A security vulnerability in NixOS’s Jellyfin module was discovered and reported by Sofie Finnes Øvrelid.
The Jellyfin module exposed Jellyfin’s state directory, which contains secrets, to all local users.
The module has been updated to set the mode of the state directory to 0700, denying other users access to the files. The issue is fixed on the current state of nixos-unstable, nixos-22.05, and nixos-21.11. Updating systems running the jellyfin module, as well as rotating secrets that may have been exposed, is recommended.
(courtesy of Sofie Finnes Øvrelid)
Current installation procedures on unstable will create /var/lib/jellyfin as a 755 folder where all configurations are world readable.
Secrets are accessible to all local users of the system. This includes:
- Session tokens, which can be used to hijack other users’ sessions
- Hashed passwords
- Configuration files, which may include credentials for other services
Fix on master branch: “jellyfin: fix permissions on state directory” by lheckemann, NixOS/nixpkgs PR #175729
Fix on nixos-22.05 branch: “[Backport release-22.05] jellyfin: fix permissions on state directory” by github-actions[bot], NixOS/nixpkgs PR #175761
Fix on nixos-21.11 branch: “[Backport release-21.11] jellyfin: fix permissions on state directory” by github-actions[bot], NixOS/nixpkgs PR #175760
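As an added example (not part of the advisory or of the nixpkgs module), the following POSIX shell functions audit a service state directory for the world-readable mode described above and apply the same 0700 mode the fixed module sets. The function names and the use of `stat -c` (GNU) with a `stat -f` (BSD) fallback are assumptions; the path to check on a real system would be /var/lib/jellyfin.

```shell
#!/bin/sh
# Added example, not code from the advisory or the NixOS Jellyfin module.
# Audits a state directory for the pre-fix condition (group/other bits set,
# e.g. 755) and remediates to 0700 as the fixed module does.

# Print the octal permission bits of a path, e.g. "755" or "700".
# Assumes GNU stat (-c); falls back to BSD stat (-f).
perm_bits() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Return 0 when the directory denies group and other all access (0700),
# 1 when any group/other bit is set (the pre-fix 755 state), 2 if missing.
state_dir_is_private() {
  dir=$1
  [ -d "$dir" ] || return 2
  bits=$(perm_bits "$dir")
  # Keep only the last three octal digits (drop setuid/setgid/sticky).
  bits=$(printf '%s' "$bits" | sed 's/.*\(...\)$/\1/')
  group=${bits%?}; group=${group#?}
  other=${bits#??}
  [ "$group" = 0 ] && [ "$other" = 0 ]
}

# List regular files under the directory that are readable by "other".
# Locking the directory to 0700 blocks traversal by other local users, but
# the files themselves keep their own mode bits, so this shows what would
# be exposed if the directory mode were ever loosened again.
world_readable_files() {
  find "$1" -type f -perm -004
}

# Apply the mode the fixed module uses and confirm the result.
lock_down_state_dir() {
  chmod 0700 "$1" && state_dir_is_private "$1"
}
```

Running `state_dir_is_private /var/lib/jellyfin` on a system that has not picked up the fix returns 1; after the update (or `lock_down_state_dir`) it returns 0.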