which user-rights concept for home network with raspi4, ext. HDD (2bay), NAS, W10-PC?
#1
first of all:
I have little to no knowledge about setting up networks, user rights and security concepts.

my setup:
My Raspberry Pi 4 runs libreelec/kodi, is connected to my home network and my TV. A 2bay external HDD case with 2x1 TB (JBOD, NTFS file system with some mkv- and mp3-files on it) is connected via USB to the raspi. I just bought a 2bay NAS (qnap TS-230) with freshly installed 2x 1TB HDDs (as static volumes) for the purpose of putting mkv- and mp3-files on it, so I can play them on my raspi and maybe on my android tablet (with VLC player). Last but not least I have a Windows 10 PC in daily use in the network.

my questions:
- since I am a noob in regards of security and configuration, what are the main steps to make libreelec more safe than the default state?
- what are the main differences between "profiles" and "users"?
- if I set up users with read-only-rights - what might be a good concept?
- do I have to set up user rights within libreelec and kodi separately?

bonus question:
- since I only play mkv- and mp3-files from LE/kodi which I provide from sources which don't come from the raspi/LE/kodi - does the LE/kodi need internet connection at all?
Reply
#2
(2022-03-01, 13:17)PackhardHell Wrote: what are the main steps to make libreelec more safe than the default state?
There aren't many at all. LibreELEC is a vanilla Linux setup with only the bells and whistles to run Kodi. It is not a full-blown OS/distro. One thing you could do is fiddle with iptables as a form of a firewall, but that requires an advanced/expert Linux skill. The question perhaps is: how safe do you want/need it to be?

(2022-03-01, 13:17)PackhardHell Wrote: what are the main differences between "profiles" and "users"?
Profiles are different setups for internal Kodi "users". LibreELEC has only 1 system user: root. It has access to everything. LibreELEC by default has readonly system partition. It can be accessed but you need to know what you're doing.

(2022-03-01, 13:17)PackhardHell Wrote: if I set up users with read-only-rights - what might be a good concept?
Setting up multiple system users is not possible in LibreELEC. See the previous question.

(2022-03-01, 13:17)PackhardHell Wrote: do I have to set up user rights within libreelec and kodi separately?
As already outlined, you can only use different profiles in Kodi. These only apply to Kodi sources, databases and add-ons.

(2022-03-01, 13:17)PackhardHell Wrote: bonus question:
Kodi does not require internet access for playing videos. You will need internet access when you want to scan your video/music sources for metadata and fanart into the Kodi databases.
Reply
#3
Also I'm not sure if LibreELEC is the main security problem here. Your QNAP Nas may have a bigger issue: https://www.qnap.com/en/security-news/20...e-qnap-nas
Reply
#4
Thank you so much for your answer which helped more than you might imagine.
(2022-03-01, 16:01)Klojum Wrote:  
(2022-03-01, 13:17)PackhardHell Wrote: what are the main differences between "profiles" and "users"?
Profiles are different setups for internal Kodi "users". LibreELEC has only 1 system user: root. It has access to everything. LibreELEC by default has readonly system partition. It can be accessed but you need to know what you're doing.

I've read a general tutorial about setting up RaspberryPiOS where they recommended to change a root password first thing after setting up:
Code:

sudo -i
passwd

Would this or something similar make sense for LE, too?
(2022-03-01, 16:20)Klojum Wrote: Also I'm not sure if LibreELEC is the main security problem here. Your QNAP Nas may have a bigger issue: https://www.qnap.com/en/security-news/20...e-qnap-nas

Yeah, I've heard about it, flashed newest firmware, deinstalled all other apps and took it from the internet in the router...thx anyway.
Reply
#5
(2022-03-01, 17:26)PackhardHell Wrote: I've read a general tutorial about setting up RaspberryPiOS where they recommended to change a root password first thing after setting up:
Would this or something similar make sense for LE, too?
Raspberry Pi OS is a full OS, LibreELEC is not. So the comparison is not really useful.
And no. As already explained, LibreELEC only has one user, and LibreELEC does not have the sudo command onboard.

(2022-03-01, 17:33)PackhardHell Wrote: In a RaspiOS tutorial I read they said to change set/change root password, etc right after setup:
LibreELEC has the option to change the password for SSH access. You will be notified of that during the initial start of the LibreELEC startup wizard. Or you can simply turn off SSH access as a backdoor altogether.

(2022-03-01, 17:33)PackhardHell Wrote: Should I do something similar with libreelec, first?
There is nothing similar in LibreELEC. The best thing to do for now is use SMBv2 or higher (or NFS) as your file protocol. I think your Windows PC has a bigger chance to compromise your network than a LibreELEC device.
Reply
#6
(2022-03-01, 18:01)Klojum Wrote:
(2022-03-01, 17:26)PackhardHell Wrote: I've read a general tutorial about setting up RaspberryPiOS where they recommended to change a root password first thing after setting up:
Would this or something similar make sense for LE, too?
Raspberry Pi OS is a full OS, LibreELEC is not. So the comparison is not really useful.
And no. As already explained, LibreELEC only has one user, and LibreELEC does not have the sudo command onboard

but does libreelec have some safety features, like at least its own password? (it has been quite a while since I set up libreelec via GUI and I don't remember anymore)

(2022-03-01, 18:01)Klojum Wrote:
(2022-03-01, 17:33)PackhardHell Wrote: Should I do something similar with libreelec, first?
There is nothing similar in LibreELEC. The best thing to do for now is use SMBv2 or higher (or NFS) as your file protocol. I think your Windows PC has a bigger chance to compromise your network than a LibreELEC device.

Ok, I'll give SMBv3 a try since it is supported by my devices (Router, NAS, W10-PC, hopefully also Android-Tablet). This will bring me back to my initial question about the user-rights-concept:

where do I start?
within the GUI of the NAS,
- I could create a read-only-user within the NAS which I could name "libreelec" and connect to this user from the raspi?
- then, on the NAS I create another user with read-only called "w10" and then establish smbv4 from my windows pc to it?
- after all, I create another NAS-user called "tablet" and do the same on the tablet?
Reply
#7
A readonly user on the NAS for the RPi to connect is possible. A 2nd and 3rd readonly user for the Win PC and tablet I don't understand. Unless you want to have different users access different video files. Basically you only need 1 user on the NAS for all Kodi devices to access the video files. In Kodi you can best use the "Add network location..". Enter all details and credentials, and "things should work".™

How you are going to store new videos onto the NAS, is then a different matter for you to solve.
Reply
#8
Part of managing risk is thinking about how much of a risk you are at. A good principle to follow is the principle of least privilege. No reason to give global network write access if you don't have to. No reason making it available at all to anywhere it won't be used. Stuff like that. The LibreELEC Pi is at the bottom of your security threats imho and easily replaceable / fixable. Your storage server / nas is what you need to worry about. Again, least privilege.
Reply
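
Added example, not part of any post in this thread: a small shell check for the two recommendations made above (SMBv2 or higher, and read-only access for playback devices). It assumes the NAS share is mounted by the kernel (type `cifs` or `nfs`) so that it appears in `/proc/mounts`; shares added only through Kodi's "Add network location.." do not show up there. Hosts, share names and user names in the sample are constructed.

```sh
#!/bin/sh
# Audit a /proc/mounts-style table for network shares that are mounted
# writable or with the obsolete SMB1 dialect.
# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_mounts() {
    awk '
    BEGIN { bad = 0 }
    $3 == "cifs" || $3 == "smb3" || $3 ~ /^nfs/ {
        n = split($4, opt, ",")
        rw = 0; vers = ""
        for (i = 1; i <= n; i++) {
            if (opt[i] == "rw") rw = 1
            if (opt[i] ~ /^vers=/) vers = substr(opt[i], 6)
        }
        # Least privilege: a playback device only needs to read the media.
        if (rw) { print "WRITABLE " $1 " on " $2; bad = 1 }
        # vers=1.0 on an SMB mount means the SMB1 dialect is in use.
        if ($3 !~ /^nfs/ && vers == "1.0") { print "SMB1 " $1 " on " $2; bad = 1 }
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample table in /proc/mounts format (all values are made up).
sample_mounts() {
    cat <<'EOF'
//192.168.1.10/media /storage/nas cifs ro,relatime,vers=3.0,username=libreelec 0 0
//192.168.1.10/backup /storage/backup cifs rw,relatime,vers=3.1.1,username=admin 0 0
//192.168.1.20/old /storage/old cifs rw,relatime,vers=1.0,username=guest 0 0
/dev/mmcblk0p2 /storage ext4 rw,noatime 0 0
EOF
}

# Demo on the sample; on the device itself run: audit_mounts /proc/mounts
tmp=$(mktemp)
sample_mounts > "$tmp"
audit_mounts "$tmp" || echo "=> remount these read-only with SMB2 or newer"
rm -f "$tmp"
```

A share that is still writable when the NAS account is supposed to be read-only usually means the device is logging in with a different account than intended.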
