I’m a software developer working in the telecam sector on security related products, so I know a fair bit about system security. Yet I wound secure my own system far less than most people here if I didn’t enjoy cybersecurity as a hobby.

I wonder what you are securing against? Some examples:

  • jellyfin: unless you have home videos on there, what does it matter if someone exfiltrates some movies? Surely you have basic DOS protection and/or region locking to reduce wasted network traffic, right?
  • linux: I assume nobody is using their servers as daily drive PCs, so what does it matter if somehow your system is superficially compromised. You can always reimage. Sure they could mine some bitcoin with your system, but it doesn’t have that much PSU headroom to cost you much on your bills, right?

It just seems like most attack vectors lead to mild annoyance at most for most systems.

Do you guys just enjoy cybersecurity? Do you actually keep sensitive data on your self hosted systems? Do you self-host on expensive hardware? What am I missing?

  • hirihit640@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    1
    ·
    5 hours ago

    With that setup, an attacker could mount the host filesystem to the container and would own the host from that container.

    Can you elaborate more on this? Assuming an attacker is in the Jellyfin container with full remote code execution, how could they mount the host filesystem?

    • Morgikan@fedia.io
      link
      fedilink
      arrow-up
      2
      ·
      5 hours ago

      It would depend on having access to misconfigured permissions or docker.sock like when you chain containers to manage other containers. Because you have access to docker.sock and that socket can send API calls to the docker daemon (which is run from root) those commands would inherit the same level of access. An attacker could make the API call to mount /:/root and then access the host filesystem.

      It’s just an example of how even though the container might not have anything worthwhile, it can be used to laterally move and open another door.

      • hirihit640@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        3
        ·
        4 hours ago

        Got it. Access to docker.sock is definitely something to be wary of, or CAP_ADMIN, or access to certain host devices.

        Worth mentioning though that Jellyfin usually has none of these.

        • The Stoned Hacker@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          3 hours ago

          Also worth mentioning that Linux recently has had two massive privilege escalation vulnerabilities that bypass system namespacing and thus also provide container escapes.