[mythtv-users] Re: running mythbackend as root (was: Mythweb says I have 75 out of 72 Gigs used)

Axel Thimm Axel.Thimm at physik.fu-berlin.de
Wed Feb 18 19:42:48 EST 2004


On Wed, Feb 18, 2004 at 02:40:43PM -0800, Chris Petersen wrote:
> > Why should mythbackend have to chuser itself?  Just don't run it as 
> > root.  There's no need to.  If you have permissions problems you need 
> > to solve them.  Running as root is not an advisable solution.
> 
> well, last I remembered, people were having a number of problems running
> myth under redhat as a non-root user, which is why Axel's init.d script
> doesn't su the mythbackend execution like the debian stuff apparently
> does.

The problem is less a technical one, than one of setting
policies. Under Red Hat/Fedora certain devices are expected to be
owned by the current desktop user, i.e. ownership/modes get set at
login time. See also console.perms(5).

This means that in the default settings the currently logged in user
gets ownership over the devices mythbackend uses. If mythbackend runs
as an unprivileged user it loses access to these devices (or has read
only access).

So either one lets the backend run as root or one can tune the
permissions of /etc/security/console.perms. Doing the latter
automatically from an rpm install looked too invasive (and
maintainersome) for me, so feel free to switch to a mythtv user
adapting this file as required.

Debian has groups for solving this. So the current logged in user and
mythtv have the same access rights, nobody can lock out the other, but
both can steal resources (like switching channels from a non-myth
app).

It all boils down to policies, and who am I to change Red Hat's or
Debian's policies ;)

> I'm happy to do things either way - but having mythbackend START as
> root, and then chuser itself would allow it to make sure that it has the
> proper permissions (correcting as necessary) before it turns itself into
> a lesser userid.

You can chown the devices and start right as the mythtv user, if you
are sure nobody will change the ownership/permission back (even
implicitly by simply logging in).
-- 
Axel.Thimm at physik.fu-berlin.de
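
An added example, not part of the original message: a small audit that reports whether a service account still has read/write access to the device nodes it needs, so a login-time ownership reset of the kind described above is noticed instead of silently breaking the backend. The function names are hypothetical, the account name and device paths are supplied by the caller, and only classic owner/group/other mode bits are evaluated (POSIX ACLs and capabilities are ignored).

```python
import os
import pwd
import grp
import stat
import sys


def access_for(st_uid, st_gid, st_mode, uid, gids):
    """Evaluate classic Unix mode bits for one user against one file.

    The kernel picks exactly one permission class: owner first, then
    group, then other. A user who owns the file never falls through to
    the group bits. Returns "rw", "r-", "-w" or "--".
    """
    if uid == 0:
        return "rw"  # root bypasses mode bits for read/write
    if uid == st_uid:
        r_bit, w_bit = stat.S_IRUSR, stat.S_IWUSR
    elif st_gid in gids:
        r_bit, w_bit = stat.S_IRGRP, stat.S_IWGRP
    else:
        r_bit, w_bit = stat.S_IROTH, stat.S_IWOTH
    return ("r" if st_mode & r_bit else "-") + ("w" if st_mode & w_bit else "-")


def user_ids(name):
    """Return (uid, set of gids) for an account: primary plus supplementary groups."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


def audit(paths, user):
    """Map each path to the access string the given account currently has."""
    uid, gids = user_ids(user)
    report = {}
    for path in paths:
        st = os.stat(path)
        report[path] = access_for(st.st_uid, st.st_gid, st.st_mode, uid, gids)
    return report


if __name__ == "__main__":
    # Usage: script.py <service-account> <device-path> [<device-path> ...]
    account, devices = sys.argv[1], sys.argv[2:]
    lacking = {p: a for p, a in audit(devices, account).items() if a != "rw"}
    for path, acc in lacking.items():
        print(f"{account} has only '{acc}' on {path}")
    sys.exit(1 if lacking else 0)
```

Run from cron or a monitoring check, a non-zero exit shows that ownership or mode has changed since the devices were last set up for the service account.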