Bug #5620

satip server on port 554 unnecessarily limited to root only

Added by Andreas Tockhorn 21 days ago. Updated 14 days ago.

Status: New
Priority: Normal
Category: SAT>IP
Target version: -
Start date: 2019-05-03
Due date:
% Done: 0%
Estimated time:
Found in version: latest
Affected Versions:

Description

At the moment it is only possible to start the satip server on port 554 as root. For security reasons, I do not want to give the whole tvheadend root privileges. But unfortunately I have to use port 554 instead of 9983, as, for example, my Panasonic TV as a satip client only works when tvheadend as satip server listens on port 554.
Instead, I would like to use mechanisms like authbind or setcap to use port 554 without being root. But this only works when the function satips_rtsp_port in server.c does not check against getuid()!=0 and change the port to 9983. I suggest printing only an information or warning message there. If tvheadend does not have the appropriate permissions (not being root or using any other mechanism), an error message will be printed later when trying to bind to port 554 anyway.

History

#1 Updated by Flole Systems 21 days ago

You don't need to run tvheadend as root, you can start as root and drop privileges later.

#2 Updated by Andreas Tockhorn 21 days ago

Ok. I have to check. For me there is still the question of what the sense of this check is. I don't see any. Without it I have even more choices on how to get port 554 used.

#3 Updated by Andreas Tockhorn 16 days ago

I had some time to dive deeper into the topic of privilege separation. From my understanding, this would cause larger effort on changing tvheadend sources. Furthermore, it does still rely on starting as root, binding to port 554 and afterwards dropping root privileges. If this is not done appropriately, it might still cause a security flaw. In addition, I cannot really imagine what is the correct point in time at which the privilege can be dropped, since the satip server can be reconfigured or be activated at any time.
So I still suggest removing the limitation to being root and staff the tvheadend binary with only that additional capability, e.g. by using sudo setcap CAP_NET_BIND_SERVICE=+eip /path/to/tvheadend-binary.
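
An added example, not part of the ticket and not tvheadend's code: a capability-aware alternative to a plain getuid() != 0 test, which keeps port 554 when the process holds CAP_NET_BIND_SERVICE in its effective set, as read from the CapEff line of /proc/self/status. The function names parse_cap_eff and pick_rtsp_port and the uid fallback are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define CAP_NET_BIND_SERVICE_BIT 10   /* CAP_NET_BIND_SERVICE in linux/capability.h */
#define RTSP_FALLBACK_PORT 9983       /* fallback port named in the ticket */

/* Extract the effective capability mask from /proc/<pid>/status text.
 * Returns 0 on success, -1 if no well-formed CapEff line is present. */
int parse_cap_eff(const char *status, uint64_t *mask) {
  const char *p = status;
  while (p && *p) {
    if (strncmp(p, "CapEff:", 7) == 0) {
      const char *q = p + 7;
      while (*q == ' ' || *q == '\t') q++;
      if (!isxdigit((unsigned char)*q)) return -1;  /* empty or malformed value */
      *mask = strtoull(q, NULL, 16);
      return 0;
    }
    p = strchr(p, '\n');   /* advance to the start of the next line */
    if (p) p++;
  }
  return -1;
}

/* Hypothetical port selection: a port below 1024 is kept when the process
 * may bind it, whether through root or through setcap on the binary. */
int pick_rtsp_port(int requested, uid_t euid, const char *status) {
  uint64_t eff = 0;
  int allowed;
  if (requested >= 1024) return requested;          /* unprivileged port */
  if (parse_cap_eff(status, &eff) == 0)
    allowed = (int)((eff >> CAP_NET_BIND_SERVICE_BIT) & 1);
  else
    allowed = (euid == 0);   /* no capability info: fall back to the uid test */
  return allowed ? requested : RTSP_FALLBACK_PORT;
}

int main(void) {
  char buf[4096] = "";
  FILE *f = fopen("/proc/self/status", "r");
  if (f) { size_t n = fread(buf, 1, sizeof buf - 1, f); buf[n] = '\0'; fclose(f); }
  printf("RTSP port: %d\n", pick_rtsp_port(554, geteuid(), buf));
  return 0;
}
```

authbind grants the bind through a preloaded helper rather than a capability, so a check like this does not see it; attempting the bind and reporting its error covers that case as well.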

#4 Updated by Em Smith 15 days ago

Have you tried port forwarding?

#5 Updated by Andreas Tockhorn 15 days ago

No, I have not. But I am sure it will work. Nevertheless, it is not a real solution but a workaround. I still don't see the sense of checking/forcing for being root just to start at a port below 1024.

#6 Updated by Tim Bremer 14 days ago

> For security reasons

Well, 'security reasons' are in fact the reason why ports below 1024 are privileged.
https://stackoverflow.com/questions/10182798/why-are-ports-below-1024-privileged
https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html
https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-on-linux

Your request would be an exception from the rule, causing a lot of confusion for most of the users and in the end resulting in many support requests in the forum.

> I do not want to give the whole tvheadend root privileges.

Do you have an idea how many programs have root privileges during the boot sequence?
