[mythtv-users] Ways to improve TV Out quality[Scanned]
Michael T. Dean
mtdean at thirdcontact.com
Thu Jul 29 14:13:42 EDT 2004
David wrote:
> I think that when you start just hammering at problems (with root
> privileges in this case) you may end up with a system that works
> today but it isn't a 'proper' solution and if you continue to build on
> it then you'll get bitten later - maybe when you set it up to connect
> to your server to display your digital photos and *they* get blatted
> 'cos you forgot a root_squash on the nfs mount?
Who needs root squash? If I've got root access on the Myth box, I can
do an ls -an on an NFS share, find the UID/GID of a user who has access
to the photos (or OpenOffice docs or GNUCash data or whatever), create a
user/group on the Myth box with proper ID's, and rm -rf the photos. NFS
security is implemented using filesystem permissions; therefore, only
UID/GID (not even username/group name) are checked to determine access
rights. Root squash only protects files owned by root on the NFS share
(and, most likely, there aren't many of those on a share), but it's
still something you should use.
Also, once I've got write access to some directory I can do things like
dd if=/dev/zero of=/mnt/sharename/some/buried/directory/.swp bs=64k to
fill up the NFS share partition, which can cause problems for other
services (including the Myth box) that use the share. And, if the
filesystem was created without reserved space (for root) and if it
contains the root partition, it could even crash the server.
Then there's changing the usernames/group names/passwords on the Myth
box (assuming you haven't set up all authentication on a separate
server) or the ownership/permissions of files on that box. That would
make it much more difficult for you to clean up my mess. Although your
autologin as root would ensure you have permission to fix the problems,
the hard part would be finding the mess to clean up.
All the above, though, is very destructive--and likely to cause you to
notice the problems--so how about we look at a more constructive use of
root access? I could set up a custom mini-web server (called
mythbackend or mythcommflag, of course, so it doesn't look out of place)
that distributes illegal copies of software, MP3's, or even the TV shows
you record and the music you store in MythMusic, but--to prevent you
from finding anything I add or deleting anything you put there (after
all, just because you watched West Wing doesn't mean that everyone else
in the mIRC channel has seen it)--I'll have the web server grab a
filehandle to the files (and make sure I delete the ones I add so you
don't find them). The filesystem won't remove the files until all
filehandles are released, so they don't appear in your directories
(you'd have to find them in /proc or /sys), but they're still available
for serving. Now, I've got free, non-attribution storage and bandwidth
available thanks to your allowing me in to your "unimportant" server.
Before long, the BSA/RIAA/MPAA police will be knocking on your door,
confiscating your computers, and fining you some exorbitant amount of
money based on your income and savings...
And much, much more. In other words, David is exactly right. Running
as root is far more dangerous than you might think--even if the data on
that machine is unimportant.
Mike
P.S. I don't do these things, but I'm aware that someone could do them
on my systems if I configure them incorrectly.
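The point above about unlinked files staying available while a process holds a filehandle to them can be checked from the defender's side by reading the per-process fd links under /proc. This is an added example, not part of the original post; the function names, the `under` parameter and the sample mount path are assumptions, and it relies on Linux appending " (deleted)" to the /proc/<pid>/fd link target of an unlinked file.

```python
"""List files that are unlinked but still held open by a process (Linux)."""
import os
import sys

DELETED = " (deleted)"  # suffix the kernel appends to the fd link target


def read_comm(proc_root, pid):
    """Return the process name from <proc_root>/<pid>/comm, or '?'."""
    try:
        with open(os.path.join(proc_root, pid, "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def deleted_open_files(proc_root="/proc", under=("/",)):
    """Return sorted (pid, comm, fd, path, size) for unlinked open files
    whose original path lies below one of the directories in `under`."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or we lack permission (run as root)
            continue
        for fd in fds:
            link = os.path.join(fd_dir, fd)
            try:
                target = os.readlink(link)
            except OSError:
                continue
            if not target.endswith(DELETED):
                continue  # ordinary file, socket, pipe, ...
            path = target[: -len(DELETED)]
            if not any(path == d or path.startswith(d.rstrip("/") + "/") for d in under):
                continue
            try:
                size = os.stat(link).st_size  # follows the fd to the live inode
            except OSError:
                size = -1  # inode not reachable from here
            hits.append((int(pid), read_comm(proc_root, pid), int(fd), path, size))
    return sorted(hits)


if __name__ == "__main__":
    # Usage (hypothetical path): python3 script.py /mnt/store
    for pid, comm, fd, path, size in deleted_open_files(under=sys.argv[1:] or ("/",)):
        print(f"pid={pid} comm={comm} fd={fd} size={size} {path}")
```

Many legitimate programs keep deleted temporary files open, so restrict `under` to the media or share directories and look for large sizes or process names that do not match what should be touching those paths.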