ip:6544 is not secure it is ignoring parental settings on videos?

Have a MythTV related problem? Ask for help from other MythTV users here.

Moderator: Forum Moderators

Post Reply
mtvf2894
Junior
Posts: 81
Joined: Sat Apr 10, 2021 2:33 pm
Great Britain

ip:6544 is not secure it is ignoring parental settings on videos?

Post by mtvf2894 »

Just tried accessing http://ip:6544 and all Video - Video Gallery (MythVideo) entries are visible completely ignoring the parental settings that are prompted for when using the frontend application?

Does anyone have any ideas on how this could be solved? I have tried looking for a password option in the backend settings but can't find anything that seems related?

v31

Thanks
Current: v32 now v33.1 / Lubuntu 22.04 / AMD APU
Previous: v31 / Lubuntu 20.10 / AMD APU
Historic: Mythbuntu / NVIDIA GFX
User avatar
paulh
Developer
Posts: 909
Joined: Thu Feb 06, 2014 6:09 pm
Great Britain

Re: ip:6544 is not secure it is ignoring parental settings on videos?

Post by paulh »

You can password protect some or all the Service API urls but not sure if that is what you are looking for.
viewtopic.php?t=3193
User avatar
bill6502
Developer
Posts: 2307
Joined: Fri Feb 07, 2014 5:28 pm
United States of America

Re: ip:6544 is not secure it is ignoring parental settings on videos?

Post by bill6502 »

In the above, using / will block everything (more than using All). That will prevent
unauthorized access to ipOrHostname:6544 too. But there's nothing to honor
parental settings. 3rd party apps can and have set their own blocking UI.

/, by the way is likely to block UPnP. There's work afoot in master to decouple
UPnP from the API.
mtvf2894
Junior
Posts: 81
Joined: Sat Apr 10, 2021 2:33 pm
Great Britain

Re: ip:6544 is not secure it is ignoring parental settings on videos?

Post by mtvf2894 »

I did the following and it seems to have locked down the http pages as it requests username and password now for all pages it seems:

Code: Select all

curl --data AdminPassword=mythtv\&Services=/ http://backend:6544/Myth/ManageUrlProtection
However, when I now try remove the protection all curl commands fail with a 401 error.

I have tried the following but they all output a html page with error 401 unauthorised.

Code: Select all

curl --data AdminPassword=mythtv\&Services=None http://admin:mythtv@backend:6544/Myth/ManageUrlProtection
curl -u admin:mythtv --data AdminPassword=mythtv\&Services=None http://backend:6544/Myth/ManageUrlProtection
curl -u admin --data AdminPassword=mythtv\&Services=None http://backend:6544/Myth/ManageUrlProtection
Any suggestions on how to get the curl commands working again?

I have had the curl commands working again but I was repeating my steps to ensure I understood everything but must have done something different as it isn't now.

Thanks

(v31 / Ubuntu 20.10)
Current: v32 now v33.1 / Lubuntu 22.04 / AMD APU
Previous: v31 / Lubuntu 20.10 / AMD APU
Historic: Mythbuntu / NVIDIA GFX
User avatar
bill6502
Developer
Posts: 2307
Joined: Fri Feb 07, 2014 5:28 pm
United States of America

Re: ip:6544 is not secure it is ignoring parental settings on videos?

Post by bill6502 »

Hi,

The default is --basic authentication.

Use: curl --digest --user admin:mythtv --data AdminPassword=mythtv\&Services=None yourBackend:6544/Myth/ManageUrlProtection
mtvf2894
Junior
Posts: 81
Joined: Sat Apr 10, 2021 2:33 pm
Great Britain

Re: ip:6544 is not secure it is ignoring parental settings on videos?

Post by mtvf2894 »

Thanks that has allowed me to set to None now :D

For whatever reason though using / doesn't work now (it returns false) or perhaps it never worked and and it was All that worked.

For reference these are the services I have come across so far. Not sure how to get it back to default where Setup is protected and possibly other menu items but just in case this helps anyone else.

Code: Select all

None
All
/ (not working for me)
Myth
Dvr
Video
Current: v32 now v33.1 / Lubuntu 22.04 / AMD APU
Previous: v31 / Lubuntu 20.10 / AMD APU
Historic: Mythbuntu / NVIDIA GFX
User avatar
bill6502
Developer
Posts: 2307
Joined: Fri Feb 07, 2014 5:28 pm
United States of America

Re: ip:6544 is not secure it is ignoring parental settings on videos?

Post by bill6502 »

All = /Capture;/Channel;/Content;/Dvr;/Guide;/Music;/Myth;/Video

/ isn't actually valid, the ManageUrlProtection endpoint returns false, as you found.
Sorry about that. / was removed after a tester used All and MythTV's UPnP was shut
down. I did use SQL to add it just to verify that backend:6544 was protected by
it.

You can look at the setting with: curl yourBackend:6544/Myth/GetSetting?Key=HTTP/Protected/Urls\&HostName=_GLOBAL_

Note that the command line isn't the primary intent of the API, it's more for other clients (apps).
mtvf2894
Junior
Posts: 81
Joined: Sat Apr 10, 2021 2:33 pm
Great Britain

Re: ip:6544 is not secure it is ignoring parental settings on videos?

Post by mtvf2894 »

Thanks everyone for help.
Current: v32 now v33.1 / Lubuntu 22.04 / AMD APU
Previous: v31 / Lubuntu 20.10 / AMD APU
Historic: Mythbuntu / NVIDIA GFX
User avatar
stuarta
Developer
Posts: 220
Joined: Wed Feb 05, 2014 5:13 pm
Great Britain

Re: ip:6544 is not secure it is ignoring parental settings on videos?

Post by stuarta »

tbh, i doubt that ever worked. that code only ever reached "mostly complete".
The replacement is currently at "hello world" :)
mtvf2894
Junior
Posts: 81
Joined: Sat Apr 10, 2021 2:33 pm
Great Britain

Re: ip:6544 is not secure it is ignoring parental settings on videos?

Post by mtvf2894 »

I recently updated to v33.1 and now there is no password when I access http://backend:6544

Has this functionality been removed?

If it is no longer possible is there any workaround to stop access to listing/viewing anything via http:6544 that may have a parental setting set currently it ignores the parental settings and lists all videos you can also set and remove recordings which isn't great either.

Code: Select all

curl --data AdminPassword=mythtv\&Services=/ http://host:6544/Myth/ManageUrlProtection
<?xml version="1.0" encoding="UTF-8"?><bool>false</bool>

curl --data AdminPassword=mythtv\&Services=All http://host:6544/Myth/ManageUrlProtection
<?xml version="1.0" encoding="UTF-8"?><bool>true</bool>
Current: v32 now v33.1 / Lubuntu 22.04 / AMD APU
Previous: v31 / Lubuntu 20.10 / AMD APU
Historic: Mythbuntu / NVIDIA GFX
User avatar
pgbennett
Developer
Posts: 503
Joined: Mon Apr 27, 2015 5:41 pm
United States of America

Re: ip:6544 is not secure it is ignoring parental settings on videos?

Post by pgbennett »

Little to no effort has been made to secure MythTV. It is not a banking application. It does have IP level protection to prevent access from other subnets, so unless you override it in setup, people on the internet will not be able to access your backend.

Port 6544 code is being replaced by new code that is now available on port 6744. It is a complete rewrite and much is still to be done.

What problem are you trying to solve? Do you have people in your house who know how to download videos via port 6544 and watch them? Perhaps we can find a solution and build in better security in the rewrite.
mtvf2894
Junior
Posts: 81
Joined: Sat Apr 10, 2021 2:33 pm
Great Britain

Re: ip:6544 is not secure it is ignoring parental settings on videos?

Post by mtvf2894 »

pgbennett wrote:
Tue Apr 18, 2023 12:00 am
Perhaps we can find a solution and build in better security in the rewrite.
First I just want to give thanks for you being a developer of MythTV - it is great. I appreciate you can't do everything and often I guess your time goes without any thanks at all!

100% agree MythTV is not a banking application but it would be great if any web frontend of functionality can use the same "security" as the frontend application which equally isn't a banking application ;)

1. You can specify parental controls on MythVideos which require a "password" to view. Now the web frontend 6544 completely ignores this and the previous workaround of password protecting all of 6544 no longer works. It wouldn't be too bad if when you click Video Gallery in 6544 it only lists videos where their corresponding access password is blank. This means any potentially unsuitable video isn't listed.

2. You can use a menu theme the hide various menu options and even "password" protect them. The web frontend 6544 completely ignores this and the previous workaround of password protecting all of 6544 no longer works.

3. You can set a "password" to view a recgroup. The web frontend 6544 completely ignores this and the previous workaround of password protecting all of 6544 no longer works. It wouldn't be too bad if when a page is displaying it would only allow recgroups/recordings where corresponding recgroup password is blank. This means any potentially unsuitable recording isn't listed.

The cat is out of the bag I guess there is nothing I can do now. If there is a simple fix great but I appreciate users who are using the password functionality are in a massive minority so efforts are better used elsewhere.
Current: v32 now v33.1 / Lubuntu 22.04 / AMD APU
Previous: v31 / Lubuntu 20.10 / AMD APU
Historic: Mythbuntu / NVIDIA GFX
Post Reply