Re: restricting root of xineliboutput mediaplayer?

Halim Sahin wrote:
> Sorry if my question was not understood correctly.
> I don't want to run sxfe/vdr etc under a chroot env.
> My concerns are about the built-in filebrowser of xineliboutput.
> It should be restricted to a special folder like /media.
> This would avoid damages to the system :-).
> More ideas?

To prevent modifying system files you should run vdr as a normal user
(--user=vdr). Just don't give it write access to any other places
than /media (and /video ?). Of course this doesn't protect VDR config
files and recordings ...

For the file browser you can try the attached, untested patch. Add the following
line to vdr's setup.conf:
  xineliboutput.Media.RootDir=/media

Note that it is not bulletproof; one can easily bypass the checks with
symlinks, like ln -s / /media/root.


- Petri
Index: config.h
===================================================================
RCS file: /cvsroot/xineliboutput/vdr-xineliboutput/config.h,v
retrieving revision 1.67
diff -u -r1.67 config.h
--- config.h	31 Oct 2009 19:59:50 -0000	1.67
+++ config.h	13 Nov 2009 12:00:29 -0000
@@ -318,6 +322,7 @@
     int  dvb_subtitles;            // send DVB subtitles in data stream (decode+display using xine-lib or external media player)
 
     // Media player
+    char media_root_dir[4096];     // restrict file browser
     char browse_files_dir[4096];
     char browse_music_dir[4096];
     char browse_images_dir[4096];
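Review bot: The comment on media_root_dir says only "restrict file browser", which leaves the semantics undocumented. It should state that the value is an absolute directory compared as a string prefix of the current directory, and that the default "/" set in config.c means no restriction, so that someone setting Media.RootDir knows what is and is not enforced.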
Index: config.c
===================================================================
RCS file: /cvsroot/xineliboutput/vdr-xineliboutput/config.c,v
retrieving revision 1.86
diff -u -r1.86 config.c
--- config.c	25 Oct 2009 12:56:11 -0000	1.86
+++ config.c	13 Nov 2009 12:00:29 -0000
@@ -662,6 +696,7 @@
   ff_h264_speed_over_accurancy = FF_H264_SPEED_OVER_ACCURACY_auto;
   ff_h264_skip_loop_filter     = FF_H264_SKIP_LOOPFILTER_auto;
 
+  strn0cpy(media_root_dir,    "/",            sizeof(media_root_dir));
   strn0cpy(browse_files_dir,  VideoDirectory, sizeof(browse_files_dir));
   strn0cpy(browse_music_dir,  VideoDirectory, sizeof(browse_music_dir));
   strn0cpy(browse_images_dir, VideoDirectory, sizeof(browse_images_dir));
@@ -918,6 +962,7 @@
   else if (!strcasecmp(Name, "Post.denoise3d.chroma"))  denoise3d_chroma = atoi(Value);
   else if (!strcasecmp(Name, "Post.denoise3d.time"))    denoise3d_time   = atoi(Value);
 
+  else if (!strcasecmp(Name, "Media.RootDir"))           STRN0CPY(media_root_dir, Value);
   else if (!strcasecmp(Name, "Media.BrowseFilesDir"))    STRN0CPY(browse_files_dir, Value);
   else if (!strcasecmp(Name, "Media.BrowseMusicDir"))    STRN0CPY(browse_music_dir, Value);
   else if (!strcasecmp(Name, "Media.BrowseImagesDir"))   STRN0CPY(browse_images_dir, Value);
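Review bot: Value is copied into media_root_dir without validation in the Media.RootDir branch. An empty value gives RootDirLen 0 in menu.c, where strncmp() with length 0 always returns 0 and the restriction silently disappears; a relative value makes menu.c reset m_CurrentDir to it and then fall into the m_CurrentDir[0] != '/' branch, which substitutes VideoDirectory. Suggest rejecting values that do not start with '/' (keeping the default) and stripping a trailing slash here.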
Index: menu.c
===================================================================
RCS file: /cvsroot/xineliboutput/vdr-xineliboutput/menu.c,v
retrieving revision 1.71
diff -u -r1.71 menu.c
--- menu.c	11 Nov 2009 16:09:09 -0000	1.71
+++ menu.c	13 Nov 2009 12:00:29 -0000
@@ -139,6 +140,13 @@
   if(!m_CurrentDir) 
     m_CurrentDir = strdup(m_ConfigLastDir);
 
+  int RootDirLen = strlen(xc.media_root_dir);
+  if (strncmp(m_CurrentDir, xc.media_root_dir, RootDirLen)) {
+    LOGMSG("Not allowing browsing to %s (root is %s)", m_CurrentDir, xc.media_root_dir);
+    free(m_CurrentDir);
+    m_CurrentDir = strdup(xc.media_root_dir);
+  }
+
   if(m_CurrentDir[0] != '/') {
     free(m_CurrentDir);
     m_CurrentDir = strdup(VideoDirectory);
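Review bot: The strncmp() prefix test has no path-component boundary, so with root /media a directory such as /media2 passes; after the match, require m_CurrentDir[RootDirLen] to be '/' or '\0' (with a special case for root "/"). The comparison also runs on the raw string, so ".." components and the symlinks mentioned in the cover mail are not resolved; calling realpath() on both sides before comparing would cover those. Separately, the m_CurrentDir[0] != '/' fallback that follows assigns VideoDirectory without checking it against media_root_dir, so the new check belongs after that fallback. RootDirLen should be size_t to match strlen().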
@@ -152,7 +160,8 @@
   }
 
   // add link to parent folder
-  if(strlen(m_CurrentDir) > 1)
+  int CurrentDirLen = strlen(m_CurrentDir);
+  if (CurrentDirLen > 1 && CurrentDirLen > RootDirLen)
     Add(new cFileListItem("..",true));
 
   Sort();
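Review bot: The condition CurrentDirLen > RootDirLen compares raw string lengths, so its result depends on trailing slashes: with root /media and current directory /media/ the ".." entry is still offered even though the browser is already at the root. Normalizing both strings once when they are set (strip the trailing slash) would make this test exact. CurrentDirLen should be size_t to match strlen().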
_______________________________________________
vdr mailing list
vdr@xxxxxxxxxxx
http://www.linuxtv.org/cgi-bin/mailman/listinfo/vdr
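
The symlink caveat in the message above comes from comparing path strings rather than resolved locations. As an added example (not part of the posted patch or of xineliboutput), this C containment check canonicalizes both paths with realpath() and requires a component boundary; the function names and the temp-dir sample tree are constructed for illustration.

```c
#define _XOPEN_SOURCE 700   /* realpath, mkdtemp, symlink */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if dir resolves to root or to a directory below it, 0 otherwise. */
int path_is_under_root(const char *root, const char *dir)
{
    char real_root[PATH_MAX], real_dir[PATH_MAX];

    /* Canonicalize both sides: resolves symlinks, "." and "..". */
    if (!realpath(root, real_root) || !realpath(dir, real_dir))
        return 0;                       /* unresolvable path: refuse */

    size_t n = strlen(real_root);
    if (n == 1)                         /* root is "/": nothing to restrict */
        return 1;
    if (strncmp(real_dir, real_root, n) != 0)
        return 0;
    /* Component boundary: "/media" must not match "/media2". */
    return real_dir[n] == '/' || real_dir[n] == '\0';
}

/* Constructed sample tree in a fresh temp dir, which becomes the cwd:
 *   media/music   media2   media/root -> /   (hypothetical layout) */
int make_sample_tree(void)
{
    char base[] = "/tmp/rootdir-demo-XXXXXX";
    if (!mkdtemp(base) || chdir(base)) return -1;
    if (mkdir("media", 0700) || mkdir("media/music", 0700) || mkdir("media2", 0700))
        return -1;
    return symlink("/", "media/root");
}

int main(void)
{
    if (make_sample_tree()) return 1;
    printf("music=%d media2=%d symlink=%d dotdot=%d\n",
           path_is_under_root("media", "media/music"),
           path_is_under_root("media", "media2"),
           path_is_under_root("media", "media/root"),
           path_is_under_root("media", "media/music/../../media2"));
    return 0;
}
```

The check and a later opendir() are still two separate steps, so a link created in between is followed; this narrows the gap described in the message rather than closing it for a user who can write below the root.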
