Security for Debian Based Distributions 2

Earlier Version

This hopefully limits the run time to one hour, disk usage to 100MB, write access to /home/shepherd and the number of processes to 20, and increases latency with nice. It may also limit CPU time to one hour, memory to 200k and the size of created files to 20MB, but these limits might not work. It also uses a restricted shell (rbash).

It would be nice if it were also possible to limit CPU percentage (perhaps with usleeps for frame-capture devices), restrict read access and the set of executable programs without a chroot jail, enforce a disk quota for disk usage, and limit network usage.


Save the following as tv_grab_au:

#!/bin/bash
# Copyright 2007 Paul Andreassen

# Test with: nice mythfilldatabase --update --graboptions "--quiet" >> /var/log/mythtv/filldatabase.log 2>&1
# Stop with: sudo /usr/bin/pkill -U shepherd

# mythfilldatabase Arguments: --update --graboptions "--quiet"
# mythfilldatabase Log Path: /var/log/mythtv/filldatabase.log

# /etc/sudoers:mythtv  ALL=(ALL) NOPASSWD: /usr/bin/pkill -U shepherd, /usr/bin/pkill -9 -U shepherd, /bin/su - shepherd -s /bin/rbash -c *

# For freetv only set SCALE=1 but for freetv and paytv set SCALE=4
SCALE=1
MAX_EXECUTE_TIME_SECONDS=$(( $SCALE *   4 *   60 *   60 ))
MAX_CPU_TIME=$((             $SCALE *  60 *   60 ))
MAX_MEMORY_RESIDENT=$((      $SCALE * 200 * 1024 ))
MAX_MEMORY_VIRTUAL=$((       $SCALE * 400 * 1024 ))
MAX_DISK_SPACE_KB=$((        $SCALE * 100 * 1024 ))
MAX_FILES_CREATED_SIZE=$((   $SCALE *  20 * 1024 ))
MAX_PROCESSES=20
TIME_PROGRAM=/usr/bin/time
DISABLED_FILE=/var/lib/mythtv/shepherd.disabled
SHEPHERD_OUTPUT=/home/shepherd/.shepherd/output.xmltv

# Refuse to run once a previous run has tripped a limit (the marker file is
# created below and must be removed by hand after looking at the log).
if [ -f $DISABLED_FILE ]; then
  echo "tv_grab_au: Not executing Shepherd because disabled file exists!"
  exit 1
fi

# Refuse to start a second copy while one is still running as shepherd.
if pgrep -U shepherd > /dev/null; then
  echo "tv_grab_au: Not executing Shepherd because already running!"
  exit 2
fi

# User shepherd can't write to user mythtv's output file, so strip
# "--output FILE" from the arguments, remember FILE, and copy the result
# into it afterwards (see below).
for PARAM; do
  if [ "$TVGRABAU_OUTPUT_NEXT" = "" ]; then
    if [ "$PARAM" != "--output" ]; then
      SHEPHERD_PARAMS="$SHEPHERD_PARAMS $PARAM"
    else
      TVGRABAU_OUTPUT_NEXT=TRUE
    fi
  else
    TVGRABAU_OUTPUT=$PARAM
    TVGRABAU_OUTPUT_NEXT=
  fi
done

# Wall-clock watchdog: if this wrapper is still alive and shepherd is still
# running after MAX_EXECUTE_TIME_SECONDS, disable future runs and kill it
# (TERM first, then KILL).
SHELL_PID=$$
Max_Execute_Time_Check ()
{
  sleep $MAX_EXECUTE_TIME_SECONDS
  if ps -p $SHELL_PID &>/dev/null && pgrep -U shepherd &> /dev/null; then
    echo "tv_grab_au: Killing Shepherd because running too long!"
    touch $DISABLED_FILE
    sudo /usr/bin/pkill -U shepherd
    sleep 10
    sudo /usr/bin/pkill -9 -U shepherd
  fi
}
Max_Execute_Time_Check &
TIME_CHECK_PID=$!

# Commands run as user shepherd in the restricted shell: rotate the previous
# output, apply the per-process resource limits, then start shepherd.
EXECUTE_SHEPHERD="alias ls=exit
savelog -c 9 -n -q $SHEPHERD_OUTPUT
ulimit -t $MAX_CPU_TIME -m $MAX_MEMORY_RESIDENT -v $MAX_MEMORY_VIRTUAL -f $MAX_FILES_CREATED_SIZE -u $MAX_PROCESSES
/home/shepherd/.shepherd/shepherd $SHEPHERD_PARAMS"
# The su invocation must match the /etc/sudoers entry quoted at the top.
$TIME_PROGRAM nice sudo /bin/su - shepherd -s /bin/rbash -c "$EXECUTE_SHEPHERD"
EXIT=$?

kill $TIME_CHECK_PID &> /dev/null
sleep 2
kill -n 9 $TIME_CHECK_PID &> /dev/null

if [ "$TVGRABAU_OUTPUT" != "" ]; then
  if [ -f $SHEPHERD_OUTPUT ]; then 
    cp $SHEPHERD_OUTPUT $TVGRABAU_OUTPUT
  elif [ -f ${SHEPHERD_OUTPUT}.0 ]; then 
    cp ${SHEPHERD_OUTPUT}.0 $TVGRABAU_OUTPUT
  else
    echo "tv_grab_au: Can't find Shepherd output file!"
  fi
fi

# Disk usage of shepherd's home in KB (du prints "<kb><tab><path>").
SIZE=$(du -s -B 1024 /home/shepherd/)
SIZE=${SIZE%%/*}
if (( $SIZE > $MAX_DISK_SPACE_KB )); then
  echo "tv_grab_au: Disabling Shepherd because using too much disk space!"
  touch $DISABLED_FILE
fi

if (( $EXIT != 0 )); then
  echo "tv_grab_au: Disabling Shepherd because it exited with an error!"
  touch $DISABLED_FILE
fi

exit $EXIT
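The three controls the wrapper above combines (argument filtering, ulimit plus a wall-clock watchdog that drops the disabled marker, and the disk-usage check) as standalone POSIX shell functions that can be exercised against a scratch directory. This is an added example and not the page's script; the sudo/su/rbash layer is left out so it runs unprivileged, and the function names and argument order are assumptions.

```shell
#!/bin/sh
# Added example, not the page's tv_grab_au: the wrapper's controls as functions
# that run unprivileged against a scratch directory (no sudo/su/rbash layer).

# Strip "--output FILE" from the grabber arguments so the grabber never writes
# straight into the caller's file. Prints FILE on line 1, the rest on line 2.
split_output_arg() {
  out="" expect_file="" params=""
  for p in "$@"; do
    if [ -n "$expect_file" ]; then out=$p; expect_file=""
    elif [ "$p" = "--output" ]; then expect_file=1
    else params="$params $p"; fi
  done
  printf '%s\n%s\n' "$out" "${params# }"
}

# run_limited WALL_SECS CPU_SECS FILE_BLOCKS DISABLED_FILE CMD...
# Runs CMD under ulimit -t/-f in a subshell. A watchdog kills it when the
# wall-clock budget runs out and drops DISABLED_FILE, which a caller checks
# before the next run (as tv_grab_au does). Returns CMD's exit status, or 124
# when the watchdog fired.
run_limited() {
  wall=$1 cpu=$2 fsize=$3 disabled=$4; shift 4
  ( ulimit -t "$cpu"; ulimit -f "$fsize"; exec "$@" ) &
  cmd_pid=$!
  ( sleep "$wall"; kill "$cmd_pid" 2>/dev/null && touch "$disabled" ) \
    >/dev/null 2>&1 &
  wd_pid=$!
  rc=0; wait "$cmd_pid" || rc=$?
  kill "$wd_pid" 2>/dev/null
  [ -f "$disabled" ] && rc=124
  return $rc
}

# disk_over_budget DIR MAX_KB: true when DIR uses more than MAX_KB (du -sk).
disk_over_budget() {
  used=$(du -sk "$1" | cut -f1)
  [ "$used" -gt "$2" ]
}
```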

For Debian, first install sudo:

su
apt-get install sudo

and then, for every distribution:

sudo -i
adduser --system --group --disabled-password --shell /bin/sh shepherd
su - shepherd
wget http://www.whuffy.com/shepherd/shepherd
perl shepherd

Configure shepherd.

rm shepherd
exit
echo -e '\nmythtv  ALL=(ALL) NOPASSWD: /usr/bin/pkill -U shepherd, /usr/bin/pkill -9 -U shepherd, /bin/su - shepherd -s /bin/rbash -c *\n' >> /etc/sudoers
cp tv_grab_au /usr/local/bin/tv_grab_au
rm /etc/cron.daily/mythtv-backend

In mythfrontend: Utilities/Setup -> Setup -> General -> Next -> Next -> Next -> Next -> Next -> Next

Select: Automatically run mythfilldatabase
mythfilldatabase Path: mythfilldatabase
mythfilldatabase Arguments: --update --graboptions "--quiet"
mythfilldatabase Log Path: /var/log/mythtv/filldatabase.log
mythfilldatabase Run Frequency (Days): 1
mythfilldatabase Execution Start: 6
mythfilldatabase Execution End: 10
Unselect: Run mythfilldatabase at time suggested by the grabber.

Test it with:

su - mythtv
nice mythfilldatabase --update --graboptions "--quiet" >> /var/log/mythtv/filldatabase.log 2>&1

To stop it at any time:

sudo /usr/bin/pkill -U shepherd