[vdr] restricting root of xineliboutput mediaplayer?

Petri Hintukainen phintuka at users.sourceforge.net
Fri Nov 13 13:24:31 CET 2009


Halim Sahin wrote:
> Sorry if my question was not understood currectly.
> I don't want to run sxfe/vdr etc under a chroot env.
> My concerns are about the build-in filebrowser of xineliboutput. 
> It should be restricted to a special folder like /media.
> This whould avoid damages to the system  :-).
> More ideas?

To prevent modifying system files you should run vdr as normal user
(--user=vdr). Just don't give it write access to any other places
than /media (and /video ?). Of course this doesn't protect VDR config
files and recordings ...

For the file browser you can try attached, untested patch. Add following
line to vdr's setup.conf:
  xineliboutput.Media.RootDir=/media

Note that it is not bulletproof ; one can easily bypass the checks with
symlinks, like ln -s / /media/root.


- Petri
-------------- next part --------------
A non-text attachment was scrubbed...
Name: media_root_dir.patch
Type: text/x-patch
Size: 2902 bytes
Desc: not available
URL: <http://www.linuxtv.org/pipermail/vdr/attachments/20091113/e9d63ec3/attachment.bin>


More information about the vdr mailing list