Is there an existing issue for this?

• I have searched the existing issues

Is your issue described in the documentation?

• I have read the documentation

Is your issue present in the nightly release?

• This issue is present in the nightly release

Describe the Bug

You are able to reset the Sunshine credentials without elevated rights, which could allow systems that have been already compromised with user level privileges to getting full remote access and capability to pair new clients with the default settings of Sunshine.

This is mostly caused by the fact that the config directory is giving users modify and read access, which prevents the need for having administrator privileges.

Expected Behavior

When resetting credentials, if the current user is not running Sunshine in an elevated context, it should reject the request telling them to run it again with administrator level privileges.

Additional Context

Workaround is to go in advanced settings and configure a different location for the credentials, which you can then add deny permissions to users.

It is considered a low security risk as it already requires the users machine to be compromised in some way. However, if users are doing something stupid, like sharing the sunshine directory via SMB to everyone on the local network you could exploit resetting the credentials by editing the app.json file to execute the password reset commands when user starts a stream.

Host Operating System

Docker

Operating System Version

Windows 11

Architecture

32 bit

Sunshine commit or version

0.18.0

Package

Windows - installer

GPU Type

Nvidia

GPU Model

N/A

GPU Driver/Mesa Version

N/A

Capture Method (Linux Only)

No response

Config

N/A

Apps

No response

Relevant log output

N/A