Security Issue Using Volumio?

I noticed something strange with Volumio. I grab my audio files from my NAS and stream over the network. To connect to the NAS, I created a Samba share that is password protected that Volumio signs into.

Here’s the strange part. When Volumio is seen on the Windows network, it has a storage share. When I look into the storage share, I see the NAS drives and I don’t need to authenticate. Basically a backdoor to get to the files on the NAS. Has anyone seen this same behaviour?

Volumio shares all attached storage using Samba. So yeah, there is a chance that it re-shares your NAS.
I don’t have a NAS so never tried it, but disabling the NAS re-share shouldn’t be too hard if you know your way around the command line.

Is it disabling the re-share on the NAS or on Volumio? I have a comfort level using the command line. What are the commands?

In Volumio, ease is at the top and security is at the bottom of the list of priorities. Well, if it is there at all.
I mean, not even the standard password for user pi has been changed.

If you need some more security you have to do it yourself.

For example, start by making a new restricted user on the NAS and assign it only read privileges, and only in the folders where you keep music. Nothing more. This way at most it can show what is almost public, and still no write permission.
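An added example, not part of the thread and not Volumio's own code: a check for the re-share described above. It reads an smb.conf and a /proc/mounts listing and reports guest-accessible Samba shares whose path contains, or sits inside, a network mount. The share names, paths and host name in the sample data are constructed and are not Volumio's actual configuration.

```python
# Constructed sample inputs (hypothetical paths and host name), not a real device's files.
SAMPLE_SMB_CONF = """
[global]
    map to guest = Bad User
[storage]
    path = /srv/player
    guest ok = yes
    read only = no
[backup]
    path = /srv/backup
    guest ok = no
"""
SAMPLE_MOUNTS = """\
/dev/mmcblk0p2 / ext4 rw 0 0
//nas.example/music /srv/player/nas/music cifs rw,username=player 0 0
"""
NETWORK_FS = {"cifs", "smb3", "nfs", "nfs4"}
TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased names."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def under(child, parent):
    """True if path child equals parent or lies below it."""
    parent = parent.rstrip("/")
    return child == parent or child.startswith(parent + "/")

def guest_reshares(conf_text, mounts_text):
    """List (share, mount point, writable) for guest shares exposing a network mount."""
    mounts = [f[1] for f in (ln.split() for ln in mounts_text.splitlines())
              if len(f) >= 3 and f[2] in NETWORK_FS]
    findings = []
    for name, p in parse_smb_conf(conf_text).items():
        guest = p.get("guest ok", p.get("public", "no")).lower() in TRUE
        if name == "global" or not guest or "path" not in p:
            continue
        writable = p.get("read only", "yes").lower() not in TRUE
        findings += [(name, m, writable) for m in mounts
                     if under(m, p["path"]) or under(p["path"], m)]
    return findings
```

On a real device, pass the output of `testparm -s` and the contents of `/proc/mounts` to `guest_reshares`; each finding is a share that lets unauthenticated clients reach files the player mounted with its own NAS credentials.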