Muse Hub runs with excessive permissions on Linux
To get access to Muse Sounds one has to install the muse-hub application. Unfortunately there are major problems with that:
- Installing the applications installs a muse-hub system service which is constantly running, even when Musescore is not in use
- The service runs with way excessive permissions. Uid 0 (root) and seemingly no protections for abuse
- The service opens TCP and UDP ports on all IPv4 and IPv6 interfaces
This is very bad for security and quite questionable for privacy.
Is there any reason this service is not started on demand and running with user privileges?
If any extra permissions are needed (I doubt it), were proper means to mitigate risks considered (dropping root privileges ASAP, confinement to private directories, etc.)?
After installing Muse Sounds pack needed stop and disable the rogue service:
systemctl stop muse-hub.service systemctl disable muse-hub.service