Bug#704154: vdr - Fails if started without any of CAP_SYS_TIME, CAP_SYS_NICE or CAP_NET_RAW
On Fri, Mar 29, 2013 at 01:38:39AM +0100, Tobias Grimm wrote:
> CAP_SYS_TIME is required to update the system time with the time from the DVB broadcasters. This behavior is optional, disabled by default and if setting the time fails, this just gets logged to the syslog.

Most systems should have some sort of ntp daemon installed, so updating with a less accurate source is bad anyway. But okay.

> CAP_SYS_NICE is required to set the thread priority. I think VDR is correct here to exit with an error level if CAP_SYS_NICE is not available.

CAP_SYS_NICE is necessary to _higher_ the priority (aka lower the niceness). I was not able to find any rlimit calls at all in the vdr source.

> I'm not sure why CAP_NET_RAW is required. The only networking stuff happening is at the SVDRP interface.

CAP_NET_RAW is necessary to set up AF_RAW or AF_PACKET socket and set some options that can be used to do nasty stuff. I see nothing in vdr itself or the streamdev plugin.

> What do you suggest to solve this? Ignore CAP_SYS_TIME if it can't be set?

Right now I use the seccomp filter to filter away all prctl and setcap syscalls. Nothing really fails, so at least in this setup none of the capabilities are really needed. I use the streamdev-server plugin.

Bastian

--
There are always alternatives.
		-- Spock, The Galileo Seven, stardate 2822.3

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#704154: vdr - Fails if started without any of CAP_SYS_TIME, CAP_SYS_NICE or CAP_NET_RAW
Hi Bastian,

On 29/03/13 01:38, Tobias Grimm wrote:
> I'm not sure, if this qualifies for a serious severity, turning this into an RC bug.

A serious bug is, quoting [1], a severe violation of Debian policy (roughly, it violates a must or required directive), or, in the package maintainer's or release manager's opinion, makes the package unsuitable for release.

I checked again the Debian policy but couldn't spot anything relevant, so it would be nice to get a pointer, or alternatively an argument why the package should be unsuitable for release, especially so late into the freeze period. No Debian user would appreciate losing VDR in wheezy because of a bug happening in the seldom case someone considers their VDR system so sensitive in terms of security that they remove capabilities.

Furthermore this bug is possibly security-related but definitely not a security hazard, which would anyway qualify for grave and not serious.

Thanks,
Eric

[1] http://www.debian.org/Bugs/Developer#severities
Bug#704154: vdr - Fails if started without any of CAP_SYS_TIME, CAP_SYS_NICE or CAP_NET_RAW
On 30.03.2013 11:32, Bastian Blank wrote:
> Most systems should have some sort of ntp daemon installed, so updating with a less accurate source is bad anyway. But okay.

This option is especially for people running the VDR without a network connection. This isn't that common nowadays, but not unusual either.

>> CAP_SYS_NICE is required to set the thread priority. I think VDR is correct here to exit with an error level if CAP_SYS_NICE is not available.
>
> CAP_SYS_NICE is necessary to _higher_ the priority (aka lower the niceness). I was not able to find any rlimit calls at all in the vdr source.

The setpriority() calls used in VDR's cThread class require the CAP_SYS_NICE - at least if lowering the niceness, which some plugins do to get higher priority threads.

>> I'm not sure why CAP_NET_RAW is required. The only networking stuff happening is at the SVDRP interface.
>
> CAP_NET_RAW is necessary to set up AF_RAW or AF_PACKET socket and set some options that can be used to do nasty stuff. I see nothing in vdr itself or the streamdev plugin.

Streamdev requires this for IGMP multicasts.

I've talked to Klaus (the upstream author) about this and in general he would accept a patch for this in 2.x (VDR 2.0.0 is going to be released on March, 31). I'm not yet sure how this patch could look like. Ignoring CAP_SYS_TIME if it can not be set shouldn't be much of a problem. The other capabilities might cause trouble with some plugins.

But I'm not convinced yet, that this is a serious bug and I would prefer to lower the severity if nobody has any objections.

Tobias
Bug#704154: vdr - Fails if started without any of CAP_SYS_TIME, CAP_SYS_NICE or CAP_NET_RAW
Package: vdr
Version: 1.7.28-1
Severity: serious

vdr tries to drop almost all capabilities except of CAP_SYS_TIME, CAP_SYS_NICE and CAP_NET_RAW. It does this without checking the current capability set, which may not include any of them[1], and fails hard if this does not work.

| capget(0x20080522, 0, NULL) = 0
| capset(0x20080522, 0, {CAP_NET_RAW|CAP_SYS_NICE|CAP_SYS_TIME, CAP_NET_RAW|CAP_SYS_NICE|CAP_SYS_TIME, 0}) = -1 EPERM (Operation not permitted)
| write(2, vdr: cap_set_proc failed: Operat..., 50) = 50
| exit_group(2) = ?

Bastian

[1]: In case of LXC, it does not include at least CAP_SYS_TIME, because it affects always the whole system.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
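Added example, not part of the thread and not vdr's code or a proposed patch: the capset() in the trace above fails with EPERM because it asks for capabilities outside the caller's permitted set. The sketch below reads the permitted set first and requests only the intersection; the function names and the use of raw capget/capset syscalls (rather than libcap) are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#define CAP_BIT(c) (UINT64_C(1) << (c))
/* The three capabilities named in the report. */
#define WANTED (CAP_BIT(CAP_SYS_TIME) | CAP_BIT(CAP_SYS_NICE) | CAP_BIT(CAP_NET_RAW))

/* Read the calling thread's permitted set as one 64-bit mask. */
int read_permitted(uint64_t *mask)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *mask = ((uint64_t)data[1].permitted << 32) | data[0].permitted;
    return 0;
}

/* Subset of `wanted` that the permitted set can actually grant. */
uint64_t clamp_caps(uint64_t wanted, uint64_t permitted)
{
    return wanted & permitted;
}

/* Drop to (wanted AND permitted) with an empty inheritable set. */
int drop_to_available(uint64_t wanted, uint64_t *kept)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    uint64_t permitted;
    if (read_permitted(&permitted) != 0)
        return -1;
    *kept = clamp_caps(wanted, permitted);
    memset(data, 0, sizeof data);
    data[0].effective = data[0].permitted = (uint32_t)*kept;
    data[1].effective = data[1].permitted = (uint32_t)(*kept >> 32);
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(void)
{
    uint64_t kept;
    if (drop_to_available(WANTED, &kept) != 0) { perror("capget/capset"); return 2; }
    if (kept != WANTED) /* e.g. no CAP_SYS_TIME in a container: log, keep running */
        fprintf(stderr, "missing capabilities: 0x%llx\n", (unsigned long long)(WANTED & ~kept));
    return 0;
}
```

The caller can inspect the returned mask to decide per capability whether a missing one is fatal for its configuration or only worth a log entry.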
Bug#704154: vdr - Fails if started without any of CAP_SYS_TIME, CAP_SYS_NICE or CAP_NET_RAW
I'm not sure, if this qualifies for a serious severity, turning this into an RC bug. You can still run VDR as root with -u root (or USER=root in /etc/default/vdr).

CAP_SYS_TIME is required to update the system time with the time from the DVB broadcasters. This behavior is optional, disabled by default and if setting the time fails, this just gets logged to the syslog. So I guess, failing at CAP_SYS_TIME can be ignored.

CAP_SYS_NICE is required to set the thread priority. I think VDR is correct here to exit with an error level if CAP_SYS_NICE is not available.

I'm not sure why CAP_NET_RAW is required. The only networking stuff happening is at the SVDRP interface. It might be that this was added to allow plugins like Streamdev to have raw network access.

What do you suggest to solve this? Ignore CAP_SYS_TIME if it can't be set?

Tobias