
SME8 Serviio Service


si_blakely:
I have been attempting to get Serviio (java based DLNA server) running on SME8. Serviio mostly works, but I am having issues with permissions/rights for the service account. This is not a HowTo yet, as I need to solve this permissions problem.

Serviio uses multicast to advertise, so requires root or some form of CAP_NET_* rights.
For security, however, I want to use a non-root account.

So, I create an ibay serviio - this creates a user/group serviio and somewhere for the Serviio php web-console.

I install OpenJDK java (yum install java-1.7.0-icedtea ffmpeg --enablerepo=rpmforge)
unzip the serviio files into /opt/serviio

chown -R serviio:serviio /opt/serviio

I create a /var/service/serviio directory
touch /var/service/serviio/down

make file run containing

--- Code: ---#!/bin/sh
# daemontools-style run script: start Serviio in the foreground as the serviio user
cd /opt/serviio || exit 1
# send stderr to the same place as stdout so the service logger captures both
exec 2>&1
# drop from root to the serviio user/group before starting the JVM
exec setuidgid serviio /opt/serviio/bin/serviio.sh
--- End code ---

Then I build the rest of the service settings. I also had to set access rights for serviio into the media library directories (by chmod/setfacl for shared-folders).

serviio.sh just sets the java environment and classpath, and then executes java in the foreground.

This works as it stands, but the log shows errors when trying to do a multicast service advertisement, due to restrictions on multicast operations to non-root users. This stops some media devices from finding the DLNA server.
I can't figure out how to start serviio with enough rights to do multicast but without running as root (which I don't want to do). I suspect that I need to use some sort of setuid, but can't work it out.

Any thoughts?

Si

CharlieBrady:
You will probably get better response if you ask questions such as these on the devinfo mailing list.


--- Quote from: si_blakely on April 11, 2012, 11:00:02 AM ---chown -R serviio:serviio /opt/serviio

--- End quote ---

That's probably not a good step. Only files or directories which must be written by the application should have that ownership. Your program files and the directories which contain them should be left root.root.


--- Quote ---I can't figure out how to start serviio with enough rights to do multicast but without running as root (which I don't want to do). I suspect that I need to use some sort of setuid, but can't work it out.

--- End quote ---

Have a look at sucap and execcap. Example usage and good background article here:

http://www.linuxjournal.com/article/5737?page=0,1

si_blakely:
Thanks Charlie

I'll modify the directory rights, and take a look at execcap/sucap. I knew that capabilities were involved, but I could only find programmatic examples. I could also try setpcaps once the service is running.

Simon

CharlieBrady:

--- Quote from: si_blakely on April 12, 2012, 04:48:58 PM ---I could also try setpcaps once the service is running.

--- End quote ---

You create race conditions (timing uncertainty) if you try that way.

si_blakely:
After a lot more mucking about I have found that the problem was with a denylog firewall rule on the OUTPUT chain targeting base-address.mcast.net.

I'll modify this to only target the external interface.

Capabilities look pretty broken until filesystem support in kernel 2.6.28, so I am glad that I don't have to go there yet.

Si
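An added check for the root cause Si found, not code from the thread or from SME Server: a shell function that scans an iptables-save dump for OUTPUT rules that send multicast traffic to a deny/log chain on every interface instead of only the external one. The sample dump, the use of the denylog chain and the eth1 external interface name are constructed assumptions.

```shell
#!/bin/sh
# Audit an iptables-save dump for OUTPUT rules that deny multicast (224.0.0.0/4)
# without being scoped to the external interface. Such a rule also blocks
# DLNA advertisements on the LAN side, which is what stopped Serviio above.

# Constructed sample dump: one unscoped multicast deny (the problem) and one
# correctly scoped to the external interface (assumed here to be eth1).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:denylog - [0:0]
-A OUTPUT -d 224.0.0.0/4 -j denylog
-A OUTPUT -o eth1 -d 239.255.255.250/32 -j denylog
-A OUTPUT -o eth0 -p udp --dport 1900 -j ACCEPT
-A denylog -j LOG --log-prefix "denylog:"
-A denylog -j DROP
COMMIT'

# find_unscoped_mcast_denies <external-iface> <iptables-save text>
# Prints every OUTPUT rule whose destination is a multicast address, whose
# target is not ACCEPT, and which lacks "-o <external-iface>".
# Returns 1 if at least one such rule was printed, 0 otherwise.
find_unscoped_mcast_denies() {
    ext_if="$1"
    printf '%s\n' "$2" | awk -v ext="$ext_if" '
        /^-A OUTPUT / {
            # multicast destinations only: first octet 224..239
            if (match($0, /-d 2(2[4-9]|3[0-9])\./) == 0) next
            scoped = 0; accept = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-o" && $(i+1) == ext) scoped = 1
                if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
            }
            if (!scoped && !accept) { print; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# Usage against the constructed sample; on a live box feed it "$(iptables-save)".
find_unscoped_mcast_denies eth1 "$SAMPLE_RULES" \
    || echo "unscoped multicast deny rule(s) listed above: add -o <external-iface>"
```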
