Comment on That's all folks, Plex is starting to charge for sharing
sudneo@lemm.ee 1 week agoWell, as an application it has a huge attack surface, it’s also able to download stuff from internet (e.g., subs) and many people run it on NAS. I run jellyfin in docker, I didn’t do a security assessment yet, but for sure it needs volume mounts, not sure about what capabilities it runs with (surely NET_BIND, and I think DAC_READ_SEARCH to avoid file ownership issues with downloaders?). Either way, I would never expose a service like that on the internet.
RaccoonBall@lemm.ee 1 week ago
This is also true about Plex which must also be exposed to the internet
sudneo@lemm.ee 1 week ago
No that’s the thing. Plex can also use their infra as a tunneling system. You can have remote streaming without exposing Plex publicly and without VPN. It is slow though.
Nibodhika@lemmy.world 1 week ago
Plex doesn’t even work properly unless you set it up with network mode host, otherwise it always considers your service to be remote because they’re not on the same network as anything you try to watch it from. Jellyfin requires lots less access, and you’re so worried about it you can add a Tailscale mod to the container and isolate it completely so it’s only accessible via Tailscale similarly to what you think Plex is doing (which doesn’t harden security as much as you think)
sudneo@lemm.ee 1 week ago
I presume you mean running Plex in host namespace. I don’t do that as I run the synology package, but I can totally see the issue you mean.
Running in host namespace is bad, not terrible, especially because my NAS in on a separate VLAN, so besides being able to reach other NAS local services, cannot do do much. Much much much less risk than exposing the service on the internet (which I also don’t).
Also, this all is not a problem for me, I don’t use remote streaming at all, hence why I am also experimenting with jellyfin. If I were though, I would have only 2 options: expose jellyfin on the internet, maybe with some hacky IP whitelist, or expect my mom to understand VPNs for her TV.
Would be nice to elaborate this. I think it reduces a lot of risk, compared to exposing the service publicly. Any vulnerability of the software can’t be directly exploited because the Plex server is not reachable, you need an intermediate point of compromise. Maybe Plex infra can be exploited, but that’s a massively different type of attack compared to the opportunities and no-cost “run shodab to check exposed Plex instances” attack.