Protecting the admin UI on LAN

What did I miss during setup on my Mac (Channels DVR host)? The setup/web UI is available on port 8089 on both localhost and on the LAN interface. It doesn't require any login that I can tell. (Using an incognito window or a private browsing window, I have full access.)

Is there something I missed about how to protect the settings from unauthorized changes?

LAN is assumed to be a trusted environment. There is no authentication in place. A similar model is used by the HDHomeRun.

1 Like

Hmm, well I don't particularly trust the kids, but seeing as the HDHomeRun tuner has the same possibility for mischief, I guess the horse is already out of the barn.

Mostly I was hoping for some separation of the browser-based playback client from the rest of the UI, for those platforms that don't have a native app (desktop computers that can't run iPad apps, for example)

I have to agree. There should be an option for protecting the system settings. I have asked for this option a few times and so have others. It does seem silly not to have it if you have set up the system the way you want it and don’t want your kids or anyone else messing with it. Everyone knows that a local LAN is not really 100% trusted when you have family and friends using it.

Saying that there is no option for the HDHomeRun… well, that is true but the only thing you can do is retune the channels and upgrade the firmware :roll_eyes:
Nothing to break compared to a system where you put a lot of work getting it the way you want it.

If someone messes with my settings, the only option we have is to restore from backup which again people can mess with as it’s not locked down.

1 Like

It's not like it's a Router, NAS or PC.
I agree that maybe something like a Parental Settings PIN should be used to access Admin functions.
But if people you don't trust have access to your PC, LAN &/or WiFi, that won't help you.

1 Like

Every DVR I use other than Channels DVR/HDHomeRun requires a user and password to access settings on their webserver even on the local LAN.

EMBY
NextPVR
SageTV

1 Like

With my security hat on:

Security is like an onion: secure each layer and never assume anything is trusted.

Personally:

Most home server stuff I’ve used is secured by a username/password. But also…I’ve got bigger things to worry about securing and I kinda like accessing Channels server from different devices without having to enter credentials. Everyone’s situation is different though.

I work in network security as well. Essentially what they are doing is what other vendors of home type network equipment do. They exclude auth for 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Would I have this device in a business production type environment? No way.
But it's home consumer equipment, not a big deal honestly.

4 Likes

Again… people are still asking for it. It seems pointless having settings and parental control when you are unable to protect them! What is the point having the options when we can’t lock them down?

A good example… you set up Channels for a device that your kids use but they want to access a channel that is not appropriate for them. All they need to do is go to the web interface and make the changes. Kids are not stupid and will do anything to try to access the system.

Would you set up a router and not change the default password? No! Would you set up web filtering for your family and not have a password to protect the admin section? No!

Yes, it should be an option for those that want it. It’s common sense.

2 Likes

If you can’t trust them to stay out of things they shouldn’t be in, why in the world are you giving them a device that has a web browser? Channels settings should be the least of your worries. If you can’t trust your friends not to change settings, they shouldn’t have your WiFi password. This is silly.

1 Like

Kids and teenagers all have devices that have a web browser. Phones, tablets, etc…

Nothing is silly when it comes to locking down settings…

2 Likes

Somewhat surprising to see people taking such extreme positions on this.

Like I said above, everyone’s situation is different and though I work in security, I don’t have kids or anyone else that can access my home network. And tbh, if that changed…there are probably quite a few more things I’d want to lock down further from prying eyes before I got to Channels.

It’s not at all an unreasonable request. It’s also not completely insane or outrageous that the devs aren’t making it a huge priority. That’s just my .02

Seeing that you work in security… here’s a question for you. Would you enable SSH on any of your network devices without having a password, leaving a huge loophole?

Also, with the Raspberry Pi image… why is there an SSH button right on the main page that allows anyone free access to the entire computer? Again, there should be an option to lock it down. Why would I want a full-blown computer on my home LAN with an option to allow anyone in my family to SSH into it and do whatever they want?

Hey I’m relatively neutral. I’m not making the argument that it’s secure.

Let’s put it this way: given the opportunity to vote yes or no, I’d vote yes. But I’d likely not be out campaigning, putting signs in yards or trying to get my friends and neighbors to vote yes.

Putting it yet another way: If I made a list of 10 things that I would like the devs to improve this likely wouldn’t make my list. I also wouldn’t react in a negative way to seeing it on someone else’s list. Speaking of which, they actually did ask us to voice what we wanted to see in 2023. Maybe you added your suggestion there. I’ll be honest: that thread was already too long by the time I saw it so I didn’t add any suggestions or read through it entirely.

It’s totally ok that you feel differently. You don’t need to explain why.

I would not mind a login for the webui. Was kinda wondering why it does not have one.

So many of the things I have on my LAN do have a login, NextCloud, qBittorrent, HomeBridge, Ubiquiti Unifi, my ER router, etc... the only things that do not have any form of login to their webUI is the HDHR and the 2x RPi's CHDVR servers.

From a security standpoint, yes, I agree, should someone gain access to your network, having a secure login to a local LAN device's webGUI would be desired and may prevent, or slow down, their ability to mess with that specific device.

To prevent unwanted access to these devices' web UI, as it stands, since the CHDVR devs cannot do anything about the HDHR webGUI, the only true option is for you to have your network segregated in some fashion. This can be accomplished in multiple ways. VLANs: having the HDHR, server, and main client devices on their own VLAN, and other traffic on another. A separate DHCP server/subnet can also accomplish this. You can also set up ACLs and block access to the server, from specific devices, specifying the webgui port. These functions require a more advanced router and basic knowledge of networking. The average person, however, could try putting their kids or other users on a guest wifi/network, which can be set with restrictions on accessing other devices.
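
Added example, not part of any post in this thread and not Channels DVR code: a small Python model of the two access policies described in the thread, the "no auth for RFC 1918 sources" rule and a per-device ACL on the web UI port, evaluated over constructed connection attempts. The addresses, the admin host list and all function names are assumptions made for illustration.

```python
import ipaddress

# The three private ranges named earlier in the thread (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_UI_PORT = 8089  # port from the original question


def normalize(addr):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def lan_trusted(addr):
    """'LAN is trusted' model: no auth for loopback or RFC 1918 sources."""
    ip = normalize(addr)
    return ip.is_loopback or (
        ip.version == 4 and any(ip in net for net in RFC1918))


def acl_allows(addr, port, admin_hosts):
    """Per-device ACL: only listed admin hosts reach the web UI port."""
    if port != WEB_UI_PORT:
        return True  # other ports are outside this rule
    ip = normalize(addr)
    return ip.is_loopback or ip in admin_hosts


def evaluate(attempts, admin_hosts):
    """Return (source, trusted_by_lan_model, allowed_by_acl) per attempt."""
    return [(src, lan_trusted(src), acl_allows(src, port, admin_hosts))
            for src, port in attempts]


# Constructed sample data: addresses and roles are made up for illustration.
ADMIN_HOSTS = {ipaddress.ip_address("192.168.1.10")}  # parent's laptop
ATTEMPTS = [
    ("127.0.0.1", 8089),            # browser on the DVR host itself
    ("192.168.1.10", 8089),         # parent's laptop
    ("192.168.1.50", 8089),         # kid's tablet on the same LAN
    ("::ffff:192.168.1.50", 8089),  # same tablet seen via a dual-stack socket
    ("203.0.113.7", 8089),          # non-private source (documentation range)
]

if __name__ == "__main__":
    for src, trusted, allowed in evaluate(ATTEMPTS, ADMIN_HOSTS):
        print(f"{src:22} lan-trusted={trusted!s:5} acl-allows={allowed}")
```

The tablet passes the private-range check in both its IPv4 and IPv4-mapped forms and is stopped only by the ACL; since the browser-based player lives in the same web UI, a device blocked this way loses web playback as well.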

True, but the problem is that not many people will know how to do this or even have a decent router that allows them to do it. Most ISPs provide a basic locked down router so creating VLANs and even a guest network might not even be an option. I have also seen routers that won’t even allow you to do port forwarding too.

Or what we need is a simple button to press to lock down the settings with a password. That’s easier to have than having to try and create VLANs.

I don’t understand why the devs won’t add this as a simple option? At the end of the day we are paying for this software.

Paying for something has NOTHING to do with the user's entitlement ego or opinions on new features or overall development.

I paid for a Sports car that can go 180mph. I also pay for all the taxes and fees involved in owning and using the vehicle in my city. My tax dollars pay for the Road Maintenance.
Does that give me the right or say to drive that speed on the highway, just because I paid money? No, it does not.

This is someone else's playground, and you have to follow the rules.

And, pro tip, using the "because I paid for this and thus want it to work my way" argument is not at all a very encouraging or positive way to convince a developer to take your comments seriously.

(And, like it has already been said, "Most people" (that are not the person who set up the server) won't even be able to figure out the exact URL to use to access the Admin GUI. If said average person somehow does, they would be like, wtf is this, and close out of it. Secondly, many users do use the Admin WebGUI as a "Client" to stream content. They may not want a password on it. Though, should the devs implement such a thing, it for sure would make sense that it be optional.)

1 Like

If the main scenario here is to stop "kids" from accessing the Admin UI, then, one should just make use of the already existing Parental Controls that exist on nearly all devices and routers.

Nearly all ISP routers these days have fancy, but easy to use smartphone apps to set up the thing. Xfinity sure has a nice setup for that. With full controls to filter or block Internet access for certain devices. Even cheapo $20 off the shelf routers have such Parental Controls.
One can also set Kids user accounts on computers, or tablets/phones, and use isolated Guest accounts/wifi for visitors.
These practices should already be in place by parents if they care about monitoring their kids' online activities. And ISPs and cable companies want to make that super easy for you to do, and advertise their features that do that a lot.

1 Like

Or.... If your child messes with it do this. Put child over your knee, raise hand high in the air. With an open hand, apply quick pressure to subjects rear end. Repeat this process until your point has sunk in good enough and they have no more desire to mess with anything you tell them not to.

1 Like