Unraid v6.rc3 trial: root password not always working


Unraid is not meant to be exposed to the internet. This attitude may be changing slowly, but right now assume you will be hacked if you leave ports open.

 

I suggest that the proper place to post this would be the V6 defects area, as you have currently put it in the V5 general support forum. Perhaps a moderator would be kind enough to move it there.

 

Security in general is a sore spot for many in the community.


Using a shortcut for the Dashboard, the login screen is skipped and from there I can go to any page I want.

Using a shortcut to any other page directly (main, shares, users, settings, plugins, docker, tools) requires the login.

And thus basically a serious security flaw.

 

If this is reproducible it would be a very serious bug.  The good news is I opened a new browser and went directly here:

  http://[my ip]/Dashboard

and was prompted to log in as expected.  I also created a shortcut, fully exited Chrome (by right-clicking the icon in the toolbar and choosing Exit), then clicked the shortcut and was prompted to log in.

 

I suspect that your browser was already logged in and you didn't realize it.  I'd recommend rebooting your client to be 100% sure you have logged out, and then try clicking the shortcut again.  It should prompt you to log in.

 

If not, you'll want to provide details such as:

* what OS your client is running

* what browser you are using

* step-by-step instructions on how you created the shortcut


Using a shortcut for the Dashboard, the login screen is skipped and from there I can go to any page I want.

Using a shortcut to any other page directly (main, shares, users, settings, plugins, docker, tools) requires the login.

And thus basically a serious security flaw.

 

I am using Firefox and, if I have previously logged into the server, the system will allow reconnection to the server even if I have closed all the tabs connected to the server.  If I close down Firefox, then I will have to log back in. 

 

As near as I can tell, it is the browser that logs into the server, not the tab in the browser!  So if you want to prevent access, you will have to actually close the browser down.

 

Now I actually consider this a benefit as it allows me quick access to the server without having to keep a tab open.  Since I have long realized what is going on and how to require a re-login, I do not really consider it a security issue. 


Using a shortcut for the Dashboard, the login screen is skipped and from there I can go to any page I want.

Using a shortcut to any other page directly (main, shares, users, settings, plugins, docker, tools) requires the login.

And thus basically a serious security flaw.

 

Since you do not really log out of the GUI, your browser will remember the state of the connection. This means that as long as you do not close your browser there is no subsequent login required.

 

Once your browser is closed and re-opened then a new login is required.

 

And as general advice: never expose your GUI to the outside world, keep it internal to your network!

 


Please mark this one SOLVED (at least for me).

 

Although the Windows Task Manager did not show a running browser (Internet Explorer), going into processes showed iexplorer running. Stopped it and now the login screen pops up when I want to enter the Dashboard or any of the other pages directly; good.

 

Still, I wonder why - with an iexplorer process running in the background - the login screen did not show up with the Dashboard, but did show up going directly to any of the other pages?

Link to comment
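To tell a browser that still holds credentials apart from a server that really skips authentication, which is the question the replies above settle by closing the browser, the pages can be requested from a client that has no session state at all. This is an added example, not part of the thread and not Unraid code; the page paths other than `/Dashboard` and the reading of each status code are assumptions.

```python
import urllib.error
import urllib.request

# /Dashboard is the URL quoted in the thread; the other paths are assumed
# from the page names the poster lists and may differ on a real server.
PAGES = ["Dashboard", "Main", "Shares", "Users", "Settings",
         "Plugins", "Docker", "Tools"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status):
    """Map an HTTP status to what it says about authentication."""
    if status in (401, 403):
        return "login required"
    if 300 <= status < 400:
        return "redirected (check it goes to a login page)"
    if 200 <= status < 300:
        return "SERVED WITHOUT CREDENTIALS"
    return f"inconclusive (HTTP {status})"


def probe(base_url, pages=PAGES, timeout=5):
    """Request each page from a fresh client that holds no session state."""
    # No cookies, no cached credentials, no proxy: a direct anonymous request.
    opener = urllib.request.build_opener(
        _NoRedirect, urllib.request.ProxyHandler({}))
    results = {}
    for page in pages:
        url = f"{base_url.rstrip('/')}/{page}"
        try:
            with opener.open(url, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code          # 401/403/3xx arrive as HTTPError
        except (urllib.error.URLError, OSError) as err:
            results[page] = f"unreachable ({err})"
            continue
        results[page] = classify(status)
    return results


if __name__ == "__main__":
    import sys
    for page, verdict in probe(sys.argv[1]).items():
        print(f"{page:10} {verdict}")
```

Run it from the LAN with the server's base URL as the only argument; any page reported as served without credentials is worth a defect report, while "login required" on every page points back at the browser's cached login.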
