Caution about Volumio

I have come across something about Volumio that I find truly mind boggling.

By default, the root (admin) user on Volumio is user="volumio", password="volumio".
@Woland provided instructions for how to change the password for better security.
https://www.superbestaudiofriends.o...treamer-configuration-tips.11017/#post-348786

TL;DR: Changing the password to anything else besides "volumio" can cause things to fail in Volumio

Here's my story. I decided to end my Spotify subscription (you can guess why and you'd probably be right, but that's for another discussion). Therefore I wanted to uninstall the Spotify and Spotify Connect plug-ins from Volumio. Uninstall failed for both plug-ins.



I used Volumio's convenient tool to get a log file.
https://volumio.github.io/docs/User_Manual/Sending_logs_for_troubleshooting.html
This is actually quite useful and it is used extensively in the Volumio community forums to debug issues.

In my log file, I found these lines:

Code:

Jan 30 09:49:48 pi2aes volumio[858]: info: Starting Uninstall of plugin music_service - spop
Jan 30 09:49:48 pi2aes volumio[858]: info: Uninstalling plugin spop
Jan 30 09:49:48 pi2aes volumio[858]: info: Disabling plugin spop
Jan 30 09:49:48 pi2aes volumio[858]: info: Checking if uninstall.sh is present
Jan 30 09:49:48 pi2aes volumio[858]: info: Executing uninstall.sh
Jan 30 09:49:48 pi2aes sudo[1244]: pam_unix(sudo:auth): authentication failure; logname= uid=1000 euid=0 tty= ruser=volumio rhost=  user=volumio
Jan 30 09:49:51 pi2aes sudo[1244]: pam_unix(sudo:auth): conversation failed
Jan 30 09:49:51 pi2aes sudo[1244]: pam_unix(sudo:auth): auth could not identify password for [volumio]
Jan 30 09:49:51 pi2aes sudo[1244]:  volumio : 1 incorrect password attempt ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh /data/plugins/music_service/spop/uninstall.sh
Jan 30 09:49:51 pi2aes volumio[858]: info: Uninstall script return the error Error: Command failed: echo volumio | sudo -S sh /data/plugins/music_service/spop/uninstall.sh > /tmp/installog
Jan 30 09:49:51 pi2aes volumio[858]: [sudo] password for volumio: Sorry, try again.
Jan 30 09:49:51 pi2aes volumio[858]: [sudo] password for volumio:
Jan 30 09:49:51 pi2aes volumio[858]: sudo: no password was provided
Jan 30 09:49:51 pi2aes volumio[858]: sudo: 1 incorrect password attempt

The uninstall code is using sudo to run a privileged command, which requires the root password. Apparently the uninstall code is hardcoded to provide "volumio" as the password. However I had changed the root password so the password failed and it cannot proceed with the uninstall.

I posted on the Volumio community forum about it, and it was confirmed:


So there you have it. Everywhere sudo is used in Volumio code, "volumio" is hardcoded as the password. I was flabbergasted. This is amateur hour software development. I can understand a quick hack for a personal project, but this is distributed to many thousands worldwide.

The funny thing is that I can't even change the password back to "volumio". The Linux system rejects it as a new password because it is too simple.

Next, I recalled that since upgrading to Volumio 3, I've been seeing a red warning box appear briefly on the screen right after bootup. I had been ignoring it because it was displayed only briefly and I thought it was something temporary. When I look at it more closely now and read the message, it is from the Music Services Shield plugin and it is also the password error. It is using the sudo command and supplying "volumio" as the password. The Music Services Shield plugin has been failing and not doing anything.

 

I don't use Volumio and I'm never likely to. I don't even have a raspberry pi. Occasionally wonder about them, but history says I won't get around to it.

None the less, your post is shocking. It's worse than amateur-hour: it's as bad as cheap IoT devices with admin/password setups. (Hello everyone: if you never have,do check your router, modem, ip cameras, etc etc)

 

The late lamented Dennis Ritchie would be sad that his invention was so overlooked.

 

That explains a few things I've come across. Luckily they aren't showstoppers in my case but good to know regardless.

 

At least the Volumio in my minidsp is locked down, otoh i don't even have access...

 

I learned that if you go into superuser mode first, you can change the password back to "volumio" (it won't check for simple password). Run these two commands to update the password for user volumio. Enter your current password to enter superuser mode, then enter "volumio" as the new password.

Code:

sudo -s
passwd volumio

Anyway, if your Volumio system seems to be running hot, it might be doing crypto mining