I just set up Pi MusicBox, intending to use it for my whole-house audio solution.
However, the first thing I noticed is that the Web UI allows you to set the root password, and it’s not restricted to only the first time it’s changed. Since the Web UI is not, itself, password protected, any user on the local network can change the root password and enable SSH, and there does not seem to be any way to close this security issue.
This also raises other questions: is the PiMusicBox web app running as the root user? It must be, if it has permission to change root’s password.
Are there any steps that can be taken to close these security holes? Is this something that has been reported before?