ROCK on NUC - Network file sharing a security risk?

I don't think so, it allows outgoing connections to SMB shares to send an empty password. But I agree it is not ideal for sure. That is why I use my NAS mount method, to prevent it being necessary at all.

EDIT: Also I am 99% sure SMB1 enables this setting by default which is probably why it makes things work when it is installed!

EDIT: Yes it does, from the link I posted above


It also means unencrypted transfers and possibly other side effects. I don’t know how ROCK works, but you should be able to set security on its shares.

You can't, unfortunately. Perhaps this would be a better thing to implement in Roon OS 2.0?

So I had simply assumed if someone went on a rant that SMB1 is the only supported protocol and how bad that is, that this would actually be the case, but your insightful post made me check. This is my MacBook having mounted the ROCK share, by default settings:

mario@chronic ~ % mount
/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
[…]
//GUEST:@rock/Data on /Volumes/Data (smbfs, nodev, nosuid, noowners, mounted by mario)
mario@chronic ~ % ls /Volumes/Data
Codecs RAATServer Reinstall RoonOS Storage
MachineSettings README.txt RoonGoer RoonServer
mario@chronic ~ % smbutil statshares -m /Volumes/Data/|grep VERSION|awk '{print $2}'
SMB_2.002
mario@chronic ~ %

I apologize for not having checked before arguing myself.


Thinking of it, my QNAP has SMB1 disabled and connects OK; my Windows 11 does too, and SMB1 isn't enabled. Yet on my Ubuntu I can only connect via SMB1; I tried every other way and it would not mount. So perhaps there are some compatibility issues?

Indeed, it would appear that Roon OS is already using SMB v3.

My Windows 11 PC does not have SMB v1 enabled, but uses SMB v3, and is able to see (and write to) Roon OS file shares with no problem…


Addendum: and I don’t have the parameter AllowInsecureGuestAuth in the registry at all. I use Windows Local Accounts, and have secure access to fileshares on my Windows PC.


I guess it’s the insecure guest auth? If that is enabled then SMB 1 is not required. But if you enabled SMB1 then insecure guest auth is enabled by default.

Ubuntu runs Samba, Rock runs Samba, seems very unlikely that it’s that.

I think it’s whether or not the SMB or samba service also supports the insecure guest auth.

My NAS (Synology) is not using SMB1 but will still connect to ROCK, so it must therefore implement insecure guest. But if it didn’t it would not work at all.


Version conflict was what I meant. I can mount via the Ubuntu desktop with no issues. But when setting it to auto-mount via fstab, it would not do it without being set to use SMB1.

Makes sense, I have had apps on my phone that won't connect to it and some that do. So I think you're right that it's down to it not having a non-guest username, and some support that and others don't.

Coming to think of it, I ran Ubuntu until December, how quickly we forget. :rofl: I only ever mounted ROCK in the Nautilus file manager and it connected fine. Ubuntu should try the highest version possible, but I never checked the version and no idea what it negotiated eventually. Now I have Ubuntu in a Parallels VM on the Mac and I tried now, but from within the VM the ROCK gets mounted via prl_fs (Parallels FS), so samba does not get actually involved and so there is no version to check.


Given the take-up of Windows 11, that leaves a looong window of availability for home users. I'm still on 10 as I don't have a TPM chip.

Also, most people don't run Roon on their work kit.
None of my work laptops from a proper enterprise-class environment would let me install it, never mind allow the connectivity.


Hot off the press … it’s been demonstrated that Roon OS is not dependent on SMB1 … but Insecure Guest Authentication still needs to be enabled.


Er, @Carl - I don’t have this parameter in my Windows 11 PC at all, I’m using SMB v3 and access my ROCK/NUC without a problem…

the parameter AllowInsecureGuestAuth in the registry

I had to add this on a modern Windows Server OS (2022), not on Windows 10/11

I use a combination of NUC10i5 with Roon 1.8 Legacy with Synology NAS. I just checked that the SMB was configured with maximum SMB3 and minimum SMB2. I have not tried setting the minimum to SMB3 (i.e. forcing it to run SMB3 exclusively). But it runs fine. So I guess at the minimum ROON supports SMB2.

This is what “smbutil statshares -a” shows on a Mac when connecting to ROCK

SMB 2.002 is used for connections to ROCK. So no “SMB 1 only”, as has been pointed out before by other people already. SMB 3 would be nice to have in the future though.

The real security risk is definitely the guest access. More security using proper login credentials to ROCK (both Web interface and SMB access) has been on the wishlist for RoonOS 2.0 for a long time and should definitely be delivered by ROON to meet reasonable security standards.
Accompanied by a (default) option to not use login credentials, the choice is with the user and everybody will be happy.

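An added example, not part of any post in this thread: a shell check for the two things the macOS posts above inspected by hand, whether an SMB share is mounted as guest and which dialect was negotiated. The sample `mount` and `smbutil statshares` text is constructed from the session quoted earlier; the function names and the `SMB_1`/`SMB_3` dialect prefixes are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Sample text below is constructed.
SAMPLE_MOUNT='/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
//GUEST:@rock/Data on /Volumes/Data (smbfs, nodev, nosuid, noowners, mounted by mario)
//mario@nas/music on /Volumes/music (smbfs, nodev, nosuid, mounted by mario)'
SAMPLE_STATS='SHARE                         ATTRIBUTE TYPE                VALUE
Data
                              SERVER_NAME                   rock
                              SMB_VERSION                   SMB_2.002'

# stdin: `mount` output. Prints "mountpoint<TAB>server/share" for every smbfs
# mount whose URL carries the GUEST user or no user at all.
guest_smb_mounts() {
  awk '/\(smbfs[,)]/ && $2 == "on" {
    url = $1; sub(/^\/\//, "", url)
    user = ""; rest = url; at = index(url, "@")
    if (at > 0) { user = substr(url, 1, at - 1); rest = substr(url, at + 1) }
    sub(/:.*$/, "", user); sub(/^.*;/, "", user)   # drop ":password" and "DOMAIN;"
    mp = $0; sub(/^[^ ]+ on /, "", mp); sub(/ \(smbfs.*$/, "", mp)
    if (user == "" || toupper(user) == "GUEST") printf "%s\t%s\n", mp, rest
  }'
}

# stdin: `smbutil statshares -m <mountpoint>` output. Prints the dialect.
smb_dialect() { awk '$1 == "SMB_VERSION" { print $2; exit }'; }

# Map a dialect string to what it implies for data in transit.
dialect_note() {
  case "$1" in
    SMB_1*) echo "SMB1: deprecated dialect" ;;
    SMB_2*) echo "SMB2: dialect has no transport encryption" ;;
    SMB_3*) echo "SMB3: encryption available if the server enables it" ;;
    *)      echo "dialect not recognised" ;;
  esac
}

# Report over the constructed samples. On a Mac, feed `mount` and
# `smbutil statshares -m "$mp"` into the same functions instead.
audit_sample() {
  tab=$(printf '\t')
  printf '%s\n' "$SAMPLE_MOUNT" | guest_smb_mounts |
  while IFS="$tab" read -r mp share; do
    d=$(printf '%s\n' "$SAMPLE_STATS" | smb_dialect)
    printf 'guest mount %s (%s): %s\n' "$mp" "$share" "$(dialect_note "$d")"
  done
}
audit_sample
```

Only the guest mount is reported; the credentialed `//mario@nas/music` mount in the sample is skipped.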

EDIT: I misinterpreted your post. Obviously you’re running ROCK on an NUC and accessing music files on the NAS via Roon. Obviously outgoing SMB connections from RoonOS using SMB2 and higher work including user credentials. Otherwise Roon couldn’t access those storage locations and would be quite useless.

The whole discussion circulates on having music files on the NUC and accessing the shares provided by RoonOS via SMB to upload/modify the music files from a PC/MAC, which is realized via guest access, giving full access without providing any user credentials.


Roon on a NAS and Roon on RoonOS (=ROCK) are not the same thing.

The SMB protocol stack is provided by the operating system (in your Case DSM by Synology) and is independent of the Roon Server application.

So SMB security for Roon on NAS is not an issue, you can configure SMB 3 in DSM and set user access rights to your needs.

The same thing is not possible in RoonOS since the user has no access to the relevant settings of the SMB protocol stack via the RoonOS Web Interface.

I bet, if root access to RoonOS was possible, it would be just a matter of minutes to configure user credentials via the command line. The effort that needs to be made lies in adding these settings to the Web Interface so they can be configured by the user in a comfortable fashion.
However, this is no rocket science, so I'm wondering why Roon still haven't done it.

I assume they believe most if not all users are on a trusted network in their home where this being locked down isn’t essential. They have made it a simple device most likely for Nucleus users which is aimed at the I don’t want to meddle with tech. Turn it on it works brigade. Personally I don’t see the urgency for it to have separate user and password login for administration. In the 15 years of using network streaming servers I have not had one locked down and not had one issue.

I struggle to see why members of your family or friends visiting would even attempt to log into Rock or your storage. Do they even know how to? Or if it exists? They need to know the IP to start with, or its network name. Not exactly easy for the uninitiated, and if you can't trust your family or friends then there are bigger issues at hand than this.

If someone’s broken into your network then I think worrying about Roon is the least of your worries and I think they would have bigger fish to fry than mess with a music server.
