I’ve heard jellyfin has a lot of security issues, which I don’t know if that’s accurate or not. But the BIGGEST issue is lack of a proper tvOS app. I really don’t feel like using Infuse or some other app just to use my library. Year after year I hear about people switching and yet, the gap is simply still there.
The biggest known stuff I saw on their GitHub is that a number of the exposed service URLs under the hood don’t require auth. So, it’s open-source with known requirements, you can tell easily from the outside that it’s running, and you can cause it to activate a LOT of packages without logging in. That’s a zero-day in any package that can be passed a payload away from disaster.
AS far as TVOS, I’m kinda surprised swiftfin doesn’t service you.
Assuming this is all true, sure its not great but how much does it matter?
Most have jellyfin in a docker. My jellyfin can’t only has read only accses to the media folder. Only the config folder has write access. Assuming the worst case scenario here, how much damage can than do?
To be fair there is a tvOS app in development but progress is slow because the whole project is maintained by a small handful of volunteers. They’ve put out a call for help and the maintainers post updates here
I am also not up to date on Jellyfin security issues but the biggest one I care about is that its clients don’t support OIDC. There’s a neat plugin for OIDC, but without client support it only works with the web client and I’m not a fan of leaving login pages open to the internet.
if you use the oidc connection and apps that support quick connect you can do it. you basically end up doing things like the plex link process that got implemented when they forced everyone into their authentication service. i almost went that route but opted to leave the password auth from ldap in. its the kind of log in process most people are used too and i’ve got a few elderly users. i disabled password reset in authentik though and everyone gets a 3 word 24 char minimum password.
Yeah, Samsung TVs don’t have a native Jellyfin app either. You can sideload it, but good luck walking your “you touched my computer six months ago and now it’s broken. This is your fault” grandmother through that over the phone.
I just validated that the latest version of the LDAP privilege escalation issue is not an issue anymore. The curl script is in the ticket.
This was the one where a standard user could get plugin credentials, such as the LDAP bind user, and change the LDAP endpoint. I.E., bad.
I chose this one because after going through all of them, it was the only one that allowed access to something that wasn’t just data in Jellyfin.
So for me, security is less of an issue knowing that, as only family use the service, and the remaining issues all require a logged in user (hit admin endpoint with user token).
Plus, I tried a few of those and they were also fixed, just not documented yet. I didn’t add to those tickets because I was not as formal with my testing.
Oh interesting, it’s been a while since I have tried to use Apple TV (roughly 7 years or so - I don’t use any Apple devices anymore), this wasn’t available at the time so I’m glad to see there’s finally some native support.
there’s been a LOT of progress on jellyfin, especially the past year or so. i’ve been using plex since it forked from xbmc, it ran on the bottom half of a laptop connected to a mostly working projector, both rescued from a dumpster. it’s been a fantastic platform for a long time. but i’ve also wanted off plex since they rolled out the plex account req. jellyfin is finally there for me at least.
https://github.com/jellyfin/Swiftfin is available for tvOS. works great for me with one bug. since i have homepods connected to one of my apple tv’s as it’s speakers. i had to change the setting to use the native video player instead of vlc to avoid and audio delay bug. that cost me the auto play next episode function. i though not auto playing the next episode would annoy me, but it’s turned out to not be a issue at all. but infuse doesn’t include that bug if you want both homepod tv speakers and auto play next episode with jellyfin. as for security, since jellyfin is more modifiable it has a lot more room for misconfiguration for sure. plex had plenty of it’s own security issues, we just only heard about them when some security blogger discovered it.
misconfiguration here i think is a dangerous way to phrase it… it implies that there is a secure way to run jellyfin on its own. jellyfin, by itself, should never be exposed to the www. it is, no matter the configuration, insecure. to run jellyfin on the www you must put a VPN or other reverse proxy with auth over the top of it
I’ve heard jellyfin has a lot of security issues, which I don’t know if that’s accurate or not. But the BIGGEST issue is lack of a proper tvOS app. I really don’t feel like using Infuse or some other app just to use my library. Year after year I hear about people switching and yet, the gap is simply still there.
The biggest known stuff I saw on their GitHub is that a number of the exposed service URLs under the hood don’t require auth. So, it’s open-source with known requirements, you can tell easily from the outside that it’s running, and you can cause it to activate a LOT of packages without logging in. That’s a zero-day in any package that can be passed a payload away from disaster.
AS far as TVOS, I’m kinda surprised swiftfin doesn’t service you.
swiftfin is mostly there but doesn’t support media segments, which is a deal breaker for me
really unfortunate since jellyfin media segments is a much better implementation of the concept than plex
i’m watching the swiftfin issue for when it gets added and i’ll be all over compiling and testing it
Assuming this is all true, sure its not great but how much does it matter?
Most have jellyfin in a docker. My jellyfin can’t only has read only accses to the media folder. Only the config folder has write access. Assuming the worst case scenario here, how much damage can than do?
A lot of neophyte self hosters Will try running the binary in Windows instead. Experienced self hosters will indeed use docker.
Then out of the ones that are using docker some of them will set it up as privileged.
And then how many of those people actually make read-only versus how many just add the path and don’t think about it.
Don’t confuse your good practices with what the average person will do.
To be fair there is a tvOS app in development but progress is slow because the whole project is maintained by a small handful of volunteers. They’ve put out a call for help and the maintainers post updates here
I am also not up to date on Jellyfin security issues but the biggest one I care about is that its clients don’t support OIDC. There’s a neat plugin for OIDC, but without client support it only works with the web client and I’m not a fan of leaving login pages open to the internet.
if you use the oidc connection and apps that support quick connect you can do it. you basically end up doing things like the plex link process that got implemented when they forced everyone into their authentication service. i almost went that route but opted to leave the password auth from ldap in. its the kind of log in process most people are used too and i’ve got a few elderly users. i disabled password reset in authentik though and everyone gets a 3 word 24 char minimum password.
Use an LDAP to OIDC bridge?
Yeah, Samsung TVs don’t have a native Jellyfin app either. You can sideload it, but good luck walking your “you touched my computer six months ago and now it’s broken. This is your fault” grandmother through that over the phone.
I just validated that the latest version of the LDAP privilege escalation issue is not an issue anymore. The
curlscript is in the ticket.This was the one where a standard user could get plugin credentials, such as the LDAP bind user, and change the LDAP endpoint. I.E., bad.
I chose this one because after going through all of them, it was the only one that allowed access to something that wasn’t just data in Jellyfin.
So for me, security is less of an issue knowing that, as only family use the service, and the remaining issues all require a logged in user (hit admin endpoint with user token).
Plus, I tried a few of those and they were also fixed, just not documented yet. I didn’t add to those tickets because I was not as formal with my testing.
@[email protected]
Op already said they were behind authentik
There also absolutely are apps for tv oses like Android, I use one daily.
I think they meant Apple’s “tvOS” - which powers the Apple TV set top box.
There’s no client for it, if I had to take a guess it’s likely due to the costs of doing so.Edit: Whoops, it appears I’m a bit out of date on this.
https://github.com/jellyfin/Swiftfin i’ve got 5 apple tv users, two android tv and one webostv
Oh interesting, it’s been a while since I have tried to use Apple TV (roughly 7 years or so - I don’t use any Apple devices anymore), this wasn’t available at the time so I’m glad to see there’s finally some native support.
there’s been a LOT of progress on jellyfin, especially the past year or so. i’ve been using plex since it forked from xbmc, it ran on the bottom half of a laptop connected to a mostly working projector, both rescued from a dumpster. it’s been a fantastic platform for a long time. but i’ve also wanted off plex since they rolled out the plex account req. jellyfin is finally there for me at least.
Oh lol, of course apple just calls it TV OS
https://github.com/jellyfin/Swiftfin is available for tvOS. works great for me with one bug. since i have homepods connected to one of my apple tv’s as it’s speakers. i had to change the setting to use the native video player instead of vlc to avoid and audio delay bug. that cost me the auto play next episode function. i though not auto playing the next episode would annoy me, but it’s turned out to not be a issue at all. but infuse doesn’t include that bug if you want both homepod tv speakers and auto play next episode with jellyfin. as for security, since jellyfin is more modifiable it has a lot more room for misconfiguration for sure. plex had plenty of it’s own security issues, we just only heard about them when some security blogger discovered it.
misconfiguration here i think is a dangerous way to phrase it… it implies that there is a secure way to run jellyfin on its own. jellyfin, by itself, should never be exposed to the www. it is, no matter the configuration, insecure. to run jellyfin on the www you must put a VPN or other reverse proxy with auth over the top of it