply.

reup
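Veldrin's point (a daemon started as root can read every file on the disk) and reup's follow-up about several users on one box can both be checked from a shell. The wrapper below is an added example, not part of this thread and not tonido's own start script: it reports the effective uid a running process has, refuses to launch the daemon as root, and hands off to a named unprivileged account instead. The start-script path and the account name it is given are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from tonido): only ever start a
# file-serving daemon as an unprivileged user, so it can serve no more
# than that user could read anyway.
# Assumption: the start script lives where reup installed it.
TONIDO_SH=${TONIDO_SH:-/usr/local/tonido/tonido.sh}

# Return 0 when the numeric uid in $1 is unprivileged, 1 when it is root (0).
uid_is_unprivileged() {
    [ "$1" -ne 0 ]
}

# Print the effective uid of the process whose PID is $1 (Linux /proc).
# The "Uid:" line lists real, effective, saved and fs uid; field 3 is effective.
process_uid() {
    awk '/^Uid:/ { print $3 }' "/proc/$1/status"
}

# Audit helper for a monitoring check: "ok" if PID $1 runs unprivileged,
# "root" if it is the kind of daemon this thread is about.
audit_pid() {
    if uid_is_unprivileged "$(process_uid "$1")"; then echo ok; else echo root; fi
}

# Start the daemon as account $1. Running as root: drop to that account with
# su. Already that account: just run it. Refuse root and refuse to guess.
start_as_user() {
    user=$1
    uid=$(id -u "$user") || return 1
    if ! uid_is_unprivileged "$uid"; then
        echo "refusing to run $TONIDO_SH as root" >&2
        return 1
    fi
    if [ "$(id -u)" -eq 0 ]; then
        exec su -s /bin/sh "$user" -c "sh '$TONIDO_SH' start"
    elif [ "$(id -u)" -eq "$uid" ]; then
        exec sh "$TONIDO_SH" start
    else
        echo "cannot switch to $user without root" >&2
        return 1
    fi
}
```

Each account that should have its own instance starts it through this wrapper under its own uid; what one instance can show is then bounded by that account's filesystem permissions rather than by the web login.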
All times are GMT