Possible security breach

  • Hi. I observed that my LibreElec device (latest version) was visible on my Windows PC, so I started to fool around the folders just to learn about its structure...

    I rapidly noticed that in /Userdata/passwords.xml, the credentials to my NAS are saved in clear (!)

    This is not good, even if documented... really not good ;(

  • Don't make LE visible to your network. This is no different than any Kodi installation: if you have access to the filesystem you can access passwords.xml, so not LE specific.

  • @emvee I believe PhilippeB is talking about the Samba share /Userdata, which is indeed readable by guest accounts, when he talks about folders. By "folder" he is not talking about filesystem access but network share access (which has the same icon as any other folder in the file explorer, thus I guess he is not telling one from the other).

    I see no passwords in this file here, but maybe I saved none.

    Or do you mean no one should have access to port 445 on the libreelec box?

  • Nothing was breached. LE intentionally ships with Samba enabled to mitigate support issues with typically low/no Linux skilled users and the default shares expose /storage/.kodi/userdata where Kodi subsequently stores passwords in cleartext. You can either disable Samba in the LE settings add-on (as you didn't choose to disable it when prompted during the first-run wizard) or you can configure a credential so there is no open access to the Samba shares.

    NB: I'll take an action to formally document our insecurities in the wiki alongside installation instructions. They are widely discussed in the forum for anyone searching for info, but not the wiki.

  • Thank you chewitt. So I guess the answer is that we should use something else than Samba to be more secure, correct?

    BTW I never enabled SAMBA in the first place (Samba to access LE device)
    The folder I was referring to was visible in Windows because the device probably multicasts an XML schema to be discoverable on the network. It is something I used to do in the past to make one of my embedded devices visible to a Windows network.

    Edited once, last by PhilippeB: Merged a post created by PhilippeB into this post. (January 18, 2025 at 6:26 PM).

  • If Samba is running (and it is by default) the service is advertised using mDNS via Avahi which helps Linux/macOS devices see the shares, and we also have WSDD2 which broadcasts in the modern format used by Windows.

    If you don't need Samba shares turn the service off (10 seconds effort). If you do, configure a user/password credential (30 seconds).

  • If Samba is running (and it is by default) the service is advertised using mDNS via Avahi which helps Linux/macOS devices see the shares, and we also have WSDD2 which broadcasts in the modern format used by Windows.

    If you don't need Samba shares turn the service off (10 seconds effort). If you do, configure a user/password credential (30 seconds).

    The docs should give at least some hints about the mechanics of who does what in the background, in order for a KODI / LE box showing up in the network neighbourhood list (in windows explorer).

    Disabling services should also have some hints, what will stop working (either directly, or indirectly due to some less-than-obvious service dependency).

    Stopping a service indeed takes only 10 sec. Being concerned (polite way of saying extremely frustrated due to I don't know what I am doing & no help at hand) about what that disable activity may (translation: surely will) break is, on the other hand, a real thing in the Kodi / LE ecosystem.

  • I created https://wiki.libreelec.tv/installation/security in the install section so it's more visible. This is public documentation that can be added-to by anyone who cares enough to make the effort.

    Much appreciated, it's a good starting point. I would love to add all my concerns into this section, but actually I am the one who needs to learn how LE is built around Kodi first. So, maybe in 2-3 years' time. Kodi and LE is too steep for me (I am experienced in IT quite well, 20+ yrs, but not into Linux & ARM unfortunately)

    I almost forgot: maybe it should be an entirely separate thread, let me know

    Separating SMB into server and client sections. What I mean is, to put that extra "SMB (client)" and "SMB (server)" designation into the menu items. Not only in the security section of the docs, but in the entire Kodi UI as well. I don't want to admit how much time I was messing with the various SMB settings in the many (are there more than 2 places? honestly I don't remember) different locations of LE, before I finally realised the reason I don't see any difference after changes is that I was in the wrong place. I was making changes to the SMB server settings, when I wanted to modify the SMB client settings.

  • I put a note in the wiki article about Samba server and Kodi SMB client being separate things. Other than that I wouldn't document the client from a security perspective as this is making outbound connections (not receiving inbound) so it's not contributing to the attack-surface of an installation.

    LE is loosely based on https://www.linuxfromscratch.org/ principles if you want to read up. Brace yourself for an exciting read :)

  • Hi guys. Thank you for your answers chewitt

    Some updates:


    I realize that LibreElec is the outside "Shell" and Kodi is the app doing the thing, so I should have posted my concerns to a Kodi forum instead, sorry about that. Then maybe Kodi is not the faulty one, maybe it's Samba.
    At this point, we are getting philosophical about it.

    I confirm that I was not looking at the right unit (I have two) and the faulty one had both avahi and samba enabled. That is now off.

    **However**

    Kodi still is using SAMBA mounts to access my NAS where my media files are located, right?
    So let's not confuse "Accessing Kodi" through SAMBA from my laptop, and "Accessing my NAS from KODI" (which will continue to happen even with SAMBA off, this has nothing to do with mounts).

    Credentials are still being stored in clear, and anybody can 'get' to these credentials by many means.
    For example, you can see them by simply using KODI UI (Gear) -> File Manager -> passwords.xml (or mediasources.xml).

    Now any friend's kid in visit to my home can get access to my NAS by simply playing with my TV remote control, which gives me the creeps. The fact that libreElec that is using Kodi that is using SAMBA punches a hole in my network security.

    Credentials should NEVER (ever) be stored in clear. A breach is a breach; whoever is responsible should at least look into it, I think. Documenting the fact that it exists doesn't protect the less skilled users.

    - A 33 year experienced embedded developer specialized in Linux/openWRT and on the cyber security committee, aka "low/no Linux skilled user" ;)

  • 1. Is your smb mount read only?

    If not, that visiting kid can delete all your media through kodi's file manager.

    2. Is your smb mount only providing media access?

    If not, that visiting kid can access all the other sensitive stuff on your nas via the file manager.


    Those have nothing to do with how the credentials are stored.


    If your answer is yes to both, then the credentials potentially being read would be not that big of a deal as that kid can already access all the contents through the file manager.


    The only issue I can see is if you reuse the same credentials so the kid being able to see the credentials causes other issues. But that's also a no no. Never use the same credentials for different things.


    All in all, I don't really see a significant security issue here. Whoever can see the credentials doesn't really need the credentials because they can already access those things.


    I believe you can protect the kodi interface with a pin (not 100% sure) but in any case, whoever you trust with access to your libreelec box, you're already trusting with access to the media on smb. Make sure it's read only to be safe.

  • I would like to say yes and yes, but I will answer no and yes.

    Kodi needs write access to 'export media DB' in multiple files, where the files are stored where the media lives.

    Exporting in multiple files is the only way I found to keep the .nfo files that say what media you listened to and what you did not, which is kinda useful if you have a large DB and are migrating to new hardware. (Sorry for being off topic, just wanted to give a thorough answer) but you are right, kid could delete ;)

  • Why are you sharing all the documents on the NAS with one username and password if you are so worried about visitors? Limit the source to the media that they can view with the remote.

    With physical access to the LibreElec file system the encryption is useless because you could just install a version of Kodi to log the user name and password, or copy the file and decrypt it elsewhere.

  • Yes this is what I do.

    I will study this. I'm trying to build for starters, for now the build fails (tried both top of develop branch and 11.0.1)

    I am thinking the network share should use asymmetric authentication, set up one time and never able to read them after.

    I'll post my findings if any, long way to go but I am a patient person.

  • SMB services are on by default to facilitate log collection in the event the user's device doesn't successfully boot to the Kodi home screen. This is considered low risk because on first boot there are no sources configured and thus no cleartext passwords being stored and exposed anywhere. After the user adds SMB/NFS sources and add-ons that store credentials (and Kodi or the add-on stores them in cleartext) the risk profile of the installation has changed.

    I think the most sensible option is to make Samba shares configurable through the LE settings add-on. Samba can then be started by default and with the logfile share defined and default enabled. Then if users want to enable other pre-defined (but default disabled) share locations they need to visit Samba settings to toggle the state. This will ensure the Kodi userdata folder is not default exposed, thus mitigating the risk of exposure from plaintext stored credentials. The logic of that is a good balance between security and usability and I'll be happy to accept your changes to add that capability to the add-on.

    NB: If you want to also address Kodi storing credentials in plaintext, send code changes to upstream Kodi. The solution to this needs to be simple and work for all currently supported Kodi OS platforms and other distros, not just for Linux on LE.
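
An audit sketch for the point made across the thread: once sources are added, the userdata folder may hold share credentials in cleartext, so it is worth checking what is there before leaving the Samba share open. This is an added example, not part of the thread and not LibreELEC or Kodi code; the XML layout in the constructed sample and the inclusion of `sources.xml` are assumptions, and the scan is schema-agnostic (it looks for any `scheme://user:password@host` URL).

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlsplit

# passwords.xml and mediasources.xml are named in the thread;
# sources.xml is an assumed additional location for source URLs.
CANDIDATES = ("passwords.xml", "mediasources.xml", "sources.xml")
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://\S+", re.I)

def find_cleartext_credentials(xml_text):
    """Return (scheme, host, user) for every URL that embeds a password."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        # Check element text and attribute values alike.
        for value in [elem.text or "", *elem.attrib.values()]:
            for url in URL_RE.findall(value):
                try:
                    parts = urlsplit(url)
                except ValueError:
                    continue  # malformed URL, nothing to report
                if parts.password:  # user:password@host form
                    hits.append((parts.scheme, parts.hostname, parts.username))
    return hits

def audit_userdata(userdata_dir):
    """Scan a Kodi userdata directory; the password itself is never returned."""
    report = {}
    for name in CANDIDATES:
        path = Path(userdata_dir) / name
        if not path.is_file():
            continue
        try:
            hits = find_cleartext_credentials(path.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue  # not well-formed XML, skip it
        if hits:
            report[name] = hits
    return report

# Constructed sample (hypothetical host, user and password).
SAMPLE = """<passwords>
  <path>
    <from pathversion="1">smb://nas.example/media</from>
    <to pathversion="1">smb://kodi:hunter2@nas.example/media/</to>
  </path>
</passwords>"""

if __name__ == "__main__":
    print(find_cleartext_credentials(SAMPLE))
    print(audit_userdata("/storage/.kodi/userdata"))
```

Any account this reports should be a dedicated, media-only NAS user, as several replies above recommend, since anyone who can reach the share or the file manager can read it.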