September 27, 20169 yr Hey, just wanted to report this - major - issue with unraid. If the unraid OS Drive gets disonnected, Unraid lost his config files. There may be x-reasons to make the drive fail. BUT: The security issue is on the default behaviour. Every single user share is made public and accessible if this happens. I can imagine something like: Bad person goes to sever. pull out the USB drive. Grant full access to all files. Win. No point of making a user-access control in unraid if something like this can happen. Just posting this here because it makes me sad that noone is reacting to this. I thought about using an unraid server in my business, but wtf .. Origin Thread of mine: https://lime-technology.com/forum/index.php?topic=52250.0
September 27, 20169 yr I agree that this is a potential security flaw. However if anyone has the access that would allow them to pull out the USB drive they would have easy access to all the data anyway. The only protection against such an attack would be to have all the data on the disks encrypted.
September 27, 20169 yr Author First, like our HP Server case in Office, there is a lock on the case. But the Stick would still be outside -> Simplier access. Second, way easier to detect the security breach if someone open the case and remove a harddrive -> or just simple pull/push stick and copy files from server all day long. Third, unexpected behaviour. Simply a dead stick and hurray, users have access to confidential data on friday ... It really boggles me why noone is reacting to this OR peoply trying to sugartalk this problem.
September 27, 20169 yr If the default were no access, then physically removing flash and editing share cfgs could overcome this anyway. There is no substitute for physical security.
September 27, 20169 yr All shares should still not be open if the flash crash/or if someone remove it.
September 27, 20169 yr First, like our HP Server case in Office, there is a lock on the case. But the Stick would still be outside -> Simplier access. Second, way easier to detect the security breach if someone open the case and remove a harddrive -> or just simple pull/push stick and copy files from server all day long. Third, unexpected behaviour. Simply a dead stick and hurray, users have access to confidential data on friday ... It really boggles me why noone is reacting to this OR peoply trying to sugartalk this problem. Thank you for the report. That is something I can say we never tested: "How does the server behave if we yank the USB boot flash?" Pure oversight; we'll look into that. In meantime you can mitigate the risk with a < $5 part: https://www.amazon.com/StarTech-Motherboard-4-Pin-Header-USBMBADAPT/dp/B000IV6S9S
Archived
This topic is now archived and is closed to further replies.