Root password can be changed by anyone on local network, and is transmitted in the clear

I just set up Pi MusicBox, intending to use it for my whole-house audio solution.

However, the first thing I noticed is that the Web UI allows you to set the root password, and it’s not restricted to only the first time it’s changed. Since the Web UI is not, itself, password protected, any user on the local network can change the root password and enable SSH, and there does not seem to be any way to close this security issue.

This also raises other questions: is the PiMusicBox web app running on the root user? It must be, if it has permission to change root’s password.

Are there any steps that can be taken to close these security holes? Is this something that has been reported before?

Hi

Yes, it runs as root. Yes it’s been reported before and yes it’s bad practice. I had put this all off until the next major release but that was a long time ago now.

Your idea to have the root password only changeable (via websettings) one time is a good one since it might be relatively painless to implement right now.

Pull requests very welcome for that and/or implementing a password for the websettings page.
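The two mitigations suggested in this thread (a password on the websettings page, and a root password that can only be set once) can be sketched as a small guard around the privileged action. The block below is an added example, not Pi MusicBox's own code; every name in it is hypothetical, the settings password and state file path are constructed, and the function that actually changes the system password is injected so the guard logic runs without root. It does not address the other two points raised here (the web app running as root and the password travelling in the clear); those need a privilege-separated helper and TLS respectively.

```python
"""Added example (not from Pi MusicBox): guard a 'set root password' action so
that (1) the caller must present the websettings password and (2) the root
password can be set only once, with the one-shot flag persisted across restarts.
All identifiers are hypothetical; sample values are constructed."""
import hashlib
import hmac
import json
import os
import secrets
import tempfile

PBKDF2_ROUNDS = 200_000  # assumption: a reasonable work factor for a Pi-class CPU


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 so the websettings password is never stored in clear."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex(), "rounds": PBKDF2_ROUNDS}


def verify_password(password, record):
    """Recompute the PBKDF2 digest and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["rounds"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


class SettingsGuard:
    """Wraps the privileged action with an auth check and a persisted one-shot flag."""

    def __init__(self, state_path, settings_password_record):
        self.state_path = state_path
        self.settings_password_record = settings_password_record
        self.state = self._load()

    def _load(self):
        if os.path.exists(self.state_path):
            with open(self.state_path) as fh:
                return json.load(fh)
        return {"root_password_set": False}

    def _save(self):
        # Write-then-rename so a crash mid-write cannot lose the "already set" flag.
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(self.state, fh)
        os.replace(tmp, self.state_path)

    def change_root_password(self, settings_password, new_root_password, apply_change):
        """Return 'unauthorized', 'already-set', 'too-short' or 'ok'.

        `apply_change` is the hypothetical hook that really sets the system
        password (in production it would talk to a privileged helper, not run
        in the web process); here the caller injects it."""
        if not verify_password(settings_password, self.settings_password_record):
            return "unauthorized"  # unauthenticated LAN user: nothing happens
        if self.state["root_password_set"]:
            return "already-set"  # one-shot: every later attempt is refused
        if len(new_root_password) < 8:
            return "too-short"
        apply_change(new_root_password)
        self.state["root_password_set"] = True
        self._save()  # persist the flag before reporting success
        return "ok"


def demo(workdir=None):
    """Exercise the guard on the interesting paths; returns (outcomes, applied)."""
    workdir = workdir or tempfile.mkdtemp()
    state_file = os.path.join(workdir, "websettings-state.json")
    record = hash_password("settings-secret")  # constructed sample settings password
    applied = []  # stands in for the real password-change call
    guard = SettingsGuard(state_file, record)
    outcomes = [
        guard.change_root_password("wrong", "new-root-pw-1", applied.append),
        guard.change_root_password("settings-secret", "short", applied.append),
        guard.change_root_password("settings-secret", "new-root-pw-1", applied.append),
        guard.change_root_password("settings-secret", "new-root-pw-2", applied.append),
    ]
    # A fresh instance (simulating a reboot) must still refuse a second change.
    rebooted = SettingsGuard(state_file, record)
    outcomes.append(rebooted.change_root_password("settings-secret", "new-root-pw-3", applied.append))
    return outcomes, applied


if __name__ == "__main__":
    print(demo())
```

The one-shot flag lives in its own state file rather than in memory so that a restart of the web process does not reopen the window; the atomic rename matters for the same reason. Note that `verify_password` runs before the one-shot check, so an unauthenticated request cannot even learn whether the root password has been set yet.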
