Security

Admin mode

Due to this exploit Tunarr supports "admin mode". By default, admin mode is disabled. Some settings, like FFmpeg executable paths, can only be edited in the Tunarr UI when Tunarr is running in admin mode

There are several ways to update sensitive settings that require admin mode.

Running in admin mode

Standalone script

Pass the --admin flag when running the script, e.g.:

 ./tunarr.sh --admin

or on Windows:

.\tunarr.bat --admin

You can also use an environment variable:

TUNARR_SERVER_ADMIN_MODE=true ./tunarr.sh

and again on Windows (Powershell):

$Env:TUNARR_SERVER_ADMIN_MODE='true'
.\tunarr.bat

or Command Prompt:

set TUNARR_SERVER_ADMIN_MODE=true
.\tunarr.bat

Docker

Start Tunarr server with the admin argument

docker run ... chrisbenincasa/tunarr:latest -- /tunarr/bundle.js --admin

Note

chrisbenincasa/tunarr#900 tracks simplifying running commands against Tunarr within a container.

or with the environment variable

docker run -e 'TUNARR_SERVER_ADMIN_MODE=true' ... chrisbenincasa/tunarr

Updating sensitive values directly

Tunarr supports other run modes other than server. One is updating settings.json values directly. This can be done against a running Tunarr server without admin mode enabled.

./tunarr.sh settings update --settings.ffmpeg.ffmpegExecutablePath="FFMEPG_PATH" --settings.ffmpeg.ffprobeExecutablePath="FFPROBE_PATH"

This also works with Docker

docker run --rm \
  ...
  chrisbenincasa/tunarr -- /tunarr/bundle.js \
  settings update \
  settings.ffmpeg.ffmpegExecutablePath="FFMEPG_PATH" \
  settings.ffmpeg.ffprobeExecutablePath="FFPROBE_PATH"