Security

This page collects security considerations related to Immich Distribution. Remember that the upstream Immich project is still in early and active development, so please calibrate your expectations accordingly.

Network Services

Immich is built as several discrete services communicating with each other over HTTP. Upstream Immich assumes all its processes run within a private network (typically inside Docker). This is not the case for this Snap package; while it's contained within a sandbox, the network is shared with the host system.

Important information if the OS is shared

If this system is shared with other untrusted users or processes, consider deploying Immich Distribution inside a private network namespace, container, or virtual machine. It's possible for local users or processes to trigger unwanted API calls, for example, using a command like curl http://127.0.0.1:3003/....
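
To see which of the package's listeners are bound to loopback only and which are reachable from other machines, the output of ss can be classified as follows. This is an added example, not part of Immich Distribution; the sample input is constructed, and apart from 127.0.0.1:3003 its ports, PIDs and process names are assumptions.

```shell
#!/bin/sh
# Added example: classify listening TCP sockets as loopback-only or exposed.
# Real use (root is needed to see process names owned by other users):
#   sudo ss -H -ltnp | classify_listeners

# Constructed sample of `ss -H -ltnp` output. Apart from 127.0.0.1:3003,
# the ports, PIDs and process names are assumptions, not the package's
# actual bindings.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 511  127.0.0.1:3003 0.0.0.0:* users:(("immich-server",pid=2101,fd=20))
LISTEN 0 244  127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=2050,fd=5))
LISTEN 0 511  [::1]:6379     [::]:*    users:(("redis-server",pid=2060,fd=7))
LISTEN 0 4096 0.0.0.0:80     0.0.0.0:* users:(("haproxy",pid=2200,fd=6))
LISTEN 0 4096 [::]:443       [::]:*    users:(("haproxy",pid=2200,fd=8))
EOF
}

# Reads TCP-only `ss -H -ltnp` lines on stdin (local address is field 4).
# Prints: <scope> <process> <host> <port>
classify_listeners() {
    awk '
    $1 == "LISTEN" {
        port = $4; sub(/^.*:/, "", port)        # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)     # text before the last colon
        sub(/%.*$/, "", host)                   # drop an interface suffix such as %lo
        proc = "unknown"                        # no users:() column without -p or root
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        scope = (host ~ /^127\./ || host == "[::1]") ? "loopback" : "exposed"
        print scope, proc, host, port
    }'
}

# Only the sockets reachable from other machines; these are the ones a
# firewall rule has to cover. Loopback sockets remain reachable by local
# users and processes on a shared host.
exposed_listeners() {
    classify_listeners | awk '$1 == "exposed" { print $2, $3, $4 }'
}

sample_ss_output | classify_listeners
```

Anything reported as exposed needs a matching firewall decision; anything reported as loopback is still open to other local users, which is the shared-OS case described above.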

Snapd Sandbox

If your Linux distribution fully supports all of snapd's security features (like Ubuntu), the sandbox should effectively contain processes running within the immich-distribution package. Permissions are granted per-application within the package. Overall, they are allowed to access the network and listen for incoming connections. No file system access outside the sandbox or other special permissions are granted by default.

Therefore, if you configure your firewall to limit what Immich can access, it would be difficult for a process within this package to harm your server. However, a denial-of-service attack is always a possibility.

Process Permissions

| Process | Permission | Description |
|---|---|---|
| psql | network | General network access |
| postgres | network-bind | Listen for incoming connections |
| redis-server | network-bind | Listen for incoming connections |
| immich-server | network, network-bind | General network access, Listen for incoming connections |
| immich-machine-learning | network, network-bind | General network access, Listen for incoming connections |
| haproxy | network, network-bind | General network access, Listen for incoming connections |
| sync | network | General network access |
| backup | - | |
| import | - | |
| acme | network, network-bind | General network access, Listen for incoming connections |

When inspecting your process list, you might notice several processes running as root. This can appear concerning, but note that this is root inside the sandbox, with limited capabilities. The processes are fully contained by the snapd sandbox.

If you are curious, you can inspect the sandbox environment by executing:

sudo snap run --shell immich-distribution.{PROCESS}

File Permissions

The sandbox not only limits what the application can see but also greatly restricts where it can write. The directory /var/snap/immich-distribution/common/ is used as a writable area where all application state is saved.

A process running inside a Snap package has a limited view of your host system. Its root filesystem (/) is based on a base image known as a "core snap". Immich Distribution uses core22, which is based on Ubuntu 22.04 LTS. The snapd daemon then exposes a limited list of selected paths from the host system. A Snap package can request additional paths to be exposed via permissions.

TLS and HTTPS

By default, Immich serves traffic over plain text HTTP. You can issue Let's Encrypt certificates and configure HAProxy to use them, thereby encrypting all traffic leaving the server. For more information, see Configure HTTPS.

Internal traffic between Immich services is not encrypted. This traffic is sent locally via the loopback interface (lo, 127.0.0.1), so an external observer cannot intercept it. However, this could be a security consideration if untrusted users or software are running on the same server.