delacroix 1 Posted April 5, 2025
I have seen many people asking about how to remove the password reset button, as there could be some security risk or abuse of the function if you are sharing your server online. There are multiple solutions floating around, such as using custom code to hide the button from the login screen; however, that solution only works for the web app. If you try to do it from any of the apps, you can still trigger a password reset. Here is the solution that I've found that works best:
1- Trigger a password reset so the server creates the passwordreset.txt
2- Go to the server, find the file and make it immutable. If you are using Linux, then it is as easy as running the following command: sudo chattr +i passwordreset.txt
3- If you try to trigger a password reset again, the functionality won't work at all; you won't even get the message that the file was created or updated, as Emby cannot modify the file, even if running as root.
If you ever need to activate the password reset functionality again, just remove the immutability of the file by running the following command: sudo chattr -i passwordreset.txt
I guess this should also work in Windows and other systems; however, I have only tried it in Linux running Emby as a Docker container. Cheers.
Luke 42077 Posted April 5, 2025
Hi, how would anyone trigger a password reset without file system access to the server? The only thing they can actually do is start the process, which by itself doesn't do anything.
delacroix 1 Posted April 5, 2025 (Author)
You are right, you cannot complete the password reset process without access to the system, but the fact that you can initiate the process externally and there is no way to disable it has raised the question many times. The fact that the system shows a message that a file has been created for the process gives the impression that you can consume resources from the system by triggering file generation, even though we know it only overwrites the existing file. Again, I'm not saying that it is a security risk in itself, but you can see that the question has come up many times here and on Reddit as well. The workaround that I proposed is meant to give people some peace of mind in case they want to disable the option altogether and enable it if needed, that's all.
Luke 42077 Posted April 5, 2025
I guess the issue is that if you disable it then you could end up locking yourself out of your own server.
delacroix 1 Posted April 5, 2025 (Author)
I mean you need access to the server in order to complete the reset process anyways, so you only need to remove the immutability of the file by running the command again. So the risk of locking yourself out is the same as having the functionality activated. So the steps would be:
1- Remove immutability by running: sudo chattr -i passwordreset.txt
2- Trigger a reset through the UI
3- Access the file and complete the process
The only difference here is step one.
Luke 42077 Posted April 5, 2025
How would you trigger a reset in the UI if you've disabled the feature altogether?
delacroix 1 Posted April 5, 2025 (Author)
Okay, let's step back a little here. Normally when you hit the forgot password option, you get a message saying "A file was created in the server /config/passwordreset.txt", then you can go to that file and complete the process following the instructions, including the pin that's generated within the file every time you click the function in the UI... Now, if you make the file passwordreset.txt immutable, meaning that the file cannot be changed or updated until the immutable attribute is removed, then when you click the UI to perform a password reset you get no messages or feedback from the system, because the functionality is now "broken" as a result of the file immutability. As soon as you remove the immutability attribute, the function will work as intended; you don't even have to reset Emby or anything, just remove or add immutability to the passwordreset.txt as needed.
Luke 42077 Posted April 5, 2025
23 minutes ago, delacroix said: Okay, let's step back a little here. Normally when you hit the forgot password option, you get a message saying "A file was created in the server /config/passwordreset.txt", then you can go to that file and complete the process following the instructions, including the pin that's generated within the file every time you click the function in the UI... Now, if you make the file passwordreset.txt immutable, meaning that the file cannot be changed or updated until the immutable attribute is removed, then when you click the UI to perform a password reset you get no messages or feedback from the system, because the functionality is now "broken" as a result of the file immutability. As soon as you remove the immutability attribute, the function will work as intended; you don't even have to reset Emby or anything, just remove or add immutability to the passwordreset.txt as needed.
Right OK. That's a fine workaround that you can apply on your own system, but for us to put an option in our UI it would have to be a bit more obvious/user friendly than that. Ideas are obviously welcome.
delacroix 1 Posted April 6, 2025 (Author)
Yeah, the workaround that I described is not for everybody, but most people that are running Linux and exposing their server externally could do it without too much hassle. The ideal way to fix it for everybody, or at least to add some additional controls, would be to limit the functionality to private IP addresses only. For example, when you click password reset, Emby could validate if your IP is within these ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. If you are not coming from one of those ranges, then you would get a message "Try again within your Local Network" or something along those lines. A solution like that would keep the functionality as it is and prevent someone from triggering the password reset file generation externally.
Luke 42077 Posted April 6, 2025
Quoting delacroix: "The ideal way to fix it for everybody or at least to add some additional controls would be to limit the functionality to private IP addresses only. For example when you click password reset, Emby could validate if your IP is within these ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16."
The issue with this is cloud hosted servers where there is no local network access. That's why it is always available. The only difference is that when you're not in a private IP range, it will not expose the full path to the file. It will just show the file name and you'll have to be able to locate the server data folder on your own. So yes, it's trying to accommodate everyone and there are ways in which it could be better.
delacroix 1 Posted April 6, 2025 (Author)
I understand, and that could be a problem if there's no way to access the server from the local network. The solution to that is to keep the functionality open by default and then add an option to enable "Local password reset only" or something like that. That would allow people to harden their servers, but also think about the possibility of getting locked out if no local access is possible.
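To make the two behaviours discussed above concrete, here is an added example (not Emby's code, and not from any poster in this thread) of a request-gating function. With local_only=False it mirrors what Luke describes: the reset is always allowed, but only clients inside the RFC 1918 ranges delacroix listed are shown the full path; with local_only=True it implements delacroix's proposed "Local password reset only" switch, which is a hypothetical option. The data folder /config and the file name passwordreset.txt are taken from the thread; the function and option names are assumptions.

```python
import ipaddress

# The three private IPv4 ranges named in the thread (RFC 1918). Loopback and
# link-local are deliberately left out so the policy matches the post exactly.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Path shown in the thread's example message; the data folder is an assumption
# for a Docker install, where the poster saw /config.
DATA_DIR = "/config"
RESET_FILE = "passwordreset.txt"


def is_private_client(remote_addr: str) -> bool:
    """Return True when the client address lies in one of the RFC 1918 ranges.

    Anything that does not parse as an IPv4 address is treated as external,
    so a malformed or missing address never unlocks the local-only behaviour.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    if addr.version != 4:
        return False  # the thread only discusses IPv4 ranges
    return any(addr in net for net in PRIVATE_RANGES)


def reset_response(remote_addr: str, local_only: bool) -> dict:
    """Decide how a 'forgot password' request from remote_addr is handled.

    Returns {"allowed": bool, "message": str}.
    local_only=False reproduces the behaviour Luke describes (always allowed,
    full path only for private clients). local_only=True is the hypothetical
    hardening option from the thread: external clients are refused and no
    reset file is written at all.
    """
    private = is_private_client(remote_addr)
    if local_only and not private:
        return {
            "allowed": False,
            "message": "Password reset is only available from your local network.",
        }
    if private:
        return {
            "allowed": True,
            "message": f"A file was created in the server {DATA_DIR}/{RESET_FILE}.",
        }
    return {
        "allowed": True,
        "message": f"A file named {RESET_FILE} was created in the server data folder.",
    }


if __name__ == "__main__":
    # Constructed sample client addresses: two private, one public, one garbage.
    for ip in ("192.168.1.20", "172.31.255.1", "203.0.113.9", "not-an-ip"):
        print(ip, reset_response(ip, local_only=True))
```

One caveat for anyone applying this idea on a real deployment: if the server sits behind a reverse proxy, remote_addr is the proxy's own (usually private) address for every client, so a check like this would treat all traffic as local unless the proxy's forwarded-client header is trusted and parsed first. That is also why the lockout concern in the thread matters: a cloud-hosted server with no private-range client would never be able to use the reset with local_only enabled.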
Luke 42077 Posted April 19, 2025
Yes that makes sense. Thanks for the feedback.
volkmarg 0 Posted Monday at 09:52 PM
@delacroix Thanks for sharing your workaround. @Luke I have been looking into modifying the lost password behaviour, because the default behaviour of Emby Theatre seems to be to launch a system web browser to display the "Help" page of the password reset screen. On my system, I am running Emby Theatre in a kiosk mode, which does not usually allow starting other applications, in particular no internet browsing applications. Having a way to start a web browser without even logging into the Emby server obviously isn't exactly what I want.
Luke 42077 Posted Tuesday at 01:00 AM
3 hours ago, volkmarg said: @delacroix Thanks for sharing your workaround. @Luke I have been looking into modifying the lost password behaviour, because the default behaviour of Emby Theatre seems to be to launch a system web browser to display the "Help" page of the password reset screen. On my system, I am running Emby Theatre in a kiosk mode, which does not usually allow starting other applications, in particular no internet browsing applications. Having a way to start a web browser without even logging into the Emby server obviously isn't exactly what I want.
Right, it's just a help page to help explain the process. You don't need to click it. You can do it all by following the on screen instructions. Does that help?