[mythtv] non-root myth under Red Hat (was: unprivileged user?)

Axel Thimm Axel.Thimm at physik.fu-berlin.de
Thu Aug 21 10:31:00 EDT 2003


Hi,

On Mon, Aug 11, 2003 at 10:08:11PM -0400, Matt Zimmerman wrote:
> On Mon, Aug 11, 2003 at 06:34:19PM -0700, Chris Petersen wrote:
> 
> > call me a security nut, but wouldn't it be a good idea for myth to
> > chuser on startup to something of its own?  Would prevent some nasty
> > system problems for those of us who've been running myth as root via
> > sysV startup scripts - that way, myth couldn't write to the reserved
> > file system blocks and overload the machine.
> > 
> > Anyway, I'm going to at least go modify my sysV script for now.  But
> > it'd be cool if myth did this on its own.
> 
> There is no reason whatsoever to run any part of mythtv as root in the first
> place (the debs don't), so I don't think it's necessary to have myth itself
> try to switch to another user.  Just start it as the user that you want to
> run it as.

Unfortunately the Red Hat ownership and permission model is an
obstacle here. Some of the required devices for myth are hijacked at
login time by the desktop user, so a mythtv user (which exists in the
Red Hat packages BTW) would suddenly lose permissions on the devices
when someone logs in on the desktop of a backend machine.

There is a configuration file that can be tuned for that, but it is
owned by core Red Hat packages and I hesitate to replace those
packages.

I cannot come up with a static ownership/permissions setup (e.g. the
same devices could be used by mythtv or another application running as
the desktop user).

How does Debian solve this? IIRC there are audio and video groups, but
how does it work? How is concurrent access to capture devices managed?
-- 
Axel.Thimm at physik.fu-berlin.de