Security vulnerability in Jellyfin module

A security vulnerability in NixOS’s Jellyfin module was discovered and reported by Sofie Finnes Øvrelid.

Summary

The Jellyfin module exposed Jellyfin’s state directory, which contains secrets, to all local users.

Resolution

The module has been updated to set the mode of the state directory to 0700, denying other users access to the files. The issue is fixed on the current state of nixos-unstable, nixos-22.05, and nixos-21.11. Updating systems running the jellyfin module, as well as rotating secrets that may have been exposed, is recommended.

Description

(courtesy of Sofie Finnes Øvrelid)

Current installation procedures on unstable will create /var/lib/jellyfin as a 755 folder where all configurations are world-readable.

Impact

Secrets are accessible to all local users of the system. This includes:

  • Session tokens, which can be used to hijack other users’ sessions
  • Hashed passwords
  • Configuration files, which may include credentials for other services

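A post-update check a Jellyfin administrator could run, added here as an example (it is not part of the advisory or of the nixpkgs fix): it verifies that the state directory denies group/other access, as the 0700 fix intends, and lists any file under it that other local users can still read. The default path /var/lib/jellyfin is the one named in the description above; the function names are the example's own.

```shell
# Added example, not part of the advisory or of the nixpkgs fix: audit a
# Jellyfin state directory for the exposure described above.
# The default path /var/lib/jellyfin is the one named in the description;
# the function names here are the example's own.

# Permission bits of a path as octal digits, e.g. "755" (GNU stat, with
# the BSD stat form as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when neither group nor others have any access to the directory,
# i.e. the last two octal digits are 0 (mode 0700 or tighter).
dir_is_private() {
    case "$(mode_of "$1")" in
        *00|0) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print every regular file under $1 that group or others can read.
# Jellyfin's config and data files hold session tokens, hashed passwords
# and credentials for other services, so each hit is a possible leak.
exposed_files() {
    find "$1" -type f \( -perm -g=r -o -perm -o=r \) 2>/dev/null
}

# Overall check: returns 0 when the directory is private and nothing
# below it is readable by other users, 1 when an exposure is found.
audit_jellyfin_state() {
    dir=${1:-/var/lib/jellyfin}
    rc=0
    if ! dir_is_private "$dir"; then
        echo "WARN: $dir has mode $(mode_of "$dir"); expected 700" >&2
        rc=1
    fi
    leaked=$(exposed_files "$dir")
    if [ -n "$leaked" ]; then
        echo "WARN: files under $dir readable by group/others:" >&2
        printf '%s\n' "$leaked" | sed 's/^/  /' >&2
        rc=1
    fi
    return $rc
}
```

Run `audit_jellyfin_state` without arguments on the host to check the default path; a non-zero exit means the directory or something in it is still readable by other local users.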
References

fix on master branch: jellyfin: fix permissions on state directory by lheckemann · Pull Request #175729 · NixOS/nixpkgs · GitHub
fix on nixos-22.05 branch: [Backport release-22.05] jellyfin: fix permissions on state directory by github-actions[bot] · Pull Request #175761 · NixOS/nixpkgs · GitHub
fix on nixos-21.11 branch: [Backport release-21.11] jellyfin: fix permissions on state directory by github-actions[bot] · Pull Request #175760 · NixOS/nixpkgs · GitHub
