Hello,
the INSTALL file in the VDR source code says:
WARNING: DUE TO THE OPEN SVDRP PORT THIS PROGRAM MAY CONSTITUTE A POTENTIAL SECURITY HAZARD! IF YOU ARE NOT RUNNING VDR IN A CONTROLLED ENVIRONMENT, YOU MAY WANT TO DISABLE SVDRP BY USING '--port=0'!
This is a solution, but it also makes it impossible to use svdrpsend.pl on the local VDR, so scripts which want to send status messages to VDR fail, and it becomes impossible to remap the power key to call "svdrpsend.pl HITK POWER".
A much better solution would be to allow to just open the SVDRP port on "localhost", so only local software is able to use it and the port is not accessible from network.
I've attached a patch, which makes the following command line a valid command line for VDR:
vdr -p 127.0.0.1:2001
Any other IP may be specified, too, for example to get VDR to listen only on one NIC on a machine with multiple NICs.
The patch is only a proof of concept. It uses a global variable to hold the IP, as this was the minimally invasive way to modify VDR. This should be changed in a final version of the patch. I'll make a nicer version if Klaus thinks that this feature may be interesting for VDR. The patch can be applied to VDR 1.6.0-2 with or without the extensions patch, and to VDR 1.7.10. I didn't try 1.7.11, but most probably the patch will work there, too.
Yours
Manuel Reimer
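The "-p 127.0.0.1:2001" syntax proposed above, worked through as an added example in C++ (this is neither the attached patch nor VDR's own code): it parses the optional address prefix, binds the listener to exactly that address, and reads the bound address back with getsockname() so that "only reachable from localhost" can be verified instead of assumed. The parsing rule (a plain port number keeps the current bind-to-all behaviour, "0" keeps the existing disable semantics), the SvdrpBind struct and the function names are assumptions of this example; it handles IPv4 only, like the addresses in the thread.

```cpp
// Added example (not VDR's code): parse a hypothetical "-p [IP:]PORT" argument
// and bind the SVDRP listening socket to that address only.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <cstdio>
#include <cstdlib>
#include <string>

struct SvdrpBind {
  std::string ip;  // dotted quad to bind to; "0.0.0.0" means every interface
  int port;        // 0 disables SVDRP (the existing --port=0 behaviour)
  bool ok;         // false if the argument could not be parsed
};

// "2001" -> bind to all interfaces (today's behaviour); "127.0.0.1:2001" -> bind
// to that address only. The syntax is the one proposed in the thread.
SvdrpBind ParseSvdrpPort(const std::string &arg) {
  SvdrpBind r{"0.0.0.0", 0, false};
  std::string portPart = arg;
  std::string::size_type colon = arg.rfind(':');
  if (colon != std::string::npos) {
    r.ip = arg.substr(0, colon);
    portPart = arg.substr(colon + 1);
    in_addr a;
    if (inet_pton(AF_INET, r.ip.c_str(), &a) != 1)
      return r;  // not a valid IPv4 address
  }
  if (portPart.empty()) return r;
  char *end = nullptr;
  long p = strtol(portPart.c_str(), &end, 10);
  if (*end != '\0' || p < 0 || p > 65535) return r;
  r.port = static_cast<int>(p);
  r.ok = true;
  return r;
}

// Opens a listening TCP socket bound to ip:port. Returns the fd, or -1 on error.
int OpenSvdrpSocket(const std::string &ip, int port) {
  int fd = socket(AF_INET, SOCK_STREAM, 0);
  if (fd < 0) return -1;
  int one = 1;
  setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
  sockaddr_in addr{};
  addr.sin_family = AF_INET;
  addr.sin_port = htons(static_cast<uint16_t>(port));
  if (inet_pton(AF_INET, ip.c_str(), &addr.sin_addr) != 1 ||
      bind(fd, reinterpret_cast<sockaddr *>(&addr), sizeof(addr)) < 0 ||
      listen(fd, 1) < 0) {
    close(fd);
    return -1;
  }
  return fd;
}

// Reports the address the kernel actually bound, so the caller can check that
// the listener really is loopback-only rather than trusting the argument.
std::string BoundAddress(int fd) {
  sockaddr_in addr{};
  socklen_t len = sizeof(addr);
  if (getsockname(fd, reinterpret_cast<sockaddr *>(&addr), &len) < 0) return "";
  char buf[INET_ADDRSTRLEN];
  inet_ntop(AF_INET, &addr.sin_addr, buf, sizeof(buf));
  return std::string(buf);
}

int main(int argc, char **argv) {
  SvdrpBind b = ParseSvdrpPort(argc > 1 ? argv[1] : "127.0.0.1:2001");
  if (!b.ok) { fprintf(stderr, "bad -p argument\n"); return 1; }
  if (b.port == 0) { printf("SVDRP disabled\n"); return 0; }
  int fd = OpenSvdrpSocket(b.ip, b.port);
  if (fd < 0) { perror("bind"); return 1; }
  printf("SVDRP listening on %s:%d\n", BoundAddress(fd).c_str(), b.port);
  close(fd);
  return 0;
}
```

The same check from outside the process is `ss -ltn` (or `netstat -ltn` on older systems): with the loopback bind the SVDRP line shows 127.0.0.1:2001 instead of 0.0.0.0:2001, which is the state an administrator who wants a minimum of externally reachable ports is actually after.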
On 08.01.2010 13:27, Manuel Reimer wrote:
Hello,
the INSTALL file in the VDR source code says:
WARNING: DUE TO THE OPEN SVDRP PORT THIS PROGRAM MAY CONSTITUTE A POTENTIAL SECURITY HAZARD! IF YOU ARE NOT RUNNING VDR IN A CONTROLLED ENVIRONMENT, YOU MAY WANT TO DISABLE SVDRP BY USING '--port=0'!
This is a solution, but it also makes it impossible to use svdrpsend.pl on the local VDR, so scripts which want to send status messages to VDR fail, and it becomes impossible to remap the power key to call "svdrpsend.pl HITK POWER".
A much better solution would be to allow to just open the SVDRP port on "localhost", so only local software is able to use it and the port is not accessible from network.
I've attached a patch, ...
What about svdrphosts.conf?
#
# svdrphosts    This file describes a number of host addresses that
#               are allowed to connect to the SVDRP port of the Video
#               Disk Recorder (VDR) running on this system.
# Syntax:
#
# IP-Address[/Netmask]
#

127.0.0.1             # always accept localhost
#192.168.100.0/24     # any host on the local net
#204.152.189.113      # a specific host
#0.0.0.0/0            # any host on any net (USE THIS WITH CARE!)
Klaus
-------- Original Message --------
Date: Fri, 08 Jan 2010 14:57:12 +0100
From: Klaus Schmidinger Klaus.Schmidinger@tvdr.de
To: VDR Mailing List vdr@linuxtv.org
Subject: Re: [vdr] [Patch] Allow to limit SVDRP port to given IP
What about svdrphosts.conf?
It just denies someone access. The port is still available, accessible and in the worst case also attackable. IIRC it is even required to accept the connection first, to find out the IP of the computer which tries to access it, and then to drop the connection in a second step. IMHO the better way, from the security standpoint, is to get the port closed, so a potential attacker isn't able to get to it at all. Most other daemons which open ports allow such configuration, like cups, apache and others.
svdrphosts.conf, of course, is still needed for fine-grained configuration of allowed hosts (other daemons also have this), but limiting the port to localhost would be the better alternative to just disabling SVDRP by setting the port to zero, as currently recommended in the INSTALL file. If someone wants to configure his system to have a minimum of ports opened to the outside world (like me), then *disabling* SVDRP is never a good solution, as this breaks scripts and other external features.
The only thing I'm unsure about is whether we really need to specify an IP. A simple switch like "--svdrp-localhost" (or similar) would also do the job. But my first solution has the advantage that no additional switch is needed.
Yours
Manuel
On 08.01.2010 16:56, Manuel Reimer wrote:
-------- Original Message --------
Date: Fri, 08 Jan 2010 14:57:12 +0100
From: Klaus Schmidinger Klaus.Schmidinger@tvdr.de
To: VDR Mailing List vdr@linuxtv.org
Subject: Re: [vdr] [Patch] Allow to limit SVDRP port to given IP
What about svdrphosts.conf?
It just denies someone access. The port is still available, accessible and in the worst case also attackable. IIRC it is even required to accept the connection first, to find out the IP of the computer which tries to access it, and then to drop the connection in a second step. IMHO the better way, from the security standpoint, is to get the port closed, so a potential attacker isn't able to get to it at all. Most other daemons which open ports allow such configuration, like cups, apache and others.
svdrphosts.conf, of course, is still needed for fine-grained configuration of allowed hosts (other daemons also have this), but limiting the port to localhost would be the better alternative to just disabling SVDRP by setting the port to zero, as currently recommended in the INSTALL file. If someone wants to configure his system to have a minimum of ports opened to the outside world (like me), then *disabling* SVDRP is never a good solution, as this breaks scripts and other external features.
The only thing I'm unsure about is whether we really need to specify an IP. A simple switch like "--svdrp-localhost" (or similar) would also do the job. But my first solution has the advantage that no additional switch is needed.
How about this: if svdrphosts.conf contains only one single IP number, then open the port for only that IP number. Otherwise it needs to be opened generally, anyway.
BTW: please don't CC: me - I am subscribed to the list ;-)
Klaus
Hi!
Klaus Schmidinger wrote:
How about this: if svdrphosts.conf contains only one single IP number, then open the port for only that IP number. Otherwise it needs to be opened generally, anyway.
AFAIK one can only bind an IP socket to a local address (usually corresponding to a network interface, e.g. 127.0.0.1) or 0.0.0.0, so if I want to accept SVDRP _from_ a specific address via eth0, I have to bind to the address configured on eth0.
As I get the peer address via accept(), I can directly determine if I want to "risk" talking to (or even reading from) it; I assume VDR does exactly this by looking up the address in svdrphosts.conf.
IMHO: If there is a vulnerability that is effective when one only calls accept(), this is a problem of the OS (Kernel/libc). If one is really paranoid, there's always netfilter.
Ciao
Martin
Hello,
How about this: if svdrphosts.conf contains only one single IP number, then open the port for only that IP number. Otherwise it needs to be opened generally, anyway.
You are absolutely right!
So if svdrphosts.conf only contains "127.0.0.1" (which is the default), then the port would be opened locally only.
I'll try to find an easy way to add this and post a new patch as soon as possible.
CU
Manuel
How about this: if svdrphosts.conf contains only one single IP number, then open the port for only that IP number. Otherwise it needs to be opened generally,
This only works if the single line in svdrphosts.conf is 127.0.0.1.
But how about this much simpler solution: if svdrphosts.conf is missing or empty, bind to localhost only. (And perhaps supply a sample svdrphosts.conf with all lines commented out.)
Olaf
On 09.01.2010 11:25, Olaf Titz wrote:
How about this: if svdrphosts.conf contains only one single IP number, then open the port for only that IP number. Otherwise it needs to be opened generally,
This only works if the single line in svdrphosts.conf is 127.0.0.1.
But how about this much simpler solution: if svdrphosts.conf is missing or empty, bind to localhost only. (And perhaps supply a sample svdrphosts.conf with all lines commented out.)
Sounds good to me. Patch welcome.
Klaus
-------- Original Message --------
Date: Sat, 09 Jan 2010 11:25:29 +0100
From: Olaf Titz olaf@bigred.inka.de
To: vdr@linuxtv.org
Subject: Re: [vdr] [Patch] Allow to limit SVDRP port to given IP
But how about this much simpler solution: if svdrphosts.conf is missing or empty, bind to localhost only. (And perhaps supply a sample svdrphosts.conf with all lines commented out.)
In both cases it's required to parse the information in some way. As VDR already has a class to parse the file, I'll try to create a new function in there, for example with the name "LocalhostOnly" or something like this. I don't think there's much difference between matching for "only contains comments" and "only contains comments or 127.0.0.1". If I just match for "file missing or empty (zero bytes)", then a file with just comments is not empty, even if VDR treats it as empty! Maybe it even blocks local connections, as the empty file doesn't have the whitelisting entry for 127.0.0.1!
CU
Manuel
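The svdrphosts.conf format Klaus quoted earlier and the "LocalhostOnly" check Manuel describes here, as an added example in C++ that is not VDR's cSVDRPhosts class and not any patch from this thread. It parses the file into address/mask entries, derives the bind address from them (127.0.0.1 when every entry lies inside 127.0.0.0/8, 0.0.0.0 otherwise) and keeps the accept-time peer check against the same entries. Assumptions of this example: the netmask is a prefix length as in the "192.168.100.0/24" sample line, addresses are IPv4 only, and an empty or comment-only file is treated as if it contained "127.0.0.1", which is how it avoids the failure mode Manuel points out (loopback bound, but local clients still rejected at accept time because the whitelist is empty). The class and function names are made up for this example.

```cpp
// Added example, not VDR's cSVDRPhosts: parse svdrphosts.conf, decide whether
// the whitelist is loopback-only (so SVDRP can be bound to 127.0.0.1 instead of
// 0.0.0.0), and do the accept-time peer check against the same entries.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

struct HostEntry { uint32_t addr; uint32_t mask; };  // host byte order; addr already masked

// Parses "IP-Address[/Netmask]" with the netmask given as a prefix length, as in
// the "192.168.100.0/24" sample line. IPv4 only, like the thread's examples.
static bool ParseEntry(const std::string &s, HostEntry &e) {
  std::string ip = s, bitsStr;
  std::string::size_type slash = s.find('/');
  if (slash != std::string::npos) { ip = s.substr(0, slash); bitsStr = s.substr(slash + 1); }
  in_addr a;
  if (inet_pton(AF_INET, ip.c_str(), &a) != 1) return false;
  e.mask = 0xFFFFFFFFu;
  if (!bitsStr.empty()) {
    char *end = nullptr;
    long bits = strtol(bitsStr.c_str(), &end, 10);
    if (*end != '\0' || bits < 0 || bits > 32) return false;
    e.mask = bits == 0 ? 0u : 0xFFFFFFFFu << (32 - bits);
  }
  e.addr = ntohl(a.s_addr) & e.mask;
  return true;
}

class SvdrpHosts {
public:
  // Loads the file contents. '#' starts a comment; blank lines are ignored.
  // Returns false on an unparsable entry. An empty or comment-only file is
  // treated as if it contained "127.0.0.1" (assumption of this example), so
  // binding to loopback does not also reject local clients at accept time.
  bool Load(const std::string &contents) {
    entries.clear();
    std::istringstream in(contents);
    std::string line;
    while (std::getline(in, line)) {
      std::string::size_type hash = line.find('#');
      if (hash != std::string::npos) line.erase(hash);
      std::istringstream fields(line);
      std::string token;
      if (!(fields >> token)) continue;  // blank or comment-only line
      HostEntry e;
      if (!ParseEntry(token, e)) return false;
      entries.push_back(e);
    }
    if (entries.empty()) entries.push_back(HostEntry{0x7F000001u, 0xFFFFFFFFu});
    return true;
  }
  // True if every entry lies inside 127.0.0.0/8, i.e. no non-loopback peer
  // could ever pass the whitelist, so the port need not be opened on any NIC.
  bool LocalhostOnly() const {
    const uint32_t net8 = 0xFF000000u;
    for (const HostEntry &e : entries)
      if ((e.mask & net8) != net8 || (e.addr & net8) != 0x7F000000u) return false;
    return true;
  }
  // Address to hand to bind(): loopback only when the whitelist allows nothing else.
  std::string BindAddress() const { return LocalhostOnly() ? "127.0.0.1" : "0.0.0.0"; }
  // Accept-time check on the peer address returned by accept().
  bool Acceptable(const std::string &peer) const {
    in_addr a;
    if (inet_pton(AF_INET, peer.c_str(), &a) != 1) return false;
    uint32_t p = ntohl(a.s_addr);
    for (const HostEntry &e : entries)
      if ((p & e.mask) == e.addr) return true;
    return false;
  }
private:
  std::vector<HostEntry> entries;
};

int main() {
  // Constructed sample: the shipped default with only the localhost line active.
  const char *sample =
      "127.0.0.1             # always accept localhost\n"
      "#192.168.100.0/24     # any host on the local net\n";
  SvdrpHosts hosts;
  if (!hosts.Load(sample)) { fprintf(stderr, "bad svdrphosts.conf\n"); return 1; }
  printf("bind SVDRP to %s\n", hosts.BindAddress().c_str());
  printf("192.168.100.5 acceptable: %s\n", hosts.Acceptable("192.168.100.5") ? "yes" : "no");
  return 0;
}
```

Keeping the bind decision and the accept-time check on the same parsed entries is the point: uncommenting the 192.168.100.0/24 line both opens the port on all interfaces and lets those peers through, while a file that only names loopback never exposes the port to a NIC at all, and the accept-time check still applies as a second layer once the port is open.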
2010/1/9 Manuel Reimer Manuel.Reimer@gmx.de:
-------- Original Message --------
Date: Sat, 09 Jan 2010 11:25:29 +0100
From: Olaf Titz olaf@bigred.inka.de
To: vdr@linuxtv.org
Subject: Re: [vdr] [Patch] Allow to limit SVDRP port to given IP
But how about this much simpler solution: if svdrphosts.conf is missing or empty, bind to localhost only. (And perhaps supply a sample svdrphosts.conf with all lines commented out.)
In both cases it's required to parse the information in some way. As VDR already has a class to parse the file, I'll try to create a new function in there, for example with the name "LocalhostOnly" or something like this. I don't think there's much difference between matching for "only contains comments" and "only contains comments or 127.0.0.1". If I just match for "file missing or empty (zero bytes)", then a file with just comments is not empty, even if VDR treats it as empty! Maybe it even blocks local connections, as the empty file doesn't have the whitelisting entry for 127.0.0.1!
CU
Manuel
vdr mailing list vdr@linuxtv.org http://www.linuxtv.org/cgi-bin/mailman/listinfo/vdr
I would prefer a bind-to-interface option; if it is not specified via a command line parameter, then only bind to the lo interface. Some guys require plugins that also add SVDRP commands for VDR networked clients, remote menus etc.