Koozali.org formerly Contribs.org

SME8 Serviio Service

SME8 Serviio Service
« on: April 11, 2012, 11:00:02 AM »
I have been attempting to get Serviio (java based DLNA server) running on SME8. Serviio mostly works, but I am having issues with permissions/rights for the service account. This is not a HowTo yet, as I need to solve this permissions problem.

Serviio uses multicast to advertise, so requires root or some form of CAP_NET_* rights.
For security, however, I want to use a non-root account.

So, I create an ibay serviio - this creates a user/group serviio and somewhere for the Serviio php web-console.

I install OpenJDK java (yum install java-1.7.0-icedtea ffmeg --enablerepo=rpmforge)
unzip the serviio files into /opt/serviio

chown -R serviio:serviio /opt/serviio

I create a /var/service/serviio directory
touch /var/service/serviio/down

make file run containing
Code: [Select]
#!/bin/sh
cd /opt/serviio
exec 2>&1
exec setuidgid serviio /opt/serviio/bin/serviio.sh

Then I build the rest of the service settings. I also had to set access rights for serviio into the media library directorys (by chmod/setfacl for shared-folders).

serviio.sh just sets the java environment and classpath, and then executes java in the foreground.

This works as it stands, but the log shows errors when trying to do a multicast service advertisement, due to restrictions on multicast operations to non-root users. This stops some media devices from finding the DLNA server.
I can't figure out how to start serviio with enough rights to do multicast but without running as root (which I don't want to do). I suspect that I need to use some sort of setuid, but can't work it out.

Any thoughts?

Si

Re: SME8 Serviio Service
« Reply #1 on: April 12, 2012, 03:07:11 PM »
You will probably get better response if you ask questions such as these on thee devinfo mailing list.

chown -R serviio:serviio /opt/serviio

That's probably not a good step. Only files or directories which must be written by the application should have that ownership. Your program files and the directories which contain them should be left root.root. 

Quote
I can't figure out how to start serviio with enough rights to do multicast but without running as root (which I don't want to do). I suspect that I need to use some sort of setuid, but can't work it out.

Have a look at sucap and execcap. Example usage and good background article here:

http://www.linuxjournal.com/article/5737?page=0,1

Re: SME8 Serviio Service
« Reply #2 on: April 12, 2012, 04:48:58 PM »
Thanks Charlie

I'll modify the directory rights , and take a look at execcap/sucap. I knew that capabilities were involved, but I could only find programmatic examples. I could also try setpcaps once the service is running.

Simon

Re: SME8 Serviio Service
« Reply #3 on: April 12, 2012, 06:44:46 PM »
I could also try setpcaps once the service is running.

You create race conditions (timing uncertainty) if you try that way.

Re: SME8 Serviio Service
« Reply #4 on: April 13, 2012, 12:10:21 PM »
After a lot more mucking about I have found that the problem was with a denylog firewall rule on the OUTPUT chain targeting base-address.mcast.net.

I'll modify this to only target the external interface.

Capabilities look pretty broken until filesystem support in kernel 2.6.28, so I am glad that I don't have to go there yet.

Si


Re: SME8 Serviio Service
« Reply #5 on: April 13, 2012, 02:19:52 PM »
Capabilities look pretty broken until filesystem support in kernel 2.6.28, so I am glad that I don't have to go there yet.

AFAIK, sucap/execcap do not depend on filesystem capability support.