
Mailing List Archive: MythTV: Users

Re: Ways to improve TV Out quality[Scanned]

 

 



mythtv at keirstead

Jul 29, 2004, 7:53 AM

Post #1 of 6 (816 views)
Permalink
Re: Ways to improve TV Out quality[Scanned]

On July 29, 2004 11:24 am, Mark Maas wrote:
> > Functionality 1st, security 2nd in this case... sorry.
>
> You're lucky I've got a pacemaker... Or you would be hearing from my
> lawyer.
>
> BTW, what was your IP again? ;-) I already got some usernames...

I have to agree with the poster, I have my myth set up similarly.

Who cares about security in this case? What is the absolute worst that you
could do (assuming you can get onto my home LAN to log into it), erase my TV
shows? It's not like a myth box contains vital, secure data.

Auto log-in is a requirement for a useable myth setup IMO. Otherwise when the
power goes out / the box is moved / the system crashes etc etc you're stuck
at a login screen instead of a useable television. And if you are not home,
then you later on suffer the wrath of your family.

--
There are two major products that came out of Berkeley: LSD and UNIX.
We do not believe this to be a coincidence. ~Jeremy S. Anderson
_______________________________________________
mythtv-users mailing list
mythtv-users [at] mythtv
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users


myth at dgreaves

Jul 29, 2004, 8:36 AM

Post #2 of 6 (793 views)
Permalink
Re: Ways to improve TV Out quality[Scanned] [In reply to]

Jason Keirstead wrote:
> On July 29, 2004 11:24 am, Mark Maas wrote:
>
>>>Functionality 1st, security 2nd in this case... sorry.
>>
>>You're lucky I've got a pacemaker... Or you would be hearing from my
>>lawyer.
>>
>>BTW, what was your IP again? ;-) I already got some usernames...
>
>
> I have to agree with the poster, I have my myth set up similarly.
>
> Who cares about security in this case? What is the absolute worst that you
> could do (assuming you can get onto my home LAN to log into it), erase my TV
> shows? It's not like a myth box contains vital, secure data.
>
> Auto log-in is a requirement for a useable myth setup IMO. Otherwise when the
> power goes out / the box is moved / the system crashes etc etc you're stuck
> at a login screen instead of a useable television. And if you are not home,
> then you later on suffer the wrath of your family.
>

Agreed - but if someone doesn't know enough to make autologin work then
I'd question the security of anything else that someone set up -
including a firewall ;)

I think that when you start just hammering at problems (with root
privileges in this case) you may end up with a system that works today
but it isn't a 'proper' solution and if you continue to build on it then
you'll get bitten later - maybe when you set it up to connect to your
server to display your digital photos and *they* get blatted 'cos you
forgot a root_squash on the nfs mount?

I'd suggest running KnoppMyth if you can't/don't want to setup a generic
linux system. It has 'behave like an appliance' as a core objective; as
a result, things like autologin 'just work'.

David
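
An added example, not part of the original post and not MythTV code: the root_squash setting mentioned above is a per-client option in the NFS server's /etc/exports, and this sketch audits such a file for risky entries. The sample exports, paths and addresses are constructed, and the script assumes Linux exports(5) defaults (ro, root_squash) and the default sec=sys, where the server trusts the UID the client sends.

```python
import re

# Constructed sample /etc/exports for illustration (paths and hosts are made up).
SAMPLE_EXPORTS = """\
# media read by the MythTV frontend
/srv/video   192.168.1.20(ro)
/srv/photos  192.168.1.20(rw,sync)
/srv/backup  *(rw,no_root_squash)
/srv/scratch 192.168.1.0/24(rw,all_squash,anonuid=65534,anongid=65534)
"""

# One client entry: a host, network or wildcard, optionally followed by (options).
CLIENT_RE = re.compile(r"^([^()\s]+)(?:\(([^)]*)\))?$")


def audit_exports(text):
    """Return a list of (path, client, finding) tuples for risky exports."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if not m:
                findings.append((path, spec, "unparsed client spec"))
                continue
            client = m.group(1)
            opts = set(filter(None, (m.group(2) or "").split(",")))
            writable = "rw" in opts              # exports(5) default is ro
            if "no_root_squash" in opts:         # default is root_squash
                findings.append((path, client, "client root is root on the server"))
            if writable and "all_squash" not in opts:
                # With sec=sys, root on the client can take on any non-root UID.
                findings.append((path, client, "writable with client-supplied UIDs trusted"))
            if client == "*":
                findings.append((path, client, "exported to any host"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:13} {client:16} {finding}")
```
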


mtdean at thirdcontact

Jul 29, 2004, 11:13 AM

Post #3 of 6 (798 views)
Permalink
Re: Ways to improve TV Out quality[Scanned] [In reply to]

David wrote:

> I think that when you start just hammering at problems (with root
> privileges in this case) you may end up with a system that works
> today but it isn't a 'proper' solution and if you continue to build on
> it then you'll get bitten later - maybe when you set it up to connect
> to your server to display your digital photos and *they* get blatted
> 'cos you forgot a root_squash on the nfs mount?

Who needs root squash? If I've got root access on the Myth box, I can
do an ls -an on an NFS share, find the UID/GID of a user who has access
to the photos (or OpenOffice docs or GNUCash data or whatever), create a
user/group on the Myth box with proper ID's, and rm -rf the photos. NFS
security is implemented using filesystem permissions; therefore, only
UID/GID (not even username/group name) are checked to determine access
rights. Root squash only protects files owned by root on the NFS share
(and, most likely, there aren't many of those on a share), but it's
still something you should use.

Also, once I've got write access to some directory I can do things like
dd if=/dev/zero of=/mnt/sharename/some/buried/directory/.swp bs=64k to
fill up the NFS share partition, which can cause problems for other
services (including the Myth box) that use the share. And, if the
filesystem was created without reserved space (for root) and if it
contains the root partition, it could even crash the server.

Then there's changing the usernames/group names/passwords on the Myth
box (assuming you haven't set up all authentication on a separate
server) or the ownership/permissions of files on that box. That would
make it much more difficult for you to clean up my mess. Although your
autologin as root would ensure you have permission to fix the problems,
the hard part would be finding the mess to clean up.

All the above, though, is very destructive--and likely to cause you to
notice the problems--so how about we look at a more constructive use of
root access? I could set up a custom mini-web server (called
mythbackend or mythcommflag, of course, so it doesn't look out of place)
that distributes illegal copies of software, MP3's, or even the TV shows
you record and the music you store in MythMusic, but--to prevent you
from finding anything I add or deleting anything you put there (after
all, just because you watched West Wing doesn't mean that everyone else
in the mIRC channel has seen it)--I'll have the web server grab a
filehandle to the files (and make sure I delete the ones I add so you
don't find them). The filesystem won't remove the files until all
filehandles are released, so they don't appear in your directories
(you'd have to find them in /proc or /sys), but they're still available
for serving. Now, I've got free, non-attribution storage and bandwidth
available thanks to your allowing me in to your "unimportant" server.
Before long, the BSA/RIAA/MPAA police will be knocking on your door,
confiscating your computers, and fining you some exorbitant amount of
money based on your income and savings...

And much, much more. In other words, David is exactly right. Running
as root is far more dangerous than you might think--even if the data on
that machine is unimportant.

Mike

P.S. I don't do these things, but I'm aware that someone could do them
on my systems if I configure them incorrectly.
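
An added example, not part of the original post: the files described above, unlinked but still held open by a process, can be found by reading the descriptor links under /proc, which is what this detection sketch does. The fake /proc tree, PIDs and file paths are constructed so the scan runs without root; on a real system call `find_deleted_open_files()` with its default argument.

```python
import os
import tempfile


def find_deleted_open_files(proc_root="/proc"):
    """Return (pid, fd, path) for every descriptor whose target was unlinked."""
    hits = []
    for pid in sorted(e for e in os.listdir(proc_root) if e.isdigit()):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:          # process exited, or not ours and we are not root
            continue
        for fd in sorted(fds, key=int):
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:      # descriptor closed between listdir and readlink
                continue
            # The kernel appends " (deleted)" to the link text of an unlinked file.
            if target.startswith("/") and target.endswith(" (deleted)"):
                hits.append((int(pid), int(fd), target[: -len(" (deleted)")]))
    return hits


def build_fake_proc(root):
    """Constructed stand-in for /proc so the scan can be shown without root."""
    layout = {
        "1201": {"0": "/dev/null", "3": "/var/log/mythtv/mythbackend.log"},
        "4242": {"4": "/var/video/.cache/a.nuv (deleted)", "5": "socket:[9911]"},
    }
    for pid, fds in layout.items():
        os.makedirs(os.path.join(root, pid, "fd"))
        for fd, target in fds.items():
            os.symlink(target, os.path.join(root, pid, "fd", fd))
    os.makedirs(os.path.join(root, "sys"))   # non-numeric entries are skipped


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root)
        return find_deleted_open_files(root)


if __name__ == "__main__":
    for pid, fd, path in demo():
        print(f"pid {pid} fd {fd} holds deleted file {path}")
```

Run as root against the real /proc to cover every process; expect benign hits too, such as temporary files and shared-memory segments that programs unlink on purpose.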


mythtv at ml

Jul 30, 2004, 1:34 AM

Post #4 of 6 (785 views)
Permalink
Re: Ways to improve TV Out quality[Scanned] [In reply to]

Jason Keirstead <mythtv [at] keirstead> uttered the following thing:
> On July 29, 2004 11:24 am, Mark Maas wrote:
> > > Functionality 1st, security 2nd in this case... sorry.
> >
> > You're lucky I've got a pacemaker... Or you would be hearing from my
> > lawyer.
> >
> > BTW, what was your IP again? ;-) I already got some usernames...
>
> I have to agree with the poster, I have my myth set up similarly.
>
> Who cares about security in this case? What is the absolute worst that you
> could do (assuming you can get onto my home LAN to log into it), erase my TV
> shows? It's not like a myth box contains vital, secure data.

This is not the attitude to use for computer security.

If someone manages to get into a box of yours, sure there may be nothing
on the box you care about, but what about attackers who launch attacks
from your box? Spammers are sending most spam from people whose boxes
are insecure because 'they have nothing important', but you're seeing
the results of this lax security in your mailbox.

Always ensure that any system is secure, no matter how uninteresting the
data is. What if your ISP cuts you off for abuse?

If you must have a mythtv box configured like this, then _please_ do the
net a favour and make sure no one can get in from the network. Physical
security isn't important in most situations (mythtv boxes tend to be at
home), but network security is vital for everything.

--
Ben Buxton - Random Network Person


garry at sneakyninja

Jul 30, 2004, 2:16 AM

Post #5 of 6 (790 views)
Permalink
Re: Re: Ways to improve TV Out quality[Scanned] [In reply to]

Ben Buxton wrote:

>Jason Keirstead <mythtv [at] keirstead> uttered the following thing:
>
>
>>On July 29, 2004 11:24 am, Mark Maas wrote:
>>
>>
>>>>Functionality 1st, security 2nd in this case... sorry.
>>>>
>>>>
>>>You're lucky I've got a pacemaker... Or you would be hearing from my
>>>lawyer.
>>>
>>>BTW, what was your IP again? ;-) I already got some usernames...
>>>
>>>
>>I have to agree with the poster, I have my myth set up similarly.
>>
>>Who cares about security in this case? What is the absolute worst that you
>>could do (assuming you can get onto my home LAN to log into it), erase my TV
>>shows? It's not like a myth box contains vital, secure data.
>>
>>
>
>This is not the attitude to use for computer security.
>
>If someone manages to get into a box of yours, sure there may be nothing
>on the box you care about, but what about attackers who launch attacks
>from your box? Spammers are sending most spam from people whose boxes
>are insecure because 'they have nothing important', but you're seeing
>the results of this lax security in your mailbox.
>
>Always ensure that any system is secure, no matter how uninteresting the
>data is. What if your ISP cuts you off for abuse?
>
>If you must have a mythtv box configured like this, then _please_ do the
>net a favour and make sure no one can get in from the network. Physical
>security isn't important in most situations (mythtv boxes tend to be at
>home), but network security is vital for everything.
>
>
>
At the risk of wandering O.T, I feel a reply is needed :-)

It's all about balance.

Whilst reading back on my posts I sound ever so slightly clueless, I'm
not quite as dumb as I sound.

Back when I was adminning AS/400's running financial systems, security
was top priority, screw the inconvenience. On the server now running my
mail server and hosting my website, yes, security is a concern so it's
ssh only, restricted access and another firewall. And on my Linux
desktop, I log in as myself and sudo root when necessary, and only then.
(I am well aware of the damage root can do)

Regarding my firewall, no I didn't set that up myself. I recognised the
fact that my knowledge wasn't deep enough, and a Linux Admin friend of
mine was kind enough to sort that for me. (regular patches applied, no
remote root login etc)

As for the Myth machine, it records locally and reads video files from
another machine, which has a read only NFS share on it. It runs only
enough to support Myth and is only accessible from the outside via port
forwarding on the Firewall (to a nonstandard port, then .htaccess).
Local usage is via IR remote only, and if someone can get to the
keyboard, I've got bigger things to worry about.

But that being said, Myth is complicated enough to set up without
security and permission hassles, so a little root access, and some chmod
777's smooth the way :-)

(Could be worse, I could run IIS :-D )

-Garry.


hamish at cloud

Jul 30, 2004, 2:49 AM

Post #6 of 6 (798 views)
Permalink
Re: Ways to improve TV Out quality[Scanned] [In reply to]

On Thu, Jul 29, 2004 at 11:53:20AM -0300, Jason Keirstead wrote:
> Auto log-in is a requirement for a useable myth setup IMO.

Yep, but auto log-in to the root account isn't.


Hamish
--
Hamish Moffatt VK3SB <hamish [at] debian> <hamish [at] cloud>
