Bug#704154: vdr - Fails if started without any of CAP_SYS_TIME, CAP_SYS_NICE or CAP_NET_RAW

Bastian Blank waldi at debian.org
Sat Mar 30 10:32:16 UTC 2013


On Fri, Mar 29, 2013 at 01:38:39AM +0100, Tobias Grimm wrote:
> CAP_SYS_TIME is required to update the system time with the time
> from the DVB broadcasters. This behavior is optional, disabled by
> default and if setting the time fails, this just gets logged to the
> syslog.

Most systems should have some sort of ntp daemon installed, so updating
with a less accurate source is bad anyway. But okay.

> CAP_SYS_NICE is required to set the thread priority. I think VDR is
> correct here to exit with an error level if CAP_SYS_NICE is not
> available.

CAP_SYS_NICE is necessary to _higher_ the priority (aka lower the
niceness). I was not able to find any rlimit calls at all in the vdr
source.

> I'm not sure why CAP_NET_RAW is required. The only networking stuff
> happening is at the SVDRP interface.

CAP_NET_RAW is necessary to set up an AF_RAW or AF_PACKET socket and set
some options that can be used to do nasty stuff. I see nothing in vdr
itself or the streamdev plugin.

> What do you suggest to solve this? Ignore CAP_SYS_TIME if it can't be set?

Right now I use the seccomp filter to filter away all prctl and setcap
syscalls. Nothing really fails, so at least in this setup none of the
capabilities are really needed. I use the streamdev-server plugin.

Bastian

-- 
There are always alternatives.
		-- Spock, "The Galileo Seven", stardate 2822.3
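
Added example (not part of the original message and not vdr code): one way to check which of the three capabilities discussed in this thread a process actually holds, by decoding the `CapEff` and `CapBnd` masks in `/proc/<pid>/status` format. The sample status text and the function names are constructed for illustration; the bit numbers are those in `<linux/capability.h>`.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
enum { CAP_NET_RAW_BIT = 13, CAP_SYS_NICE_BIT = 23, CAP_SYS_TIME_BIT = 25 };

/* Constructed sample: only CAP_SYS_NICE effective, CAP_SYS_TIME not in bounding set. */
static const char SAMPLE[] =
    "Name:\tvdr\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000800000\n"
    "CapEff:\t0000000000800000\n"
    "CapBnd:\t0000000000802000\n";

/* Parse the hex mask of `field` (e.g. "CapEff"); 0 on success, -1 if absent or empty. */
int parse_cap_mask(const char *status, const char *field, uint64_t *mask)
{
    size_t n = strlen(field);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, field, n) == 0 && p[n] == ':') {
            const char *v = p + n + 1;
            while (*v == ' ' || *v == '\t') v++;
            /* Refuse an empty value so strtoull cannot run on into the next line. */
            if (!isxdigit((unsigned char)*v)) return -1;
            *mask = strtoull(v, NULL, 16);
            return 0;
        }
        if ((p = strchr(p, '\n')) != NULL) p++;   /* advance to the next line */
    }
    return -1;
}

/* Bit 0: CAP_SYS_TIME, bit 1: CAP_SYS_NICE, bit 2: CAP_NET_RAW missing; -1 on parse error. */
int missing_caps(const char *status, const char *field)
{
    uint64_t m;
    if (parse_cap_mask(status, field, &m) != 0) return -1;
    return (!((m >> CAP_SYS_TIME_BIT) & 1)) | ((!((m >> CAP_SYS_NICE_BIT) & 1)) << 1)
         | ((!((m >> CAP_NET_RAW_BIT) & 1)) << 2);
}

int main(void)
{
    printf("missing from CapEff (bitmask): %d\n", missing_caps(SAMPLE, "CapEff"));
    return 0;
}
```

A capability that is absent from `CapBnd` cannot be regained by the process, which is why a daemon that treats a failed capability setup as fatal will not start in such a sandbox.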