Yeeek. That's a lot of options :)

As someone who is pretty savvy but has only ever left Icecast authentication at the defaults, are there any examples, as I need to get it turned off pretty quickly.

Also, as there is no "publicstats" in the admin dir, I'm guessing it is aliased somewhere. A grep finds:

src/acl.c:    acl_set_admin_str(ret, ACL_POLICY_ALLOW, "buildm3u,publicstats,publicstats.json");
src/admin.c:#define PUBLICSTATS_RAW_REQUEST "publicstats"
src/admin.c:#define PUBLICSTATS_JSON_REQUEST "publicstats.json"
src/admin.c:    { PUBLICSTATS_RAW_REQUEST, ADMINTYPE_HYBRID, ADMIN_FORMAT_RAW, ADMINSAFE_SAFE, command_public_stats, NULL},
src/admin.c:    { PUBLICSTATS_JSON_REQUEST, ADMINTYPE_HYBRID, ADMIN_FORMAT_JSON, ADMINSAFE_SAFE, command_public_stats, NULL},

...but not sure if I should start messing around in 'c' files. I'm a js guy ;)

> On 21 Jan 2024, at 11:03, Philipp Schafft <phschafft at de.loewenfelsen.net> wrote:
> 
> Good morning,
> 
> On Sun, 2024-01-21 at 10:39 +0000, TDAS wrote:
>> Can anyone tell me why /admin/publicstats is unprotected? And how I
>> go about changing that!?
>> 
>> I don't understand why it would be accessible by anyone without
>> authenticating when it is under /admin/ ??
> 
> The endpoint is meant to be a replacement for /status-json.xsl which it
> deprecates.
> 
> The admin/-namespace is basically everything that is not user provided.
> It might not be the best name, but it's called that for historical
> reasons.
> 
> Endpoints in the admin/-namespace are subject to normal access control
> (and have always been). For example mount specific endpoints have
> always been available with the source credentials as well by default.
> And the buildm3u endpoint has always been accessible to anyone (as it
> is useless otherwise).
> 
> Access to those endpoints can be controlled using the normal
> allow/deny-admin options, using "publicstats", and "publicstats.json"
> as commands.
> 
> Please also note that the different stats views are also subject to some
> content filtering logic. So you'll find that depending on which of the
> endpoints you access and depending on your used credentials you will
> have access to different data.
> 
> 
> For more details see:
> https://wiki.xiph.org/Icecast_Server/2.5_Authentication
> 
> 
> With best regards,
> 
> -- 
> Philipp Schafft (CEO/Geschäftsführer)
> Telephone: +49.3535 490 17 92
> Website: https://www.loewenfelsen.net/
> Follow us: https://www.linkedin.com/company/loewenfelsen/
> Geschäftsführer/CEO: Philipp Schafft
> 
> Löwenfelsen UG (haftungsbeschränkt)    Registration number:
> Bickinger Straße 21                    HRB 12308 CB
> 04916 Herzberg (Elster)                VATIN/USt-ID:
> Germany                                DE305133015
> _______________________________________________
> Icecast mailing list
> Icecast at xiph.org
> http://lists.xiph.org/mailman/listinfo/icecast
Good afternoon,

On Sun, 2024-01-21 at 15:08 +0000, TDAS wrote:
> Yeeek. That's a lot of options :)

It's a lot of possibilities! ;)

> As someone who is pretty savvy but has only ever left Icecast
> authentication at the defaults, are there any examples, as I need to
> get it turned off pretty quickly.

I'm not really sure here. That endpoint is meant to be public. Fiddling
with it might break things.

You could try something like this in the global <authentication> section:

<role type="anonymous" match-admin="publicstats,publicstats.json" deny-all="*" />

However keep in mind that this does not affect any roles that might have
been evaluated earlier.

> Also, as there is no "publicstats" in the admin dir, I'm guessing it
> is aliased somewhere. [...]

If you by 'alias' mean rendered, then its "alias" is the status page of
Icecast ("/status.xsl" normally aliased to "/").

> ...but not sure if I should start messing around in 'c' files. I'm a js
> guy ;)

I would suggest not to break your update path by building a custom
version. ;)

With best regards,

> > On 21 Jan 2024, at 11:03, Philipp Schafft
> > <phschafft at de.loewenfelsen.net> wrote:
> > 
> > Good morning,
> > 
> > On Sun, 2024-01-21 at 10:39 +0000, TDAS wrote:
> > > Can anyone tell me why /admin/publicstats is unprotected? And how
> > > I
> > > go about changing that!?
> > > 
> > > I don't understand why it would be accessible by anyone without
> > > authenticating when it is under /admin/ ??
> > 
> > The endpoint is meant to be a replacement for /status-json.xsl
> > which it
> > deprecates.
> > 
> > The admin/-namespace is basically everything that is not user
> > provided.
> > It might not be the best name, but it's called that for historical
> > reasons.
> > 
> > Endpoints in the admin/-namespace are subject to normal access
> > control
> > (and have always been). For example mount specific endpoints have
> > always been available with the source credentials as well by
> > default.
> > And the buildm3u endpoint has always been accessible to anyone (as
> > it
> > is useless otherwise).
> > 
> > Access to those endpoints can be controlled using the normal
> > allow/deny-admin options, using "publicstats", and
> > "publicstats.json"
> > as commands.
> > 
> > Please also note that the different stats views are also subject to
> > some
> > content filtering logic. So you'll find that depending on which of
> > the
> > endpoints you access and depending on your used credentials you
> > will
> > have access to different data.
> > 
> > 
> > For more details see:
> > https://wiki.xiph.org/Icecast_Server/2.5_Authentication
> > 

-- 
Philipp Schafft (CEO/Geschäftsführer)
Telephone:           +49.3535 490 17 92
Website:             https://www.loewenfelsen.net/
Follow us:           https://www.linkedin.com/company/loewenfelsen/
Geschäftsführer/CEO: Philipp Schafft

Löwenfelsen UG (haftungsbeschränkt)     Registration number:
Bickinger Straße 21                     HRB 12308 CB
04916 Herzberg (Elster)                 VATIN/USt-ID:
Germany                                 DE305133015
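A quick way to verify what the server actually exposes before and after a role change like the one above, as an added example that is not part of the thread or of the Icecast project's own code: a POSIX shell script that probes the stats endpoints anonymously and, optionally, with admin credentials, and reports whether each one is open, protected or absent. It assumes the server's base URL in ICECAST_URL and admin credentials in ICECAST_ADMIN as user:pass (both hypothetical variable names chosen here). The endpoint list is the two publicstats commands from the thread, the deprecated /status-json.xsl they replace, and /admin/stats as a reference point that is expected to report as protected; it requires curl and makes no request unless ICECAST_URL is set.

```shell
#!/bin/sh
# Added example (not from the Icecast project or the thread): probe which
# stats endpoints an Icecast server serves anonymously vs. with admin
# credentials. Assumes a reachable server at $ICECAST_URL, e.g.
# http://localhost:8000, and optionally $ICECAST_ADMIN as user:pass.

# Map an HTTP status code (as printed by curl's %{http_code}) to a verdict.
# curl prints 000 when no HTTP response was received at all.
classify() {
    case "$1" in
        200)     echo "open" ;;
        401|403) echo "protected" ;;
        404)     echo "absent" ;;
        000)     echo "unreachable" ;;
        *)       echo "other($1)" ;;
    esac
}

# Print the HTTP status code curl received for URL $1, authenticating with
# HTTP Basic as $2 (user:pass) when given.
http_code() {
    url=$1; auth=${2:-}
    if [ -n "$auth" ]; then
        curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 -u "$auth" "$url"
    else
        curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 "$url"
    fi
}

# Report every endpoint of interest, once anonymously and, if credentials
# were given, once as admin, so the two columns can be compared side by side.
probe() {
    base=${1%/}; auth=${2:-}
    for ep in /admin/publicstats /admin/publicstats.json /status-json.xsl /admin/stats; do
        anon=$(http_code "$base$ep")
        line="$ep anonymous=$(classify "$anon")"
        if [ -n "$auth" ]; then
            authed=$(http_code "$base$ep" "$auth")
            line="$line admin=$(classify "$authed")"
        fi
        echo "$line"
    done
}

# Only touch the network when the caller has pointed us at a server.
if [ -n "${ICECAST_URL:-}" ]; then
    probe "$ICECAST_URL" "${ICECAST_ADMIN:-}"
fi
```

Run it once before editing the <authentication> section and once after reloading the server; the publicstats lines should move from anonymous=open to anonymous=protected while the admin column stays open, and /admin/stats should read protected in the anonymous column in both runs. A 000 in every row means the base URL, not the role configuration, is wrong.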