• Saik0@lemmy.saik0.com · 2 months ago (edited)

    Leaving this for people to realize that there’s a literal chapter’s worth of book of security issues that haven’t been fixed and seems to keep getting the can kicked down the road… for over 4 years now.

    https://github.com/jellyfin/jellyfin/issues/5415

    I love Jellyfin… people need to implement it sensibly knowing the potential risks.

    Edit: Ah yes! I MUST be a shill for saying “Implement it sensibly”.

    Here, let me “de-shill” myself.

    You have several options to make Jellyfin serviceable to users outside of your literal LAN network.

    1. Set up a VPN. Pray you don’t have a user on a device that doesn’t have a VPN app that you can work with.
    2. Set up whitelisting on your server. Pray that IP addresses don’t change.
    3. Set up fail2ban or crowdsec. Pray that your users don’t piss off either by doing user things and getting locked out.

    If anything above fails… you’re likely on the hook for support. Hope you plan for that!

    1. Obfuscate your paths (change /movies/title (year)/title.ext to something like /9ZHBrvNH4dKQDYFa2parH32qqSFpjsWTataVkjy4NqPxpVktT55PkEee5YSVRvUQ/movies/title (year)/title.ext). MD5 is now much harder to generate/guess… pray that there isn’t some other vulnerability. Gotta go back and reconfigure and organize your shit. Oh and make sure that your docker mounts aren’t crushing the path!

    Am I still a Plex shill? BTW I run Jellyfin AND Plex. Literally side by side. Different uses for different cases because Jellyfin just can’t compete with Plex for sharing with dumb-ass relatives.
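    Option 1 above as an added, constructed illustration (not code from this thread or from the Jellyfin project): it generates the random path segment, plans the move, and checks whether a Docker volume mapping keeps that segment on the container side, since a mapping to a bare /movies would hand the predictable path straight back to Jellyfin. The host root /srv/media, the library name movies and the container prefix /media are assumptions.

```python
import secrets
import string
from pathlib import PurePosixPath

# Constructed example values; replace with your own library root and name.
HOST_ROOT = "/srv/media"
LIBRARY = "movies"
ALPHABET = string.ascii_letters + string.digits  # 62 symbols; 64 of them is ~381 bits


def make_secret_segment(length: int = 64) -> str:
    """Random directory name drawn from a CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def plan_move(host_root: str, library: str, segment: str) -> tuple[str, str]:
    """Return (current_path, obfuscated_path): the library moves under the secret segment."""
    current = PurePosixPath(host_root) / library
    obfuscated = PurePosixPath(host_root) / segment / library
    return str(current), str(obfuscated)


def docker_volume_mapping(obfuscated_host_path: str, segment: str, library: str) -> str:
    """host:container:ro mapping that keeps the segment on the container side.
    Mounting to a bare /<library> would make Jellyfin see /<library>/... again
    and throw the obfuscation away (the 'docker mounts crushing the path' case)."""
    container_path = PurePosixPath("/media") / segment / library
    return f"{obfuscated_host_path}:{container_path}:ro"


def mount_crushes_path(mapping: str, segment: str) -> bool:
    """True when the container side of host:container[:opts] lacks the secret segment."""
    parts = mapping.split(":")
    if len(parts) < 2:
        raise ValueError("expected host:container[:options]")
    return segment not in PurePosixPath(parts[1]).parts


if __name__ == "__main__":
    seg = make_secret_segment()
    current, obfuscated = plan_move(HOST_ROOT, LIBRARY, seg)
    good = docker_volume_mapping(obfuscated, seg, LIBRARY)
    bad = f"{obfuscated}:/{LIBRARY}:ro"  # container side drops the segment
    print(f"mkdir -p '{PurePosixPath(obfuscated).parent}' && mv '{current}' '{obfuscated}'")
    print(f"-v {good}   # crushes path: {mount_crushes_path(good, seg)}")
    print(f"-v {bad}   # crushes path: {mount_crushes_path(bad, seg)}")
```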

    • DigDoug@lemmy.world · 2 months ago

      Imagine downvoting “Be careful what you expose to the internet”. I thought I’d got away from Reddit.

      • Appoxo@lemmy.dbzer0.com · 2 months ago (edited)

        The core message is (to me) fine.
        What I kind of dislike is the delivery.

        Btw: Can someone tell me why the path-guessing is so dangerous?
        I don’t care if someone can guess the path for the.rise.of.the.linux.ISO.720p.DD.H264.mp4 and wants to download it.
        Not like any damage or (interactive) intrusion was made into my network.

        • Saik0@lemmy.saik0.com · 2 months ago (edited)

          Btw: Can someone tell me why the path-guessing is so dangerous?

          ’Cause organizations like Sony have already done things like installing rootkits on people’s computers. Now imagine they realize this is a flaw in some media setups and their legal departments start actioning on it. (Generate a rainbow table of common names for files, and common paths used in Linux/docker containers… running 10000 HTTP requests on a server over a few minutes is child’s play.)

          All it takes is one thing to parse on a list that never had a physical release and now your whole server will be subject to discovery at the court case.

          If you have literally no illegal content on your server, no problem… other than that you’ll be on the hook to provide proof of rights to have the content… and possibly at worst rights to distribute (they accessed it without authentication, so literally anyone else could have too).

          Edit: Oh but hold on! I hear you say that it would be illegal for them to scan your computer like that…

          Except it isn’t. There’s no law that says you can’t try to navigate to a URL. There are laws that say that you can’t bypass attempts to authenticate/protect content… but remember the endpoint isn’t behind authentication.

          • Appoxo@lemmy.dbzer0.com · 2 months ago (edited)

            Except it isn’t. There’s no law that says you can’t try to navigate to a URL. There are laws that say that you can’t bypass attempts to authenticate/protect content… but remember the endpoint isn’t behind authentication.

            Assuming I am from the US?
            Because if so, it doesn’t apply.

            But I appreciate your time for the explanation.

    • oshu@lemmy.world · 2 months ago

      If your use case is to have a nice media server at home and while traveling (via tailscale or similar) without exposing your private data, Jellyfin is great.

      If your use case is running a pirate tv service for other people, then you probably want something else.

      • Saik0@lemmy.saik0.com · 2 months ago

        If you’re supporting ANYONE other than yourself who isn’t technical, it’s a hurdle. And likely a significant one.

        I would not be able to educate my wife properly on the times when she would need to enable wireguard on her phone to use it properly (and when to disable it for other scenarios).

        This has nothing to do with running a pirate service.

        • oshu@lemmy.world · 2 months ago

          My wife has no problem starting the tailscale app and then starting the Jellyfin app. It’s really that simple.

          She also uses the tailscale exit node I run whenever she is on a public wifi. It’s really a well-designed, simple-to-use app.

          • AmbiguousProps@lemmy.today · 2 months ago

            Would you like to explain to my MIL about how to set up tailscale for her entire network so she can stream to her TV?

            • LainTrain@lemmy.dbzer0.com · 1 month ago (edited)

              Download file from Google Drive link

              Download OpenVPN app

              Pick file in OpenVPN app

              Enter password

              Share WiFi from phone to TV

              Done

              Edit: idk why ppl are downvoting. This shit is the easiest way, not the best way

                • Appoxo@lemmy.dbzer0.com · 2 months ago

                  Does she drive or open bank accounts?
                  If the answer is yes, why is that so much harder?

                  And I work in tech support. With medical non-technical folks. Guiding them through the control panel blindly on the phone.
                  I know what I am dealing with on the regular!