OSX: Roon sending SMB passwords as clear text!

I had some problems where Roon suddenly couldn’t connect to my NAS (after having worked perfectly fine for weeks).

Checking the running processes I found this:

/sbin/mount_smbfs -N -o nobrowse //magnus:MY_PASSWORD@nas.lan/media/Music%20-%20Modern/Magnus%20Music /Volumes/Roon-Magnus Music

So it turns out that Roon sends SMB passwords as clear text! Not very nice!

Is there no other way to do this?

More info according to: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/mount_smbfs.8.html

 -N      Do not ask for a password.  At run time, mount_smbfs reads the ~/Library/Preferences/nsmb.conf
         file for additional configuration parameters and a password.  If no password is found,
         mount_smbfs prompts for it.

On my computer the file ~/Library/Preferences/nsmb.conf doesn’t exist and perhaps could be created and used by Roon?

EDIT: Or even better use the OS X “Keychain” mechanism.

Yah, we’ll look into it… that said, this is hardly the security problem it seems, as if someone has access to your local Mac, it’s probably as your own user, and therefore can take your password out of your processes in clear text as well.

2 Likes

Good point Danny! The only thing is that I normally never see any of my passwords on my Mac and was surprised to see one in clear text…

1 Like

Agreed, it is nasty.

We will get this resolved.

I agree with @danny that having the password appear in plaintext in the process list on your local Mac is not much of a security risk. I expect that the mount_smbfs is safe about subsequently transmitting the password across the network.

It is really nasty that the password was appearing in error messages in the Roon log, and that has been remedied for our next release.

1 Like
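
Added example, not part of the thread and not Roon's code: a check for the two exposures discussed above, a password embedded in a mount_smbfs argument visible in the process list, and the same string reaching a log. The sample process lines are constructed; feeding it real output from `ps -axo pid=,user=,command=` is an assumption about how you would collect input on macOS.

```python
import re

# SMB URL form taken by mount_smbfs: //[domain;]user[:password]@server[/share]
# Only URLs that actually carry ":password" match.
CRED_URL = re.compile(
    r"//(?P<user>(?:[^/@\s;:]+;)?[^/@\s:]+):(?P<password>[^/@\s]+)@(?P<server>[^/\s]+)"
)


def redact(text):
    """Replace any password embedded in an SMB URL with a fixed marker."""
    return CRED_URL.sub(lambda m: f"//{m['user']}:***@{m['server']}", text)


def find_exposed(ps_output):
    """Return (pid, owner, server, redacted_command) for every process
    whose command line carries an SMB password."""
    findings = []
    for line in ps_output.splitlines():
        parts = line.split(None, 2)          # pid, owner, full command
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        pid, owner, command = parts
        match = CRED_URL.search(command)
        if match:
            # Never store or print the raw command: redact before reporting.
            findings.append((int(pid), owner, match["server"], redact(command)))
    return findings


# Constructed sample in "pid user command" layout (not real output).
SAMPLE_PS = """\
  412 magnus /sbin/mount_smbfs -N -o nobrowse //magnus:EXAMPLE_PASSWORD@nas.lan/media/Music /Volumes/Roon-Music
  431 magnus /sbin/mount_smbfs -N -o nobrowse //guest@nas.lan/public /Volumes/Public
  502 root /usr/sbin/syslogd
"""

if __name__ == "__main__":
    for pid, owner, server, command in find_exposed(SAMPLE_PS):
        print(f"pid {pid} ({owner}) exposes a password for {server}: {command}")
```

The same `redact()` can be applied to error messages before they are written to a log file.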