this post was submitted on 05 Jul 2026
32 points (83.3% liked)

Selfhosted

60482 readers
520 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

  8. AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

I'm a software developer working in the telecam sector on security related products, so I know a fair bit about system security. Yet I wound secure my own system far less than most people here if I didn't enjoy cybersecurity as a hobby.

I wonder what you are securing against? Some examples:

  • jellyfin: unless you have home videos on there, what does it matter if someone exfiltrates some movies? Surely you have basic DOS protection and/or region locking to reduce wasted network traffic, right?
  • linux: I assume nobody is using their servers as daily drive PCs, so what does it matter if somehow your system is superficially compromised. You can always reimage. Sure they could mine some bitcoin with your system, but it doesn't have that much PSU headroom to cost you much on your bills, right?

It just seems like most attack vectors lead to mild annoyance at most for most systems.

Do you guys just enjoy cybersecurity? Do you actually keep sensitive data on your self hosted systems? Do you self-host on expensive hardware? What am I missing?

you are viewing a single comment's thread
view the rest of the comments
[–] Morgikan@fedia.io 19 points 1 day ago (1 children)

My biggest concern is pivoting. Specific to Jellyfin, many users are using docker, but do not isolate the user so the daemon is operating as root. With that setup, an attacker could mount the host filesystem to the container and would own the host from that container.

Again, for the linux mention, the answer is pivoting. Many machines use Tailscale. If one of those machines were to be compromised using Tailscale's default ACL, they would be able to move laterally through the network without issue. At that point, it would be possible to modify existing nodes (ex. subnet routers, exit nodes, etc) or even add additional rogue nodes.

The question of why people care is tricky. Why should you care if your networked printer is using out of date firmware? It likely isn't storing personal information, right? It's a prime target because it's easy, poorly monitored, and opens another door. A lot of infosec is just keeping doors shut so other doors don't get opened.

[–] hirihit640@sh.itjust.works 4 points 1 day ago (1 children)

With that setup, an attacker could mount the host filesystem to the container and would own the host from that container.

Can you elaborate more on this? Assuming an attacker is in the Jellyfin container with full remote code execution, how could they mount the host filesystem?

[–] Morgikan@fedia.io 3 points 1 day ago (1 children)

It would depend on having access to misconfigured permissions or docker.sock like when you chain containers to manage other containers. Because you have access to docker.sock and that socket can send API calls to the docker daemon (which is run from root) those commands would inherit the same level of access. An attacker could make the API call to mount /:/root and then access the host filesystem.

It's just an example of how even though the container might not have anything worthwhile, it can be used to laterally move and open another door.

[–] hirihit640@sh.itjust.works 4 points 1 day ago (1 children)

Got it. Access to docker.sock is definitely something to be wary of, or CAP_ADMIN, or access to certain host devices.

Worth mentioning though that Jellyfin usually has none of these.

[–] erev@lemmy.world 2 points 1 day ago

Also worth mentioning that Linux recently has had two massive privilege escalation vulnerabilities that bypass system namespacing and thus also provide container escapes.