
SMB Shares - Full Access after failure


Hey,

just wanted to report this - major - issue with Unraid.

If the Unraid OS drive gets disconnected, Unraid loses its config files. There may be x reasons to make the drive fail.

BUT: The security issue is in the default behaviour.

 

Every single user share is made public and accessible if this happens.

 

I can imagine something like: Bad person goes to server. Pull out the USB drive. Grant full access to all files. Win.

No point in making a user-access control in Unraid if something like this can happen.

 

Just posting this here because it makes me sad that no one is reacting to this. I thought about using an Unraid server in my business, but wtf ..

 

Origin Thread of mine: https://lime-technology.com/forum/index.php?topic=52250.0

I agree that this is a potential security flaw. However if anyone has the access that would allow them to pull out the USB drive they would have easy access to all the data anyway. The only protection against such an attack would be to have all the data on the disks encrypted.

  • Author

First, like our HP Server case in Office, there is a lock on the case. But the stick would still be outside -> Simpler access.

Second, way easier to detect the security breach if someone opens the case and removes a hard drive -> or just simply pull/push stick and copy files from server all day long.

Third, unexpected behaviour. Simply a dead stick and hurray, users have access to confidential data on Friday ...

 

It really boggles me why no one is reacting to this OR people trying to sugarcoat this problem.

If the default were no access, then physically removing flash and editing share cfgs could overcome this anyway. There is no substitute for physical security.

 


 

Thank you for the report. That is something I can say we never tested: "How does the server behave if we yank the USB boot flash?" Pure oversight; we'll look into that. In the meantime you can mitigate the risk with a < $5 part:

https://www.amazon.com/StarTech-Motherboard-4-Pin-Header-USBMBADAPT/dp/B000IV6S9S

 

Archived

This topic is now archived and is closed to further replies.
