Posted by trig on February 9, 2017

Mick M wrote to us about a problem connecting his Mac to Squeezebox Server running on a QNAP NAS. We don't quite know what the problem was yet, but it prompted us to flag a few pieces of information about using a NAS as a Squeezebox server that we haven't published before.

The original version of LMS on QNAP, which was supported by QNAP, required an additional piece of software called SSOTS (Squeezebox Server on Turbostation). However SSOTS was found to be insecure and vulnerable to "Shellshock". QNAP stopped supporting SSOTS/LMS in 2015 and as far as we know a new version of SSOTS that is secure has not yet been produced. So ...

  • ... if you are running SSOTS/LMS on an old NAS (pre 2015) using an original QNAP NAS operating system, chances are it is insecure, and it may or may not work properly.
  • If you are running LMS on a newer NAS with SSOTS + LMS it’s likely to be insecure AND not work properly. 
  • As far as we know the only effective way to ensure LMS runs well on a QNAP NAS without any security holes, is to set up some kind of Container that isolates LMS from the rest of the NAS environment while still providing read-only access to music files stored outside the Container. 
  • Another option is to use the NAS only to hold the files and to run the server software on another machine (cheap and cheerful and effective, like a Raspberry Pi) that accesses the music files on the NAS.

We understand that the same problem exists for other NAS boxes too, not just QNAP. The only NAS for which a customized version of Squeezebox server currently is the Netgear NAS. 

