Message ID | 43C294C3.9070301@cadsoft.de |
---|---|
State | New |
Headers |
From: Klaus Schmidinger <Klaus.Schmidinger@cadsoft.de> Date: Mon, 09 Jan 2006 17:52:19 +0100 To: vdr@linuxtv.org Subject: [vdr] VDR 1.3.38 and "-u root" |
Commit Message
Klaus Schmidinger
Jan. 9, 2006, 4:52 p.m. UTC
There have been reports from people who want to run VDR as user 'root' and have trouble with access rights when using "-u root".

The attached patch simply skips all the SetCaps() and SetUser() stuff when VDR is started as 'root' and the option "-u root" has been given. This should then behave just like older versions.

Klaus
Comments
Klaus Schmidinger wrote:
> There have been reports from people who want to run
> VDR as user 'root' and have trouble with access rights
> when using "-u root".
>
> The attached patch simply skips all the SetCaps() and SetUser()
> stuff when VDR is started as 'root' and the option "-u root"
> has been given. This should then behave just like older versions.
>
> Klaus
>

Hi Klaus,

Thanks for the patch. It solves my problem with the text2skin-plugin, that was not able to load a lot of the channel logos or needed fonts if they were accessed via a symlink.

Oliver

On Monday 09 January 2006 18:54, Oliver Friedrich wrote:
> Klaus Schmidinger wrote:
> > There have been reports from people who want to run
> > VDR as user 'root' and have trouble with access rights
> > when using "-u root".
> >
> > The attached patch simply skips all the SetCaps() and SetUser()
> > stuff when VDR is started as 'root' and the option "-u root"
> > has been given. This should then behave just like older versions.
> >
> > Klaus
>
> Hi Klaus,
>
> Thanks for the patch. It solves my problem with the text2skin-plugin,
> that was not able to load a lot of the channel logos or needed fonts if
> they were accessed via a symlink.
>
> Oliver
>

Hi Oliver,

A better approach would be to just set the permissions of the files to sane values as I think running vdr as non-root is a lot better.

Matthias

Matthias Schwarzott wrote:
> On Monday 09 January 2006 18:54, Oliver Friedrich wrote:
>
>>Klaus Schmidinger wrote:
>>
>>>There have been reports from people who want to run
>>>VDR as user 'root' and have trouble with access rights
>>>when using "-u root".
>>>
>>>The attached patch simply skips all the SetCaps() and SetUser()
>>>stuff when VDR is started as 'root' and the option "-u root"
>>>has been given. This should then behave just like older versions.
>>>
>>>Klaus
>>
>>Hi Klaus,
>>
>>Thanks for the patch. It solves my problem with the text2skin-plugin,
>>that was not able to load a lot of the channel logos or needed fonts if
>>they were accessed via a symlink.
>>
>>Oliver
>>
>
> Hi Oliver,
>
> A better approach would be to just set the permissions of the files to sane
> values as I think running vdr as non-root is a lot better.

Probably all *nix-purists will lynch me, but I really think that having elaborate permissions on a STB is rather far fetched. Set_Top_Box does NOT need _any_ of that.

On Monday 09 January 2006 20:51, Lauri Tischler wrote:
> > A better approach would be to just set the permissions of the files to
> > sane values as I think running vdr as non-root is a lot better.

Does this solve all requirements?

>
> Probably all *nix-purists will lynch me, but I really think that
> having elaborate permissions on a STB is rather far fetched.
> Set_Top_Box does NOT need _any_ of that.

At least 3 modes of operation would be interesting:

"read only mode" - anything works but no changes upon configuration are allowed, no deletes and (likely) no user-commands - you can sit anyone in front of your system and need no worry

"read/record/delete" - anything allowed but no changes on configuration (aka channels, setup, plugins) - girlfriend mode ;-)

"full access" - aka administration mode, well...

Matthias Schwarzott wrote:
>
> Hi Oliver,
>
> A better approach would be to just set the permissions of the files to sane
> values as I think running vdr as non-root is a lot better.
>
> Matthias
>

Hi Matthias,

All the files have the same permissions, user and group (root:root [and I know that this is not a good idea :)]). But it was not possible to use the font and graphic files if they are referenced with symlinks.

I will try tomorrow if the problem exists if I use a special vdr user, but why should it work with non-root when it doesn't with the root user?

Oliver

I demand that Lauri Tischler may or may not have written...

[snip]
> Probably all *nix-purists will lynch me, but I really think that having
> elaborate permissions on a STB is rather far fetched. Set_Top_Box does NOT
> need _any_ of that.

But Generic_Desktop_Computer does. :-)

Klaus Schmidinger wrote:
> There have been reports from people who want to run
> VDR as user 'root' and have trouble with access rights
> when using "-u root".
>
> The attached patch simply skips all the SetCaps() and SetUser()
> stuff when VDR is started as 'root' and the option "-u root"
> has been given. This should then behave just like older versions.

Wouldn't it be a lot more natural and intuitive if the default for -u would be not to switch users at all? It wouldn't change the (previous) default behavior and it doesn't use two hard-coded user names (vdr and root). Specifying -u root to disable switching is at least strange...

Cheers,

Udo

Udo Richter wrote:
> Klaus Schmidinger wrote:
>
>> There have been reports from people who want to run
>> VDR as user 'root' and have trouble with access rights
>> when using "-u root".
>>
>> The attached patch simply skips all the SetCaps() and SetUser()
>> stuff when VDR is started as 'root' and the option "-u root"
>> has been given. This should then behave just like older versions.
>
>
> Wouldn't it be a lot more natural and intuitive if the default for -u
> would be not to switch users at all? It wouldn't change the (previous)
> default behavior and it doesn't use two hard-coded user names (vdr and
> root). Specifying -u root to disable switching is at least strange...
>

I think this would be the best way, too. At first I was really irritated as my vdr starts over and over again, because I didn't know that the new '-u' parameter was present (and not optional).

Oliver

Klaus Schmidinger wrote:
> There have been reports from people who want to run VDR as user
> 'root' and have trouble with access rights when using "-u root".

Yes, the direct access to the parallel port was denied so I had to use a slower mechanism in the graphlcd-plugin which is controlling LCD-display.

> The attached patch simply skips all the SetCaps() and SetUser() stuff
> when VDR is started as 'root' and the option "-u root" has been
> given. This should then behave just like older versions.

Thanks, this is now back to normal. I prefer to run vdr as root (this is my home and I'm controlling the machines :) Others might like to do it another way, so go forward.

> Klaus

Thanks !

/hgm.bg

Udo Richter wrote:
> Klaus Schmidinger wrote:
> >There have been reports from people who want to run
> >VDR as user 'root' and have trouble with access rights
> >when using "-u root".
> >
> >The attached patch simply skips all the SetCaps() and SetUser()
> >stuff when VDR is started as 'root' and the option "-u root"
> >has been given. This should then behave just like older versions.
>
> Wouldn't it be a lot more natural and intuitive if the default for -u
> would be not to switch users at all? It wouldn't change the (previous)
> default behavior and it doesn't use two hard-coded user names (vdr and
> root). Specifying -u root to disable switching is at least strange...

For distributions the only sane default is to ship vdr running as unprivileged user. It's really helpful if upstream vdr also behaves this way by default as more people and especially plugin developers notice if there are permission problems.

cu
Ludwig

Udo Richter wrote:
> Klaus Schmidinger wrote:
>
>> There have been reports from people who want to run
>> VDR as user 'root' and have trouble with access rights
>> when using "-u root".
>>
>> The attached patch simply skips all the SetCaps() and SetUser()
>> stuff when VDR is started as 'root' and the option "-u root"
>> has been given. This should then behave just like older versions.
>
>
> Wouldn't it be a lot more natural and intuitive if the default for -u
> would be not to switch users at all? It wouldn't change the (previous)
> default behavior and it doesn't use two hard-coded user names (vdr and
> root). Specifying -u root to disable switching is at least strange...
>
> Cheers,
>
> Udo

Well, due to all the hassle with the GRAB security advisory I thought it might be a good idea to not let VDR run as root unless the user explicitly requests it.

However, I do tend to share your opinion, so if nobody disagrees I'll make it so that VDR always runs under the user id it was started with, unless the '-u' option is given (and, of course, it was started as root, otherwise it can't change its user id anyway).

Klaus

Ludwig Nussel wrote:
> Udo Richter wrote:
>
>>Klaus Schmidinger wrote:
>>
>>>There have been reports from people who want to run
>>>VDR as user 'root' and have trouble with access rights
>>>when using "-u root".
>>>
>>>The attached patch simply skips all the SetCaps() and SetUser()
>>>stuff when VDR is started as 'root' and the option "-u root"
>>>has been given. This should then behave just like older versions.
>>
>>Wouldn't it be a lot more natural and intuitive if the default for -u
>>would be not to switch users at all? It wouldn't change the (previous)
>>default behavior and it doesn't use two hard-coded user names (vdr and
>>root). Specifying -u root to disable switching is at least strange...
>
>
> For distributions the only sane default is to ship vdr running as
> unprivileged user. It's really helpful if upstream vdr also behaves
> this way by default as more people and especially plugin developers
> notice if there are permission problems.

Permission Problems... it seems you are right with this assumption. I just worked several hours, trying to get bitstreamout to work.... and guess: the user vdr was not allowed to access /dev/audio*.

But still, I like the non-root concept... now vdr is more 'mature'.

greets
carsten

Ludwig Nussel wrote:
> For distributions the only sane default is to ship vdr running as
> unprivileged user. It's really helpful if upstream vdr also behaves
> this way by default as more people and especially plugin developers
> notice if there are permission problems.

Distributions usually ship with their own startup scripts, so they're free to always use -u. And even if a user starts the vdr process manually, it's usually from a non-root account, or?

(btw. my vdr has always been running unprivileged, and I've used the su patch before)

What about throwing a warning to console if vdr runs as root and no -u is specified?

Cheers,

Udo

Klaus Schmidinger wrote:
> Udo Richter wrote:
> >Klaus Schmidinger wrote:
> >>There have been reports from people who want to run
> >>VDR as user 'root' and have trouble with access rights
> >>when using "-u root".
> >>
> >>The attached patch simply skips all the SetCaps() and SetUser()
> >>stuff when VDR is started as 'root' and the option "-u root"
> >>has been given. This should then behave just like older versions.
> >
> >
> >Wouldn't it be a lot more natural and intuitive if the default for -u
> >would be not to switch users at all? It wouldn't change the (previous)
> >default behavior and it doesn't use two hard-coded user names (vdr and
> >root). Specifying -u root to disable switching is at least strange...
> [...]
> However, I do tend to share your opinion, so if nobody disagrees
> I'll make it so that VDR always runs under the user id it was started with,
> unless the '-u' option is given (and, of course, it was started as root,
> otherwise it can't change its user id anyway).

I vote for automatically using user vdr when started as root to promote the unprivileged user mode and to emphasize that using root is not recommended.

cu
Ludwig

Klaus Schmidinger wrote:
> Udo Richter wrote:
>
>> Klaus Schmidinger wrote:
>>
>>> There have been reports from people who want to run
>>> VDR as user 'root' and have trouble with access rights
>>> when using "-u root".
>>>
>>> The attached patch simply skips all the SetCaps() and SetUser()
>>> stuff when VDR is started as 'root' and the option "-u root"
>>> has been given. This should then behave just like older versions.
>>
>>
>>
>> Wouldn't it be a lot more natural and intuitive if the default for -u
>> would be not to switch users at all? It wouldn't change the (previous)
>> default behavior and it doesn't use two hard-coded user names (vdr and
>> root). Specifying -u root to disable switching is at least strange...
>>
>> Cheers,
>>
>> Udo
>
>
> Well, due to all the hassle with the GRAB security advisory I thought
> it might be a good idea to not let VDR run as root unless the user
> explicitly requests it.
>
> However, I do tend to share your opinion, so if nobody disagrees
> I'll make it so that VDR always runs under the user id it was started with,
> unless the '-u' option is given (and, of course, it was started as root,
> otherwise it can't change its user id anyway).

This is the way most software works. And with 1.3.38 it is impossible to simply get the commandline help if no useraccount 'vdr' is present on the system and the user doesn't know the '-u' switch ...

> [root@tinySOFA ~]# vdr --help
> vdr: unknown user: 'vdr'
> [root@tinySOFA ~]# vdr -u root --help
> Usage: vdr [OPTIONS]
>
>   -a CMD,   --audio=CMD    send Dolby Digital audio to stdin of command CMD
>   -c DIR,   --config=DIR   read config files from DIR (default is to read them
>                            from the video directory)
>   -d,       --daemon       run in daemon mode
>   -D NUM,   --device=NUM   use only the given DVB device (NUM = 0, 1, 2...)
>                            there may be several -D options (default: all DVB
>                            devices will be used)
> ...

Oliver

Ludwig Nussel wrote:
> I vote for automatically using user vdr when started as root to
> promote the unprivileged user mode and to emphasize that using root
> is not recommended.

Is there any reason why a software should force anyone to do what seems to be the best? I use my vdr-system for years running as root and I'm happy with it, no access from the outside world possible, so why should I waste hours for changing a lot of stuff on my vdrsystem only because some fanatics think I have to?

Yes it's better to run vdr with a non-root account and if I have to setup my vdr-system completely from scratch I will do so, but until then please leave the possibility to run it as root.

Just my 2 cents.

> cu
> Ludwig

/hgm.bg

hgm.bg wrote:
> Ludwig Nussel wrote:
>
> > I vote for automatically using user vdr when started as root to
> > promote the unprivileged user mode and to emphasize that using root
> > is not recommended.
>
> Is there any reason why a software should force anyone to do what seems to
> be the best ? I use my vdr-system for years running as root and i'm happy
> with it, no access from the outside world possible, so why should i waste
> hours for changing a lot of stuff on my vdrsystem only because some fanatics
> think i have to ?
>
> Yes it's better to run vdr with a non-root account and if i have to setup my
> vdr-system completly from scratch i will do so, but until then please leave
> the possibility to run it as root.

No one prevents you from using Linux like DOS. Just add -u root and you are done.

cu
Ludwig

2006/1/10, Ludwig Nussel <ludwig.nussel@suse.de>:
>
> I vote for automatically using user vdr when started as root to
> promote the unprivileged user mode and to emphasize that using root
> is not recommended.
>

I would prefer a secure default setting too. Experienced users, or people who think they are, can override it on the commandline, so nobody is forced to use the secure default.

Joachim.

Joachim Wilke wrote:
> 2006/1/10, Ludwig Nussel <ludwig.nussel@suse.de>:
>
> I vote for automatically using user vdr when started as root to
> promote the unprivileged user mode and to emphasize that using root
> is not recommended.
>
> I would prefer a secure default setting too. Experienced users, or
> people who think they are, can override it on the commandline, so nobody
> is forced to use the secure default.
>
> Joachim.

IMHO a program should always run as the user who invoked it, unless told otherwise. Silently changing the userid does look very counterintuitive to me.

But then I'm a strong believer in "do what I told you", not "do what you think is the best for me", especially when it comes to computers.

Andreas

Andreas Holzhammer - GMX wrote:
> Joachim Wilke wrote:
>
>> 2006/1/10, Ludwig Nussel <ludwig.nussel@suse.de>:
>>
>> I vote for automatically using user vdr when started as root to
>> promote the unprivileged user mode and to emphasize that using root
>> is not recommended.
>>
>> I would prefer a secure default setting too. Experienced users, or
>> people who think they are, can override it on the commandline, so
>> nobody is forced to use the secure default.
>>
>> Joachim.
>
>
> IMHO a program should always run as the user who invoked it, unless told
> otherwise. Silently changing the userid does look very counterintuitive
> to me.
>
> But then I'm a strong believer in "do what i told you", no "do what you
> think is the best for me", especially when it comes to computers.
>
> Andreas

I'll make it so that it runs under the user id of the caller, and only sets it to a different one if the caller is 'root' and the '-u' option is given (with a different user name than 'root').

For Ludwig Nussel there will be a Make.config option ;-)

Klaus
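
The behaviour the thread settles on (stay as the calling user, and switch only when started as root with '-u' naming a different account) can be written so that the decision is made on resolved uids rather than on the string "root". This is an added example, not VDR's code: `decide`, `drop_to` and `apply_user_option` are hypothetical names, a '-u' given by a non-root caller is assumed to be an error, and the capability retention done by SetKeepCaps()/SetCapSysTime() is left out.

```c
#define _DEFAULT_SOURCE            /* for initgroups() */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum action { KEEP_CALLER, SWITCH_USER, REFUSE };

/* Stay as the caller unless -u names a different uid; only root may switch. */
enum action decide(uid_t caller, int have_opt, uid_t target)
{
    if (!have_opt || target == caller)
        return KEEP_CALLER;
    return caller == 0 ? SWITCH_USER : REFUSE;
}

/* Irreversibly become pw. Groups go first: after setuid() the process
 * no longer has the privilege to change them. */
int drop_to(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* If root can be regained, the drop did not take effect. */
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1;
    return (getuid() == pw->pw_uid && geteuid() == pw->pw_uid) ? 0 : -1;
}

/* opt_user is the -u argument or NULL. Returns 0 on success and 2 on
 * failure (2 is the exit code used in the patch on this page). */
int apply_user_option(const char *opt_user)
{
    uid_t caller = getuid(), target = caller;
    const struct passwd *pw = NULL;

    if (opt_user) {
        pw = getpwnam(opt_user);
        if (!pw) {
            fprintf(stderr, "unknown user: '%s'\n", opt_user);
            return 2;
        }
        target = pw->pw_uid;       /* compare by uid, not by name */
    }
    switch (decide(caller, opt_user != NULL, target)) {
    case KEEP_CALLER:
        return 0;
    case SWITCH_USER:
        return drop_to(pw) == 0 ? 0 : 2;
    default:
        fprintf(stderr, "cannot switch to '%s': not started as root\n", opt_user);
        return 2;
    }
}

int main(int argc, char **argv)
{
    return apply_user_option(argc > 1 ? argv[1] : NULL);
}
```

With no '-u' argument nothing is looked up, so a help or version request does not depend on any account existing on the system.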
--- vdr.c 2006/01/08 11:49:03 1.233 +++ vdr.c 2006/01/09 16:44:15 @@ -339,14 +339,16 @@ if (getuid() == 0) { StartedAsRoot = true; - if (!SetKeepCaps(true)) - return 2; - if (!SetUser(VdrUser)) - return 2; - if (!SetKeepCaps(false)) - return 2; - if (!SetCapSysTime()) - return 2; + if (strcmp(VdrUser, "root")) { + if (!SetKeepCaps(true)) + return 2; + if (!SetUser(VdrUser)) + return 2; + if (!SetKeepCaps(false)) + return 2; + if (!SetCapSysTime()) + return 2; + } } // Help and version info:
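
Review bot: the guard `if (strcmp(VdrUser, "root"))` decides by account name rather than by uid, so only the literal string "root" skips the block; any other name that resolves to uid 0 would still go through SetKeepCaps(), SetUser() and SetCapSysTime(). Consider resolving VdrUser once and comparing its uid with getuid(), and write the test as `strcmp(VdrUser, "root") != 0` so the intent is readable at a glance. The skipped branch also deserves a comment, and ideally a log line, saying that the process keeps full root privileges there, since nothing in the hunk signals that no privilege reduction took place.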