Comments (16)
So my preference for this would be for the install script that runs as root to choose random values and then insert these into the icecast XML file and seed the database. Then we can make this secure by default without requiring action by the user and they can modify it if they want. We will probably need to make the default streaming settings user configurable.
from libretime.
When going through the setup, I always presume that changing the rabbitmq password would break everything on the following pages... Autogenerating a secure password feels like the best way. Maybe have somewhere in admin/settings that displays it and allows it to be changed? (So Libretime and IceCast password remain in sync)
from libretime.
My understanding is to use the advanced rabbitmq setup with a different password if you prepared your server manually with a proper password. This google search shows me that the manual needs some info on manually setting up a secure rabbitmq.
The manual is also missing a walkthrough of the initial setup with more explanations, in fact I see no mention of the whole setup routine in the docs. We might opt to add links to this in the setup dialogs and also maybe reword the dialog.
from libretime.
Could we do something like this in the install script?
icecastPass=$(date | md5sum | cut -c1-9)
icecastConfig="/etc/icecast2/icecast.xml"
sed -E -i "s/(<source-password>)(.*)(<\/source-password>)/\1$icecastPass\3/" $icecastConfig
sed -E -i "s/(<relay-password>)(.*)(<\/relay-password>)/\1$icecastPass\3/" $icecastConfig
sed -E -i "s/(<admin-password>)(.*)(<\/admin-password>)/\1$icecastPass\3/" $icecastConfig
sed -E -i "s/(<master-password>)(.*)(<\/master-password>)/\1$icecastPass\3/" $icecastConfig
# update database with $icecastPass
from libretime.
Continuing here the conversation started over in a docker repo ned-kelly/docker-multicontainer-libretime#20 (comment)
@Robbt in response to your comment re: security, any reason why editing icecast.xml would be more of a concern than the editing of other files, such as airtime.conf, that the installer is already doing?
from libretime.
I suppose it isn't a bigger security concern but it would involve altering the permissions for the icecast file so that www-data could write it or perhaps adding www-data to the icecast group. Whereas airtime.conf has only ever been owned by www-data. The path forward on multiple distributions is less obvious but could be figured out.
from libretime.
Then in addition we would need to load and parse the XML file and write the appropriate passwords etc back and then have the user reboot icecast2 at the end. I think the XML stuff can be done with Simple XML or DOMDocument. This should be doable but it'll take a little bit of work in a few different places and the appropriate troubleshooting.
from libretime.
Just a note: I have noticed that just restarting Icecast does not seem to reload icecast.xml.
So I stop and then start it and it does.
from libretime.
@ned-kelly do you have any opinion on the approach @Robbt describes in his comment above?
from libretime.
Debian and Ubuntu already prompt to change the Icecast password when installing the icecast2 package.
I would also suggest that it be behind a prompt in the installer to account for people installing Icecast on a different server/already set the password/etc.
from libretime.
@paddatrapper so maybe the way we are installing the deb packages is circumventing this prompt and we could re-enable it or somehow hook into it? I don't want to reinvent the wheel here but I also don't want people to have hackme as their icecast password when they install it and don't know any better.
from libretime.
It is probably how we are installing it, using --quiet, which I think we do when installing using the script, will suppress these prompts.
My suggestion would be to not use that flag during install or promote the use of the LT deb once I get airtime-celery systemd unit running properly, because that will install using the prompt by default.
from libretime.
So I started to do some research into the best way to edit an XML file via the command line in Linux and came upon XMLStarlet, and this command:
sudo xmlstarlet ed -L -u /icecast/authentication/source-password -v nohack /etc/icecast2/icecast.xml
will for instance change the icecast.xml file - so it might be worth doing this in the install script.
Then we would also need to update the DEFAULT_ICECAST_PASS in airtime_mvc/application/configs/constants.php
to be a new value. It might make sense to use the install script to simply add random ones. I think once we save it in the DB liquidsoap should pull it automatically from the DB and put it in liquidsoap.cfg.
If we just did a random password then it might make sense to show it to the admin upon install so they can write it down. Or maybe make it accessible via the stream settings. Anything should be a step up from the current default of hackme.
from libretime.
So the database just pulls it from the preferences database - using setDefaultIcecastPassword while the constant is only pulled if there is nothing set in the database, so it's a question of bootstrapping the whole process and probably adding something into the database that inserts it into the database. We would also need to replace this in defaultdata.sql - airtime_mvc/build/sql/defaultdata.sql:INSERT INTO cc_stream_setting ("keyname", "value", "type") VALUES ('s1_pass', 'hackme', 'string');
So the next step is to start coding an approach with the install file.
from libretime.
So we have a little bit of a chicken and an egg thing going on here, because when icecast2 is installed we don't have a database setup and the database isn't created until 'airtime_mvc/public/setup/database-setup.php' is run during the installer.
So the question is do we store the icecast2 password somewhere so that the installer can read it and then add it to the database later on in the install process and simply add a new function to the database-setup.php that reads from this file and inserts the appropriate data into the database.
I think I prefer this to having the installer and www-data being added to the icecast group and having write permissions for /etc/icecast.xml - as that would probably be a bigger liability than storing the icecast2 password in a temp file.
from libretime.
The installer doesn't need to be added to the icecast group, but I agree that a temp file would be better.
from libretime.
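The approach the thread converges on (random password chosen by the root installer, written into icecast.xml, then handed to the later database step through a restricted file), sketched as an added example that is not part of any comment above or of LibreTime's installer. The function names and the stash file are hypothetical, the sample XML is constructed, and a CSPRNG replaces the `date | md5sum` idea from the earlier comment:

```shell
#!/bin/sh
# Added example: hypothetical helper names, constructed sample input.

# 128 bits from the kernel CSPRNG as 32 hex characters. Unlike `date | md5sum`
# this cannot be rebuilt from the install time, and hex is safe in sed and XML.
gen_pass() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Replace the text of one <NAME-password> element. The result is copied back
# with `cat`, so the config file keeps its existing owner and mode.
set_icecast_password() {
    cfg=$1; name=$2; pass=$3
    tmp=$(mktemp) || return 1   # mktemp creates the file with mode 0600
    sed -E "s#(<${name}-password>)[^<]*(</${name}-password>)#\1${pass}\2#" \
        "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Keep the password for the later database-setup step in an owner-only file,
# instead of giving www-data write access to icecast.xml.
stash_pass() {
    rm -f "$1"
    ( umask 077 && printf '%s\n' "$2" > "$1" )
}

# Constructed sample shaped like the stock authentication block.
write_sample_cfg() {
    cat > "$1" <<'EOF'
<icecast>
  <authentication>
    <source-password>hackme</source-password>
    <relay-password>hackme</relay-password>
    <admin-user>admin</admin-user>
    <admin-password>hackme</admin-password>
  </authentication>
</icecast>
EOF
}

# Demo on the sample: distinct password per element, source password stashed.
demo_dir=$(mktemp -d)
write_sample_cfg "$demo_dir/icecast.xml"
for el in relay admin; do set_icecast_password "$demo_dir/icecast.xml" "$el" "$(gen_pass)"; done
src=$(gen_pass); set_icecast_password "$demo_dir/icecast.xml" source "$src"
stash_pass "$demo_dir/icecast-source.pass" "$src"
echo "default passwords left: $(grep -c hackme "$demo_dir/icecast.xml" || true)"
rm -rf "$demo_dir"
```

The stash file should be deleted once the database step has read it, and Icecast needs a stop and start afterwards to pick up the new values, as noted earlier in the thread.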