piCorePlayer: security

  • peterw
    Senior Member
    • Oct 2005
    • 2954

    #31
    Greg, I am still playing with pCP a bit.

    Frankly the biggest problem is finding a case for a touchscreen that will work with (and enclose and protect) a 3B+ and an I2S DAC.** :-) The Smartipi case with optional extended backs is about the best I've found so far, but it looks not quite polished/tidy enough for some rooms. :-(

    For the httpd I'm pretty comfortable with my loopback binding and tunneling through ssh. At least with that sshd is the only listening daemon. BTW I'm glad you chose OpenSSH instead of something like dropbear.

    I also played with Ubuntu Mate today and ooh, boy, Jivelite on pCP is soo much snappier than my first attempt at Squeezeplay on Mate on Pi that it's hard to imagine Mate being viable. pCP with a 3B+ seems likely to be snappier than my Touch but I expect Mate would be a step backward.

    ** I'd especially like one in which I could fit an IR receiver and a rotary encoder knob for Radio-style quick volume control.
    owner of the stuff at https://tuxreborn.netlify.app/
    (which used to reside at www. tux.org/~peterw/)
    Note: The best way to reach me is email or PM, as I don't spend much time on the forums.
    Free plugins: AllQuiet Auto Dim/AutoDisplay BlankSaver ContextMenu DenonSerial
    FuzzyTime KidsPlay KitchenTimer PlayLog PowerCenter/BottleRocket SaverSwitcher
    SettingsManager SleepFade StatusFirst SyncOptions VolumeLock

    • cfuttrup
      Senior Member
      • Sep 2009
      • 387

      #32
      Originally posted by peterw
      Frankly the biggest problem is finding a case for a touchscreen that will work with (and enclose and protect) a 3B+ and an I2S DAC.** :-) The Smartipi case with optional extended backs is about the best I've found so far, but it looks not quite polished/tidy enough for some rooms. :-(
      Hi Peter

      I've had success with the DesignSpark case and a Dremel tool. Please see: http://www.cfuttrup.com/touch_upgrade.html

      ... but yes, finding a good case for a different board and/or with different features requires some work, or you use a setup without a rear cover, or you design your own (maybe 3D printed). Another option is to connect the pieces with cables and e.g. use one of the Audiophonics cases.

      /Claus
      Last edited by cfuttrup; 2019-04-02, 17:51.

      • peterw
        Senior Member
        • Oct 2005
        • 2954

        #33
        Originally posted by cfuttrup
        Hi Peter

        I've had success with the DesignSpark case and a Dremel tool. Please see: http://www.cfuttrup.com/touch_upgrade.html

        ... but yes, finding a good case for a different board and/or with different features requires some work, or you use a setup without a rear cover, or you design your own (maybe 3D printed). Another option is to connect the pieces with cables and e.g. use one of the Audiophonics cases.
        Claus, thanks for the info & suggestions. I spent a bunch of time on Thingiverse the other day, and this project looked pretty good, a revised cap for a widely available case that looks sufficient for an audio HAT: https://www.thingiverse.com/thing:2268017

        • cfuttrup
          Senior Member
          • Sep 2009
          • 387

          #34
          Originally posted by peterw
          a widely available case that looks sufficient for an audio HAT: https://www.thingiverse.com/thing:2268017
          Yup, that's the DesignSpark case that I'm using, and it looks like a nice 3D-printed extension.

          /Claus

          • Greg Erskine
            Senior Member
            • Sep 2006
            • 2808

            #35
            RE: pCP5.0.0

            One small step towards increased security, for those that can't wait for the Web GUI to be updated and know vi.

            The httpd web server now uses a configuration file /etc/httpd.conf

            Code:
            $ sudo cat httpd.conf
            # Maintained by piCorePlayer
            H:/home/tc/www
            #/cgi-bin:admin:admin
            Just remove the # on the last line and make sure there is a newline added to the end of the last line.

            Do a $ pcp br

            The browser will now prompt for a user name and password. Default is admin/admin.

            regards
            Greg
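An added check, not piCorePlayer code, that audits an httpd.conf in the busybox format shown above for the three things that go wrong in practice: the auth line still commented out, no trailing newline (the caveat Greg gives), and the default admin/admin password left in place. The file path and the sample files are assumptions.

```shell
#!/bin/sh
# Audit a busybox httpd.conf (piCorePlayer style) for /cgi-bin protection.
# Added example, not piCorePlayer's own code. Assumes the busybox format:
#   H:<document root>            home directory
#   /cgi-bin:<user>:<password>   HTTP basic auth for that path
#
# Return codes of audit_httpd_conf:
#   0 = /cgi-bin is protected with a non-default password
#   1 = auth line missing or still commented out
#   2 = file has no trailing newline (busybox may ignore the last line)
#   3 = still using the default admin/admin credentials
audit_httpd_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # wc -l on the last byte is 1 only when that byte is a newline.
    if [ "$(tail -c 1 "$conf" | wc -l | tr -d ' ')" != "1" ]; then
        echo "FAIL: $conf has no trailing newline; last line may be ignored"
        return 2
    fi

    # An uncommented path:user:password line for /cgi-bin (first one wins).
    auth=$(grep -E '^/cgi-bin:[^:]+:[^:]*$' "$conf" | head -n 1)
    if [ -z "$auth" ]; then
        echo "FAIL: /cgi-bin is not password-protected (line missing or commented)"
        return 1
    fi

    user=$(echo "$auth" | cut -d: -f2)
    pass=$(echo "$auth" | cut -d: -f3)
    if [ "$user" = "admin" ] && [ "$pass" = "admin" ]; then
        echo "WARN: /cgi-bin still uses the default admin/admin credentials"
        return 3
    fi
    echo "OK: /cgi-bin protected for user '$user'"
    return 0
}

# Usage on the player (path assumed): audit_httpd_conf /etc/httpd.conf
```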

            • cfuttrup
              Senior Member
              • Sep 2009
              • 387

              #36
              Thanks a million :-)

              • trigdog
                Junior Member
                • Aug 2019
                • 4

                #37
                Originally posted by Greg Erskine

                Just remove the # on the last line and make sure there is a newline added to the end of the last line.
                This is great. Is there any way to change the default WWW_PORT="80" in the config to something like 8080? It would be nice if I could change the LMS to 80 instead of 9000.

                • paul-
                  Senior Member
                  • Jan 2013
                  • 5781

                  #38
                  You should be able to add SERVER_PORT=8080 to the config.


                  Not sure why you would want to change LMS interface.......we don't offer a way to do that.
                  Last edited by paul-; 2019-08-14, 22:15.
                  piCorePlayer a small player for the Raspberry Pi in RAM.
                  Homepage: https://www.picoreplayer.org

                  Please donate if you like the piCorePlayer

                  • Greg Erskine
                    Senior Member
                    • Sep 2006
                    • 2808

                    #39
                    hi trigdog,

                    Originally posted by trigdog
                    Is there any way to change the default WWW_PORT="80" in the config to something like 8080?
                    This option will be available in pCP6.0.0 when we release it. Best to wait.

                    [Attached screenshot: httpdport.PNG]

                    If you are using pCP6.0.0-b1 you *may* be able to edit your pcp config file manually (/usr/local/etc/pcp/pcp.cfg)?

                    Originally posted by trigdog
                    It would be nice if I could change the LMS to 80 instead of 9000.
                    You can't do this.

                    Most people only change the LMS port if it clashes with other software. 9001 is usually used.

                    We offer only this option on the [Tweaks] page. Please read the note carefully.

                    [Attached screenshot: lmsipport.PNG]

                    regards
                    Greg
                    Last edited by Greg Erskine; 2019-08-14, 23:41.

                    • trigdog
                      Junior Member
                      • Aug 2019
                      • 4

                      #40
                      Originally posted by Greg Erskine

                      If you are using pCP6.0.0-b1 you *may* be able to edit your pcp config file manually (/usr/local/etc/pcp/pcp.cfg)?
                      Actually, I just tried this on 5.0 before I saw this reply....it seems to have worked just fine when I edited manually and used "pcp br" to reboot afterward. Is that not supposed to work in 5.0?

                      • trigdog
                        Junior Member
                        • Aug 2019
                        • 4

                        #41
                        Originally posted by Greg Erskine

                        You can't do this.

                        Most people only change the LMS port if it clashes with other software. 9001 is usually used.
                        I see LMS doesn't support 80 now. I was just trying to make a more user friendly url to get to the LMS server. I created a host file record in my pi-hole DNS server that redirects the domain: my.music to the IP of the PCP LMS server...I just can't redirect to a specific port using DNS. Maybe I can create a redirect with busybox httpd from 80 to 9000....will investigate. Thanks.

                        • Greg Erskine
                          Senior Member
                          • Sep 2006
                          • 2808

                          #42
                          Some people consider using port 80 to be less secure because it is the http default.

                          The LMS http port number is really not part of piCorePlayer security. It might confuse people talking about it in the same thread/post/paragraph as piCorePlayer http port.

                          • trigdog
                            Junior Member
                            • Aug 2019
                            • 4

                            #43
                            Originally posted by Greg Erskine
                            Some people consider using port 80 to be less secure because it is the http default.
                            Agreed which is why I replied here. I also agree the LMS stuff is off topic, sorry about that.

                            • peterw
                              Senior Member
                              • Oct 2005
                              • 2954

                              #44
                              Originally posted by Greg Erskine
                              This option will be available in pCP6.0.0 when we release it. Best to wait.
                              I just wanted to say thanks to the pCP crew for adding the Security page to the Beta web UI for 6.0! I do hope you'll promote that to the mainstream admin UI, although I suggest you consider a few tweaks:
                              1) add a Password Confirmation input on the httpd settings page
                              2) add a note that the pCP settings will be saved as soon as the change is applied (I expected that they would NOT be, that I would be able to verify that I could still access the httpd and sshd after setting passwords and just power cycle the Pi if I goofed somehow)
                              3) incorporate CSRF protection into the web UI, at least Referer checks. It seems too easy to use CSRF with mere GET requests to effect significant changes on the pCP. Even those w/ authentication required for the web UI are vulnerable to CSRF attacks.

                              Thanks!
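A same-origin check of the kind peterw's point 3 asks for, as an added example that is not piCorePlayer's code: a busybox httpd CGI shell handler that accepts settings changes only via POST and only when the browser's Origin or Referer host matches the Host header. It assumes busybox httpd exports those request headers to the CGI as HTTP_HOST, HTTP_ORIGIN and HTTP_REFERER (the usual CGI convention); the host names in the test are constructed.

```shell
#!/bin/sh
# Same-origin guard for a state-changing CGI script under busybox httpd.
# Added example, not piCorePlayer's own code. Assumes busybox httpd passes
# the request headers to the CGI as HTTP_HOST, HTTP_ORIGIN, HTTP_REFERER.

# Reduce a URL such as http://pcp.local:8080/cgi-bin/x.cgi to "pcp.local:8080"
url_host() {
    # drop the scheme, then everything from the first "/" onward
    echo "$1" | sed -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##' -e 's#/.*$##'
}

# Returns 0 when the request may change settings, otherwise a reason code:
#   1 = not a POST (settings changes via GET are exactly the CSRF risk above)
#   2 = neither Origin nor Referer header sent
#   3 = Origin/Referer host does not match the Host the request arrived on
csrf_check() {
    [ "$REQUEST_METHOD" = "POST" ] || return 1
    src="$HTTP_ORIGIN"                 # Origin is preferred when present
    [ -n "$src" ] || src="$HTTP_REFERER"
    [ -n "$src" ] || return 2
    [ "$(url_host "$src")" = "$HTTP_HOST" ] || return 3
    return 0
}

# CGI entry point: refuse cross-site requests before touching any settings.
# Only runs when invoked by the web server (GATEWAY_INTERFACE is set by it).
if [ -n "$GATEWAY_INTERFACE" ]; then
    csrf_check; rc=$?
    if [ "$rc" -eq 0 ]; then
        printf 'Content-Type: text/plain\r\n\r\nrequest accepted\n'
    else
        printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n'
        printf 'rejected: cross-site or non-POST request (code %s)\n' "$rc"
    fi
fi
```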

                              • Greg Erskine
                                Senior Member
                                • Sep 2006
                                • 2808

                                #45
                                Originally posted by peterw
                                I just wanted to say thanks to the pCP crew for adding the Security page to the Beta web UI for 6.0! I do hope you'll promote that to the mainstream admin UI, although I suggest you consider a few tweaks:
                                1) add a Password Confirmation input on the httpd settings page
                                2) add a note that the pCP settings will be saved as soon as the change is applied (I expected that they would NOT be, that I would be able to verify that I could still access the httpd and sshd after setting passwords and just power cycle the Pi if I goofed somehow)
                                3) incorporate CSRF protection into the web UI, at least Referer checks. It seems too easy to use CSRF with mere GET requests to effect significant changes on the pCP. Even those w/ authentication required for the web UI are vulnerable to CSRF attacks.

                                Thanks!
                                Hi peterw,

                                Thanks for the feedback. I've added your requests to my list of things to do.

                                Regarding #3, there was a fourth page that didn't make it into production that disabled the http server (after a few minutes). I think, you can manually change GUI_DISABLE="0" in the pcp.cfg to a few minutes. The CLI setup command ($ setup) has the option to turn off the GUI but it is either on or off, no grace period after reboot.

                                regards
                                Greg