[mythtv-users] Ways to improve TV Out quality[Scanned]

Thu Jul 29 14:13:42 EDT 2004

David wrote:

> I think that when you start just hammering at problems (with root 
> privileges  in this case) you may end up with a system that works 
> today but it isn't a 'proper' solution and if you continue to build on 
> it then you'll get bitten later - maybe when you set it up to connect 
> to your server to display your digital photos and *they* get blatted 
> 'cos you forgot a root_squash on the nfs mount?

Who needs root squash?  If I've got root access on the Myth box, I can 
do an ls -an on an NFS share, find the UID/GID of a user who has access 
to the photos (or OpenOffice docs or GNUCash data or whatever), create a 
user/group on the Myth box with proper ID's, and rm -rf the photos.  NFS 
security is implemented using filesystem permissions; therefore, only 
UID/GID (not even username/group name) are checked to determine access 
rights.  Root squash only protects files owned by root on the NFS share 
(and, most likely, there aren't many of those on a share), but it's 
still something you should use.

Also, once I've got write access to some directory I can do things like 
dd if=/dev/zero of=/mnt/sharename/some/buried/directory/.swp bs=64k to 
fill up the NFS share partition, which can cause problems for other 
services (including the Myth box) that use the share.  And, if the 
filesystem was created without reserved space (for root) and if it 
contains the root partition, it could even crash the server.

Then there's changing the usernames/group names/passwords on the Myth 
box (assuming you haven't set up all authentication on a separate 
server) or the ownership/permissions of files on that box.  That would 
make it much more difficult for you to clean up my mess.  Although your 
autologin as root would ensure you have permission to fix the problems, 
the hard part would be finding the mess to clean up.

All the above, though, is very destructive--and likely to cause you to 
notice the problems--so how about we look at a more constructive use of 
root access?  I could set up a custom mini-web server (called 
mythbackend or mythcommflag, of course, so it doesn't look out of place) 
that distributes illegal copies of software, MP3's, or even the TV shows 
you record and the music you store in MythMusic, but--to prevent you 
from finding anything I add or deleting anything you put there (after 
all, just because you watched West Wing doesn't mean that everyone else 
in the mIRC channel has seen it)--I'll have the web server grab a 
filehandle to the files (and make sure I delete the ones I add so you 
don't find them).  The filesystem won't remove the files until all 
filehandles are released, so they don't appear in your directories 
(you'd have to find them in /proc or /sys), but they're still available 
for serving.  Now, I've got free, non-attribution storage and bandwidth 
available thanks to your allowing me in to your "unimportant" server.  
Before long, the BSA/RIAA/MPAA police will be knocking on your door, 
confiscating your computers, and fining you some exorbitant amount of 
money based on your income and savings...

And much, much more.  In other words, David is exactly right.  Running 
as root is far more dangerous than you might think--even if the data on 
that machine is unimportant.

Mike

P.S.  I don't do these things, but I'm aware that someone could do them 
on my systems if I configure them incorrectly.