Music Player Daemon Community Wiki

Music Player Daemon Security


Binding to address

MPD is insecure by default: it binds to all IP addresses/interfaces on the host machine, typically allowing anyone who can reach you on the network to connect to MPD, manipulate MPD, list all your music files, etc. There are several ways to make MPD more secure. One is to set the "bind_to_address" option in the MPD config file (an example config file is provided with the MPD source and there is an example in the MPD man page). For example, to allow connections only from the local host, set "bind_to_address" to "localhost". Another option is to enable password authentication. Please read the 'man mpd' page for more information on enabling password authentication, but note that passwords are sent in the clear over the network. And, of course, another route to securing MPD is to use a firewall, such as iptables or ipchains.

Running as non-superuser

Even though there are no known root exploits in running MPD as root, it's much more sane to run any daemon that does not require root access as a non-superuser. The "user" configuration parameter of MPD is the way to do this (an example config file is included with the MPD source and an example is located in the MPD man page). Setting "user" will drop root privileges and run MPD as the user specified (some might call this "setuid" support).
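
As an added example (not part of this wiki page or the MPD project), the following Python script audits an mpd.conf for the settings discussed in the two sections above: "bind_to_address", password authentication and "user". The sample configurations and the wording of the findings are constructed; "password" is MPD's configuration parameter for password authentication, and treating values that start with "/" or "~" as Unix socket paths is an assumption of this example.

```python
import re

# Constructed samples (not from the wiki page). DEFAULT omits every setting
# discussed above; HARDENED applies bind_to_address and user.
SAMPLE_DEFAULT = '''
music_directory "/var/lib/mpd/music"
#bind_to_address "localhost"
audio_output {
    name "speakers"
}
'''
SAMPLE_HARDENED = '''
music_directory "/var/lib/mpd/music"
bind_to_address "localhost"
user "mpd"
'''

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
SETTING = re.compile(r'^(\w+)\s+"([^"]*)"')

def parse(text):
    """Collect top-level `key "value"` pairs; keys may repeat, so values are lists."""
    settings, depth = {}, 0
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.endswith("{"):
            depth += 1  # entering a block such as audio_output
        elif line == "}":
            depth -= 1
        elif depth == 0 and (m := SETTING.match(line)):
            settings.setdefault(m.group(1), []).append(m.group(2))
    return settings

def audit(text):
    """Return findings for bind_to_address, password and user."""
    cfg = parse(text)
    binds = cfg.get("bind_to_address", [])
    # Assumption: loopback names and Unix socket paths are not network-reachable.
    remote = [a for a in binds if a not in LOOPBACK and not a.startswith(("/", "~"))]
    findings = [f"bind_to_address {a} is reachable from the network" for a in remote]
    if not binds:
        findings.append("bind_to_address unset: listens on all interfaces")
    if not binds or remote:
        findings.append("password set, but it is sent in the clear" if "password" in cfg
                        else "no password on a network-reachable listener")
    if "user" not in cfg:
        findings.append("user unset: MPD keeps the privileges it was started with")
    return findings
```

Calling audit() on the text of a real mpd.conf returns an empty list when the listener is local-only and "user" is set.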

SSH Tunnel

If you have login access to a machine running SSH, you can use a client to communicate with the daemon over an SSH tunnel, which forwards local connections to $MPD_PORT (6600) to the $MPD_PORT at $MPD_HOST.

You can set up your SSH tunnel with one command:

ssh -N -L 6600:localhost:6600 username@$MPD_HOST

Now point your local MPD client to your localhost and everything should work.

This way, your machine running MPD can even have bind_to_address set to "localhost". This works for other TCP/IP-enabled daemons, too, and is not specific to MPD.
