Bug #5620

satip server on port 554 unnecessarily limited to root only

Added by Andreas Tockhorn 4 months ago. Updated 3 months ago.

Status: New
Priority: Normal
Category: SAT>IP
Target version: -
Start date: 2019-05-03
Due date:
% Done: 0%
Estimated time:
Found in version: latest
Affected Versions:
Description

At the moment it is only possible to start the satip server on port 554 as root. For security reasons, I do not want to give the whole tvheadend root privileges. But unfortunately I have to use port 554 instead of 9983, as for example my Panasonic TV as a satip client only works when tvheadend as satip server listens on port 554.
Instead, I would like to use mechanisms like authbind or setcap to use port 554 without being root. But this only works when the function satips_rtsp_port in server.c does not check against getuid()!=0 and change the port to 9983. I suggest printing only an information or warning message there. If tvheadend does not have the appropriate permissions (not being root or using any other mechanism), an error message will be printed later when trying to bind to port 554 anyway.
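An alternative to deciding by user id is to attempt the bind and fall back only when the kernel answers with a permission error, so that any mechanism that lets the bind succeed is honoured. The following C code is an added example, not tvheadend source and not part of the original report; `probe_bind`, `port_after_probe` and `pick_rtsp_port` are hypothetical names, and the ports 554 and 9983 are the ones named in the report.

```c
/* Added example, not tvheadend source; all function names are hypothetical. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try to bind a throwaway TCP socket to the port.
 * Returns 0 if the bind succeeded, otherwise the errno of the failing call. */
static int probe_bind(int port)
{
  struct sockaddr_in sa;
  int fd, err = 0;

  if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    return errno;
  memset(&sa, 0, sizeof(sa));
  sa.sin_family = AF_INET;
  sa.sin_addr.s_addr = htonl(INADDR_ANY);
  sa.sin_port = htons((unsigned short)port);
  if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0)
    err = errno;
  close(fd);
  return err;
}

/* Only a permission error (EACCES) justifies leaving the configured port.
 * Other errors such as EADDRINUSE mean the process is allowed to use the
 * port; the real bind will report them when the server starts. */
static int port_after_probe(int wanted, int fallback, int err)
{
  if (err == EACCES) {
    fprintf(stderr, "RTSP: no permission to bind port %d, using %d\n",
            wanted, fallback);
    return fallback;
  }
  return wanted;
}

/* Pick the RTSP port from what the kernel permits, not from getuid(). */
static int pick_rtsp_port(int wanted, int fallback)
{
  return port_after_probe(wanted, fallback, probe_bind(wanted));
}

int main(void)
{
  printf("RTSP port: %d\n", pick_rtsp_port(554, 9983));
  return 0;
}
```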

History

#1

Updated by Flole Systems 4 months ago

You don't need to run tvheadend as root, you can start as root and drop privileges later.

#2

Updated by Andreas Tockhorn 4 months ago

Ok. I have to check. For me there is still the question what's the sense for this check. I don't see any. Without it I have even more choices on how to get port 554 used.

#3

Updated by Andreas Tockhorn 3 months ago

I had some time to dive deeper into the topic of privilege separation. From my understanding, this would cause larger effort on changing tvheadend sources. Furthermore, it does still rely on starting as root, binding to port 554 and afterwards dropping root privileges. If this is not done appropriately, it might still cause a security flaw. In addition, I cannot really imagine what is the correct point in time at which the privilege can be dropped, since the satip server can be reconfigured or activated at any time.
So I still suggest removing the limitation to being root and staff the tvheadend binary with only that additional capability, e.g. by using sudo setcap CAP_NET_BIND_SERVICE=+eip /path/to/tvheadend-binary.

#4

Updated by Em Smith 3 months ago

Have you tried port forwarding?

#5

Updated by Andreas Tockhorn 3 months ago

No, I have not. But I am sure it will work. Nevertheless, it is not a real solution but a workaround. I still don't see the sense of checking/forcing for being root just to start at a port below 1024.

#6

Updated by Tim Bremer 3 months ago

> For security reasons

Well, 'security reasons' are in fact the reason why ports below 1024 are privileged.
https://stackoverflow.com/questions/10182798/why-are-ports-below-1024-privileged
https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html
https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-on-linux

Your request would be an exception from the rule, causing a lot of confusion for most of the users and in the end resulting in many support requests in the forum.

> I do not want to give the whole tvheadend root privileges.

Do you have any idea how many programs have root privileges during the boot sequence?
