I mean, the worst that could happen is they delete everything on the server and I have to spend time restoring from a backup. Not exactly the riskiest thing to do.
I am using a non-privileged user on jellyfin.
Admin stuff needs to be done with a hidden user.
I might should be bothering to do rootless docker at some point…
depending what is on it, and your risk factor, theoretically an attacker can check known resource paths to confirm or deny whats on the server. That’s my main complaint currently on it is that the jellyfin team is aware of the fact that it doesn’t need authentication, but are looking for some miracle solution that won’t toss legacy clients out in order to fix, so therefore the issues are just perpetually open.
edit: it looks like some of these issues may be being worked on now that they moved the problemic protocal into a plugin. I hope that that means they will close them in the next few releases!
I’ve had my instance open to the internet for about two years with no issues.
So far. That you know of.
I mean, the worst that could happen is they delete everything on the server and I have to spend time restoring from a backup. Not exactly the riskiest thing to do.
Well, the worst that could happen is they start hosting CSAM out of your house and then the FBI knocks on your door.
Ok, fair enough. I don’t think that’s likely though.
I am using a non-privileged user on jellyfin.
Admin stuff needs to be done with a hidden user.
I might should be bothering to do rootless docker at some point…
depending what is on it, and your risk factor, theoretically an attacker can check known resource paths to confirm or deny whats on the server. That’s my main complaint currently on it is that the jellyfin team is aware of the fact that it doesn’t need authentication, but are looking for some miracle solution that won’t toss legacy clients out in order to fix, so therefore the issues are just perpetually open.
edit: it looks like some of these issues may be being worked on now that they moved the problemic protocal into a plugin. I hope that that means they will close them in the next few releases!