Eadword

Better Defaults


While the current system is great for the average home network as a media server storing non-critical and non-confidential information on a private network, with a few changes, it could be ready for so much more...

 

Where I'm coming from: I'm new to unraid, and I am a long-time Linux user with Windows as a side OS I avoid as much as possible. Currently I've been setting up a VFIO system, and because I won't just be using it to store media but to actually be my daily driver, I have certain security concerns with the current default configurations.

 

The following is a list of changes I've compiled, largely from http://kmwoley.com/blog/securing-a-new-unraid-installation/ and somewhat ordered by importance:

- SMB 1 disabled by default

- FTP and Telnet disabled by default

- HTTPS enabled with a self-signed cert out of the gate (love the cert authority setup though!)

- make it more clear how to encrypt new drives (can't choose to encrypt when adding the device, has to be changed in the default filesystem setting)

- new shares not exported by default, and when exported, Private by default

- Don't export the USB boot media!!! (At least not by default and add an are you sure if you try to enable it)

- firewall such as UFW installed and enabled by default with only TCP port 80 and 443 set to LIMIT and whatever SMB uses opened. GUFW could be pulled from for the GUI. And providing quick check boxes for common ports would make it easy, possibly auto-enabling when you enable a core service.

- Docker Isolation through Linux namespaces / subuids

- allow tagging more shares for direct Linux VM mounting to prevent the need to pass through /mnt/user

- better multiple-user support, it's a server, right? So people other than root should be able to ssh in and access the UI; ideally root login would be disabled with use of a wheel group instead

- don't use 777 permissions by default, ideally users + groups, but at a minimum there is no reason for most things to be read, write, and execute by default!

- support for openvpn

- support for multiple different encryption keys


And add other lurking issues to this. Even if you're not exposing a system to the public internet, a lot of these things can still cause problems if the system is up 24/7. There is no such thing as a "friendly environment" outside air-gapped systems, and my daily driver will definitely not be air gapped.

 

Anyway, if you've made it this far and feel like this is a list of complaints, I'm sorry. I do like unraid and I already feel excited for where it's going.

Edited by Eadword
Appended contributed ideas


I suggest you put this under feature requests, there it will stay more visible for any future development.

On 5/17/2019 at 1:42 AM, Eadword said:

[snip]


And add other lurking issues to this. Even if you're not exposing a system to the public internet, a lot of these things can still cause problems if the system is up 24/7. There is no such thing as a "friendly environment" outside air-gapped systems, and my daily driver will definitely not be air gapped.

 

Anyway, if you've made it this far and feel like this is a list of complaints, I'm sorry. I do like unraid and I already feel excited for where it's going.

@Eadword I have a thread opened for Docker Isolation with no replies, but you should add Linux namespaces / subuids for Docker to your list, as well as not using root and 777 permissions everywhere in the OS would be some good changes. It's been this way for a long time, I doubt it will change because unraid has always been a "don't expose to outside world" kind of distro for a long time.


A bump does nothing.

 

What needs to be done is what BonieNL already said, post this in Feature Requests.

1 minute ago, BRiT said:

A bump does nothing.

 

What needs to be done is what BonieNL already said, post this in Feature Requests.

And probably as multiple requests, as one giant one is unlikely to gain much traction. Instead it needs to be a number of smaller requests that can be individually prioritised (if accepted) and gradually picked off.

On 5/20/2019 at 5:02 PM, xanvincent said:

I doubt it will change

You should have more trust in Limetech :)

Security is an important aspect and Limetech is constantly looking at improvements.

On 8/20/2019 at 7:35 PM, bonienl said:

You should have more trust in Limetech :)

Security is an important aspect and Limetech is constantly looking at improvements.

Any chance there are some updates? The lack of docker isolation is actually starting to worry me as I do have a few external services I host on unRaid.

5 minutes ago, Ryonez said:

The lack of docker isolation

Please explain

21 minutes ago, bonienl said:

Please explain

The lack of `Docker Isolation through Linux namespaces / subuids`.

I've been given the example over here that if someone breaks out of a container when they are root, they are root on the host as well.

Edited by Ryonez
Added link
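
Added example, not part of the original thread: what the "namespaces / subuids" item changes, shown by translating container UIDs to host UIDs using the kernel's `/proc/<pid>/uid_map` format. The two sample maps, the 100000:65536 subuid range and the container names are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

# One uid_map line: <first UID inside the namespace> <first UID outside> <count>
Extent = Tuple[int, int, int]

# Constructed sample: /proc/<pid>/uid_map of a container process started
# without user-namespace remapping (the kernel's identity map).
NO_REMAP = "         0          0 4294967295\n"
# Constructed sample: the same file for a remapped container, assuming an
# /etc/subuid range of 100000:65536 (illustrative values).
REMAPPED = "         0     100000      65536\n"


def parse_uid_map(text: str) -> List[Extent]:
    """Parse uid_map content into (inside, outside, count) extents."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"empty extent: {line!r}")
        extents.append((inside, outside, count))
    return extents


def host_uid(extents: List[Extent], container_uid: int) -> Optional[int]:
    """Return the host UID behind a container UID, or None if unmapped."""
    for inside, outside, count in extents:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


def containers_running_as_host_root(maps: Dict[str, str]) -> List[str]:
    """Names of containers whose UID 0 is also UID 0 on the host."""
    return sorted(n for n, m in maps.items() if host_uid(parse_uid_map(m), 0) == 0)


if __name__ == "__main__":
    sample = {"plain": NO_REMAP, "remapped": REMAPPED}  # hypothetical names
    for name, text in sample.items():
        print(name, "container root -> host uid", host_uid(parse_uid_map(text), 0))
    print("host-root containers:", containers_running_as_host_root(sample))
```

On a live host, pass in the contents of `/proc/<pid>/uid_map` for each container's main process instead of the constructed samples.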

1 minute ago, bonienl said:

Any link to that example ?

Yup, I linked it with an edit shortly after. Sorry, I didn't think when I posted it to add it.


Ok, but is there somewhere a "proof of concept" to confirm the claim?


I don't know. I'm a little reliant on others' knowledge here as I'm by no means an expert and what I do know is rather patchworked.

Edited by Ryonez


It shouldn't be possible to "break out" of a container and as far as I know this isn't possible.

Otherwise it will be a security vulnerability of Docker itself.

 
