From patchwork Fri Nov 13 12:24:31 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Petri Hintukainen <phintuka@users.sourceforge.net>
X-Patchwork-Id: 12757
Received: from mta-out.inet.fi ([195.156.147.13] helo=kirsi2.inet.fi)
	by mail.linuxtv.org with esmtp (Exim 4.69)
	(envelope-from <phintuka@users.sourceforge.net>) id 1N8vCh-0000d8-RC
	for vdr@linuxtv.org; Fri, 13 Nov 2009 13:24:40 +0100
Received: from [192.168.0.47] (88.195.105.224) by kirsi2.inet.fi (8.5.014)
	id 4A77692A03E36733 for vdr@linuxtv.org;
	Fri, 13 Nov 2009 14:24:30 +0200
From: Petri Hintukainen <phintuka@users.sourceforge.net>
To: VDR Mailing List <vdr@linuxtv.org>
In-Reply-To: <20091112142344.GA15753@gentoo.local>
References: <20091112091421.GA24023@gentoo.local>
	<alpine.LNX.1.10.0911121214130.8998@skammel.site>
	<20091112122937.GA9384@gentoo.local>
	<23582ca0911120441w5bc7c5edo400b2c90695df360@mail.gmail.com>
	<20091112142344.GA15753@gentoo.local>
Date: Fri, 13 Nov 2009 14:24:31 +0200
Message-ID: <1258115071.23744.3855.camel@ph-laptop>
Mime-Version: 1.0
X-Mailer: Evolution 2.28.1 
X-LSpam-Score: -2.6 (--)
X-LSpam-Report: No,
	score=-2.6 required=5.0 tests=BAYES_00=-2.599 autolearn=ham
Subject: Re: [vdr] restricting root of xineliboutput mediaplayer?
X-BeenThere: vdr@linuxtv.org
X-Mailman-Version: 2.1.11
Precedence: list
Reply-To: VDR Mailing List <vdr@linuxtv.org>
List-Id: VDR Mailing List <vdr.linuxtv.org>
List-Unsubscribe: <http://www.linuxtv.org/cgi-bin/mailman/options/vdr>,
	<mailto:vdr-request@linuxtv.org?subject=unsubscribe>
List-Archive: <http://www.linuxtv.org/pipermail/vdr>
List-Post: <mailto:vdr@linuxtv.org>
List-Help: <mailto:vdr-request@linuxtv.org?subject=help>
List-Subscribe: <http://www.linuxtv.org/cgi-bin/mailman/listinfo/vdr>,
	<mailto:vdr-request@linuxtv.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2009 12:24:40 -0000
Status: O
X-Status: 
X-Keywords: 
X-UID: 21598

Halim Sahin wrote:
> Sorry if my question was not understood currectly.
> I don't want to run sxfe/vdr etc under a chroot env.
> My concerns are about the build-in filebrowser of xineliboutput. 
> It should be restricted to a special folder like /media.
> This whould avoid damages to the system  :-).
> More ideas?

To prevent modifying system files you should run vdr as normal user
(--user=vdr). Just don't give it write access to any other places
than /media (and /video ?). Of course this doesn't protect VDR config
files and recordings ...

For the file browser you can try attached, untested patch. Add following
line to vdr's setup.conf:
  xineliboutput.Media.RootDir=/media

Note that it is not bulletproof ; one can easily bypass the checks with
symlinks, like ln -s / /media/root.


- Petri

Index: config.h
===================================================================
RCS file: /cvsroot/xineliboutput/vdr-xineliboutput/config.h,v
retrieving revision 1.67
diff -u -r1.67 config.h
--- config.h	31 Oct 2009 19:59:50 -0000	1.67
+++ config.h	13 Nov 2009 12:00:29 -0000
@@ -318,6 +322,7 @@
     int  dvb_subtitles;            // send DVB subtitles in data stream (decode+display using xine-lib or external media player)
 
     // Media player
+    char media_root_dir[4096];     // restrict file browser
     char browse_files_dir[4096];
     char browse_music_dir[4096];
     char browse_images_dir[4096];
Index: config.c
===================================================================
RCS file: /cvsroot/xineliboutput/vdr-xineliboutput/config.c,v
retrieving revision 1.86
diff -u -r1.86 config.c
--- config.c	25 Oct 2009 12:56:11 -0000	1.86
+++ config.c	13 Nov 2009 12:00:29 -0000
@@ -662,6 +696,7 @@
   ff_h264_speed_over_accurancy = FF_H264_SPEED_OVER_ACCURACY_auto;
   ff_h264_skip_loop_filter     = FF_H264_SKIP_LOOPFILTER_auto;
 
+  strn0cpy(media_root_dir,    "/",            sizeof(media_root_dir));
   strn0cpy(browse_files_dir,  VideoDirectory, sizeof(browse_files_dir));
   strn0cpy(browse_music_dir,  VideoDirectory, sizeof(browse_music_dir));
   strn0cpy(browse_images_dir, VideoDirectory, sizeof(browse_images_dir));
@@ -918,6 +962,7 @@
   else if (!strcasecmp(Name, "Post.denoise3d.chroma"))  denoise3d_chroma = atoi(Value);
   else if (!strcasecmp(Name, "Post.denoise3d.time"))    denoise3d_time   = atoi(Value);
 
+  else if (!strcasecmp(Name, "Media.RootDir"))           STRN0CPY(media_root_dir, Value);
   else if (!strcasecmp(Name, "Media.BrowseFilesDir"))    STRN0CPY(browse_files_dir, Value);
   else if (!strcasecmp(Name, "Media.BrowseMusicDir"))    STRN0CPY(browse_music_dir, Value);
   else if (!strcasecmp(Name, "Media.BrowseImagesDir"))   STRN0CPY(browse_images_dir, Value);
Index: menu.c
===================================================================
RCS file: /cvsroot/xineliboutput/vdr-xineliboutput/menu.c,v
retrieving revision 1.71
diff -u -r1.71 menu.c
--- menu.c	11 Nov 2009 16:09:09 -0000	1.71
+++ menu.c	13 Nov 2009 12:00:29 -0000
@@ -139,6 +140,13 @@
   if(!m_CurrentDir) 
     m_CurrentDir = strdup(m_ConfigLastDir);
 
+  int RootDirLen = strlen(xc.media_root_dir);
+  if (strncmp(m_CurrentDir, xc.media_root_dir, RootDirLen)) {
+    LOGMSG("Not allowing browsing to %s (root is %s)", m_CurrentDir, xc.media_root_dir);
+    free(m_CurrentDir);
+    m_CurrentDir = strdup(xc.media_root_dir);
+  }
+
   if(m_CurrentDir[0] != '/') {
     free(m_CurrentDir);
     m_CurrentDir = strdup(VideoDirectory);
@@ -152,7 +160,8 @@
   }
 
   // add link to parent folder
-  if(strlen(m_CurrentDir) > 1)
+  int CurrentDirLen = strlen(m_CurrentDir);
+  if (CurrentDirLen > 1 && CurrentDirLen > RootDirLen)
     Add(new cFileListItem("..",true));
 
   Sort();