Starting vlc-0.9.0 as root

*nix specific usage questions
Gujs
Blank Cone
Blank Cone
Posts: 74
Joined: 22 Oct 2004 19:28

Starting vlc-0.9.0 as root

Postby Gujs » 18 Jul 2008 14:26

Hello,

Need some help with starting vlc with root user. I tried this:

Code: Select all

vlc -vvv VLC is not supposed to be run as root. Sorry. If you need to use real-time priorities and/or privileged TCP ports you can use /usr/bin/vlc-wrapper (make sure it is Set-UID root first and cannot be run by non-trusted users first).
And then I tried:

Code: Select all

vlc-wrapper -vvv Cannot determine unprivileged user for VLC!
Can somebody help me enable root user to be able starting vlc.

Thanks,
Gregor

kmf31
Cone that earned his stripes
Cone that earned his stripes
Posts: 308
Joined: 11 Mar 2007 21:47

Re: Starting vlc-0.9.0 as root

Postby kmf31 » 18 Jul 2008 20:36

Why do you need to run vlc as root ?

Do you call vlc-wrapper as "root" or a simple "user" ? I think you should do the second and then vlc will have eventual root-priviliges (if you really need them and provided that vlc-wrapper is indeed setuid).

Gujs
Blank Cone
Blank Cone
Posts: 74
Joined: 22 Oct 2004 19:28

Re: Starting vlc-0.9.0 as root

Postby Gujs » 18 Jul 2008 23:12

Do you know how to setuid for starting vlc with vlc-wrapper?

silencer
New Cone
New Cone
Posts: 1
Joined: 19 Jul 2008 04:08

Re: Starting vlc-0.9.0 as root

Postby silencer » 19 Jul 2008 04:21

I would like to know it too.

I need to execute vlc as root because, well... I always use the root account (I know, I know, I shouldn't :))

greets! :)
silencer

Gujs
Blank Cone
Blank Cone
Posts: 74
Joined: 22 Oct 2004 19:28

Re: Starting vlc-0.9.0 as root

Postby Gujs » 21 Jul 2008 09:44

For now I just compiled vlc with this code commented out from source in src/vlc.c file:

Code: Select all

/* if (geteuid () == 0) { fprintf (stderr, "VLC is not supposed to be run as root. Sorry.\n" "If you need to use real-time priorities and/or privileged TCP ports\n" "you can use %s-wrapper (make sure it is Set-UID root first and\n" "cannot be run by non-trusted users first).\n", ppsz_argv[0]); return 1; } */
This is just temporary solution until I find out how to use vlc-wrapper.

Regards,
Gregor

xtophe
Big Cone-huna
Big Cone-huna
Posts: 1209
Joined: 24 Nov 2003 10:12
Location: Bristol, England

Re: Starting vlc-0.9.0 as root

Postby xtophe » 21 Jul 2008 13:06

for setuid, see the manual of chmod.

for the use of vlc-wrapper i think it's supposed to be used from sudo.
So as a normal user: sudo vlc-wrapper ....

if you launch it as root you can also try to use the VLC_USER environement variable

hth,
Xtophe

gjs278
New Cone
New Cone
Posts: 4
Joined: 01 Aug 2008 07:31

Re: Starting vlc-0.9.0 as root

Postby gjs278 » 01 Aug 2008 07:34

This was a pretty stupid idea on VLC's part. I really don't care about the security risks of using a video player on my root account, if I want to. Feel free to warn me. I don't see any reason in preventing me from doing it though. Seriously, stick with making video players, preach to me later. Linux is supposed to be all about choice, and right now you've really limited me.

Rémi Denis-Courmont
Developer
Developer
Posts: 15265
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux
Contact:

Re: Starting vlc-0.9.0 as root

Postby Rémi Denis-Courmont » 02 Aug 2008 19:20

This was a pretty stupid idea on VLC's part.
The only stupid idea is yours.

Code: Select all

I really don't care about the security risks of using a video player on my root account,
Yeah, and we do care that our users do not expose themselves to needless security risks, and that they do not expose others as well. Without reckless users, we would not have botnets, you know. Besides, this is common industry practice (try to run Apache with "User root" for instance).
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

gjs278
New Cone
New Cone
Posts: 4
Joined: 01 Aug 2008 07:31

Re: Starting vlc-0.9.0 as root

Postby gjs278 » 05 Aug 2008 04:26

Yeah, and we do care that our users do not expose themselves to needless security risks, and that they do not expose others as well. Without reckless users, we would not have botnets, you know. Besides, this is common industry practice (try to run Apache with "User root" for instance).
Then why do you allow this thread to even exist? A user clearly pointed out the code to remove to get rid of your "feature", wouldn't that be putting the precious users at risk!? Imagine all the vicious bits and bytes going through his and everyone who followed his directions computers. Please put a stop to this!

Your Apache example doesn't work that well, it chooses to WARN you instead of completely stopping you. It clearly tells you a way to get around the root warning.

"If you still desire to serve pages as root then\n\tadd -DBIG_SECURITY_HOLE to the CFLAGS env variable"

VLC just tells me "I'm sorry captain, that is against my directive." While I appreciate your concerns for my security, and understand the risks of running as a root account, I don't see why you have to block me from doing something when a warning would just be good enough. Any problems (there won't be any) that result after that you can just blame on me.

Jean-Baptiste Kempf
Site Administrator
Site Administrator
Posts: 37523
Joined: 22 Jul 2005 15:29
VLC version: 4.0.0-git
Operating System: Linux, Windows, Mac
Location: Cone, France
Contact:

Re: Starting vlc-0.9.0 as root

Postby Jean-Baptiste Kempf » 05 Aug 2008 05:23

I don't like this thread, at all. I don't like the tone used here.

VLC must not be started as root for many reasons, security wise.

VLC hasn't had the same security audits that apache had. Therefore, as we don't want to be blame for those issues, we block the launch of VLC as root.
We are doing the support and this is difficult for us.

If you don't like this policy, then recompile your VLC to match this. If you don't like that this isn't mainline, then help us.

If you have a good reason to start VLC as root, I am all hears.
Jean-Baptiste Kempf
http://www.jbkempf.com/ - http://www.jbkempf.com/blog/category/Videolan
VLC media player developer, VideoLAN President and Sites administrator
If you want an answer to your question, just be specific and precise. Don't use Private Messages.

gjs278
New Cone
New Cone
Posts: 4
Joined: 01 Aug 2008 07:31

Re: Starting vlc-0.9.0 as root

Postby gjs278 » 05 Aug 2008 11:13

I don't like this thread, at all. I don't like the tone used here.

VLC must not be started as root for many reasons, security wise.

VLC hasn't had the same security audits that apache had. Therefore, as we don't want to be blame for those issues, we block the launch of VLC as root.
We are doing the support and this is difficult for us.

If you don't like this policy, then recompile your VLC to match this. If you don't like that this isn't mainline, then help us.

If you have a good reason to start VLC as root, I am all hears.
I have recompiled it and applied the changes. The only issue I have with that now is that VLC is out of my package manager and I won't receive updates, possibly important to security, in a timely fashion unless I manually check.

I'll be honest with you guys. It's a media player. I use it to play video formats that mplayer doesn't support right away and for streaming/dj purposes. I'm not running .m3u's filled with shellcode that'll cause buffer overflows that could potentially leave remote access to my pc even though that wouldn't get past the router firewall, I just want to play a couple of videos.

I appreciate your concern concerning me running my root account. It's a personal machine. I'm not running a server powering the user accounts for hundreds of web hosts, I'm just doing day to day stuff. I happen to dislike using sudo and having to type in my password every 30 minutes or whatever. I make system changes routinely and don't want to get stuck editing a file in the middle of vi only to find out I forgot to sudo it and will have to do that now.

Nobody goes on this machine but me. If a super exploit hits me through VLC, you guys can say I told you so. But so far, two years of running basically any application that I feel like under root has caused me no trouble. I have more than enough backups split across computers in my house to feel safe, and I would keep backing things up regardless if I'm root or a user account.

Would you guys block VLC from working on an administrator account in Windows? That's essentially what I'm doing on my machine. Of course you wouldn't. Basically all of your Window users are on admin accounts, that would be too unpopular. In that situation you could always tell the user to fix the code themselves, but this shouldn't be about only making options known to the knowledgeable. Someone who doesn't understand C code or compiling would be stuck right now in my situation.

At the least, there should be an opt-out for this "feature" short of recompiling the code.

Rémi Denis-Courmont
Developer
Developer
Posts: 15265
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux
Contact:

Re: Starting vlc-0.9.0 as root

Postby Rémi Denis-Courmont » 05 Aug 2008 16:56

We have been warning about not using root for several years. We meant it. Too many people have failed to take the warning into account, just because they could not be bothered to fix their configuration. If you need to access devices, put your non-privileged user into the right group. If you need to open files, fix the file or file systems permissions (you have root access anyway, right). If you need the HTTP, RTSP or HTTP/TLS port, use the vlc-wrapper. Same thing if you need real-time priorities (which probably do not work right anyway, except on OSX).

If VLC does not work as non-root, either your distro or your configuration is broken. Put the blame where it belongs. Not here.
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

Jean-Baptiste Kempf
Site Administrator
Site Administrator
Posts: 37523
Joined: 22 Jul 2005 15:29
VLC version: 4.0.0-git
Operating System: Linux, Windows, Mac
Location: Cone, France
Contact:

Re: Starting vlc-0.9.0 as root

Postby Jean-Baptiste Kempf » 05 Aug 2008 18:57

I don't like this thread, at all. I don't like the tone used here.

VLC must not be started as root for many reasons, security wise.

VLC hasn't had the same security audits that apache had. Therefore, as we don't want to be blame for those issues, we block the launch of VLC as root.
We are doing the support and this is difficult for us.

If you don't like this policy, then recompile your VLC to match this. If you don't like that this isn't mainline, then help us.

If you have a good reason to start VLC as root, I am all hears.
I have recompiled it and applied the changes. The only issue I have with that now is that VLC is out of my package manager and I won't receive updates, possibly important to security, in a timely fashion unless I manually check.

I'll be honest with you guys. It's a media player. I use it to play video formats that mplayer doesn't support right away and for streaming/dj purposes. I'm not running .m3u's filled with shellcode that'll cause buffer overflows that could potentially leave remote access to my pc even though that wouldn't get past the router firewall, I just want to play a couple of videos.

I appreciate your concern concerning me running my root account. It's a personal machine. I'm not running a server powering the user accounts for hundreds of web hosts, I'm just doing day to day stuff. I happen to dislike using sudo and having to type in my password every 30 minutes or whatever. I make system changes routinely and don't want to get stuck editing a file in the middle of vi only to find out I forgot to sudo it and will have to do that now.

Nobody goes on this machine but me. If a super exploit hits me through VLC, you guys can say I told you so. But so far, two years of running basically any application that I feel like under root has caused me no trouble. I have more than enough backups split across computers in my house to feel safe, and I would keep backing things up regardless if I'm root or a user account.

Would you guys block VLC from working on an administrator account in Windows? That's essentially what I'm doing on my machine. Of course you wouldn't. Basically all of your Window users are on admin accounts, that would be too unpopular. In that situation you could always tell the user to fix the code themselves, but this shouldn't be about only making options known to the knowledgeable. Someone who doesn't understand C code or compiling would be stuck right now in my situation.

At the least, there should be an opt-out for this "feature" short of recompiling the code.
You didn't answer why you need VLC as root...

Moreover, VLC is not 'just a media player', it is a network stream player, a server, a streamer and a transcoder and therefore dangerous for your security.
Jean-Baptiste Kempf
http://www.jbkempf.com/ - http://www.jbkempf.com/blog/category/Videolan
VLC media player developer, VideoLAN President and Sites administrator
If you want an answer to your question, just be specific and precise. Don't use Private Messages.

gjs278
New Cone
New Cone
Posts: 4
Joined: 01 Aug 2008 07:31

Re: Starting vlc-0.9.0 as root

Postby gjs278 » 06 Aug 2008 01:45

If VLC does not work as non-root, either your distro or your configuration is broken. Put the blame where it belongs. Not here.
That's not a problem at all for me. In fact, VLC would work perfectly on a user account. Except when I turn on my machine, I login to the root account. VLC would work just as well under the root account as a user account, except a slight "feature" is interfering.
You didn't answer why you need VLC as root...

Moreover, VLC is not 'just a media player', it is a network stream player, a server, a streamer and a transcoder and therefore dangerous for your security.
I need VLC as root because I login to X as root. I do all of my work as root. I enjoy never having to see the words "permission denied."

CraigG4C
New Cone
New Cone
Posts: 1
Joined: 10 Aug 2008 16:47

Re: Starting vlc-0.9.0 as root

Postby CraigG4C » 10 Aug 2008 17:38

You didn't answer why you need VLC as root...

Moreover, VLC is not 'just a media player', it is a network stream player, a server, a streamer and a transcoder and therefore dangerous for your security.
I also habitually run as root. I smoke and drink, too.

Look, we are the ones taking the risk. We understand the risk. We have decided to accept that risk, for whatever reason, on our particular machines. We are not doing it on an enterprise-mission-critical cluster of a dozen Xeons. It is our risk to take. We cheerfully and joyfully absolve you of any and all responsibility whatever when our machine is taken over by terrorists.

Thank you for the info. I promise that my patched version will live only, only, only on my little machine.

Here's my patch:

--- vlc-0.9.0-test3/src/vlc.c.orig 2008-08-03 15:21:35.000000000 -0400
+++ vlc-0.9.0-test3/src/vlc.c 2008-08-10 13:46:13.000000000 -0400
@@ -51,7 +51,8 @@
{
int i_ret;

- if (geteuid () == 0)
+#warning This version hacked to allow running by root, posing potentially severe security risks.
+ if (0 && (geteuid () == 0))
{
fprintf (stderr, "VLC is not supposed to be run as root. Sorry.\n"
"If you need to use real-time priorities and/or privileged TCP ports\n"

Jean-Baptiste Kempf
Site Administrator
Site Administrator
Posts: 37523
Joined: 22 Jul 2005 15:29
VLC version: 4.0.0-git
Operating System: Linux, Windows, Mac
Location: Cone, France
Contact:

Re: Starting vlc-0.9.0 as root

Postby Jean-Baptiste Kempf » 11 Aug 2008 19:50

Exactly, this is good.

However, to be sure only people who understand that what they do do it, and not clueless users, this will not be pushed in the main repo.

So compile it if you want it like that.
Jean-Baptiste Kempf
http://www.jbkempf.com/ - http://www.jbkempf.com/blog/category/Videolan
VLC media player developer, VideoLAN President and Sites administrator
If you want an answer to your question, just be specific and precise. Don't use Private Messages.

asergiu
New Cone
New Cone
Posts: 6
Joined: 19 Sep 2008 18:26

Re: Starting vlc-0.9.0 as root

Postby asergiu » 19 Sep 2008 18:43

I am not too much into it but here are my thoughts:

We all respect and like the work you are doing guys. VLC is just a great video player.
However do not forget that for a software to be successful it needs its client aproval - which is us - the vast mojority of people - some of us being involved directly into computers and software developement, security, etc (like I believe I am) - and others just simple computer users.

Altough is a good starting ideea to limit regular clients from from running vlc as root - think that there are many that might need this feature. Think to the many pocket size linux distributions, embedded systems that simply don't have other logins pre-configured. Simply trowing the blame on a distro - I think is merely infatuation.

We see limitations and control in all aspects of our lives lately: they don't let me carry water during a flight, they don't let you speed in many contries even on roads that are made for that, I have to take out shoes when embarking for a flight during security checks , etc. We have cameras pointed to us even in toilets.

Do you think this helps us live better and safer ? If you do that only means you have swalloed the stupid political waves imposed by the great powers of this world. In this case I feel pitty for you

2) YES would like to have vlc running as root - because this is a feature I need in an embedded system. But in your place instead of just stopping vlc in the very first lines of code I would add a command line argument (i.e. ---force-start-root or something) that would still allow me to launch as root if I need too. Don't just stop me brutally because you THINK your think better than others or that you have the alltime panaceea.


I would say more but I think you got the ideea - wee need to be able to start VLC as root if we really WANTED to. Don't THINK and take decisions for 3 billions people !

Adrian

Jean-Baptiste Kempf
Site Administrator
Site Administrator
Posts: 37523
Joined: 22 Jul 2005 15:29
VLC version: 4.0.0-git
Operating System: Linux, Windows, Mac
Location: Cone, France
Contact:

Re: Starting vlc-0.9.0 as root

Postby Jean-Baptiste Kempf » 19 Sep 2008 20:09

Yes, use vlc-wrapper then.
Jean-Baptiste Kempf
http://www.jbkempf.com/ - http://www.jbkempf.com/blog/category/Videolan
VLC media player developer, VideoLAN President and Sites administrator
If you want an answer to your question, just be specific and precise. Don't use Private Messages.

dionoea
Cone Master
Cone Master
Posts: 5157
Joined: 03 Dec 2003 23:09
Location: Paris, France

Re: Starting vlc-0.9.0 as root

Postby dionoea » 19 Sep 2008 21:18

If you run it on an embedded system, you're most probably compiling it yourself. You can comment the if (getuid () == 0){ } stuff in bin/vlc.c and it'll run alright.

I hope this helps.

Cheers,

Edit: I've just added a compile time option to VLC to disable the root checking stuff. Use --enable-run-as-root in your configure options. This will be available in all 0.9.3 or later releases.
Antoine Cellerier
dionoea
(Please do not use private messages for support questions)

asergiu
New Cone
New Cone
Posts: 6
Joined: 19 Sep 2008 18:26

Re: Starting vlc-0.9.0 as root

Postby asergiu » 20 Sep 2008 00:37

Ok thx - that was fast and I must admit is an acceptable solution.

I didn't not mean to be very harsh in my message - just wanted to point out what I considered a problem. I did that as the discussion was beginning to develop around the subject in a quite intensive tones. (ou pour les connaisseurs le debat devenait assez aggressive).

Thx again
Adrian

dionoea
Cone Master
Cone Master
Posts: 5157
Joined: 03 Dec 2003 23:09
Location: Paris, France

Re: Starting vlc-0.9.0 as root

Postby dionoea » 20 Sep 2008 15:51

I risked my life adding the option :) Now you guys owe me big time :D
Antoine Cellerier
dionoea
(Please do not use private messages for support questions)

mia1dolfan
New Cone
New Cone
Posts: 2
Joined: 03 Nov 2008 16:42

Re: Starting vlc-0.9.0 as root

Postby mia1dolfan » 03 Nov 2008 17:01

I logged a bug with Ubuntu at https://bugs.launchpad.net/ubuntu/+sour ... bug/293154 to see if they will compile with --enable-run-as-root by default. Their should be a run-time option to allow as run as root. That would protect noobies from the disastrous universal wide calamities that would surely occur otherwise, and not hinder more experienced users.

In the meantime this did the trick...

Code: Select all

apt-get purge vlc apt-get autoremove
I'll use xine and mplayer instead and not provide it as a option for end users on OSX and Windows (for the security dangers of running with administrative priviledges of course!). A shame really, a good program otherwise.

Jean-Baptiste Kempf
Site Administrator
Site Administrator
Posts: 37523
Joined: 22 Jul 2005 15:29
VLC version: 4.0.0-git
Operating System: Linux, Windows, Mac
Location: Cone, France
Contact:

Re: Starting vlc-0.9.0 as root

Postby Jean-Baptiste Kempf » 03 Nov 2008 20:41

No, a distribution shouldn't add that option. If we strongly discourage this options it is because there are good reasons.
Jean-Baptiste Kempf
http://www.jbkempf.com/ - http://www.jbkempf.com/blog/category/Videolan
VLC media player developer, VideoLAN President and Sites administrator
If you want an answer to your question, just be specific and precise. Don't use Private Messages.

Rémi Denis-Courmont
Developer
Developer
Posts: 15265
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux
Contact:

Re: Starting vlc-0.9.0 as root

Postby Rémi Denis-Courmont » 04 Nov 2008 17:09

The distro can add that option if it's going to do the security work that it involves, and which we will not do.
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

mia1dolfan
New Cone
New Cone
Posts: 2
Joined: 03 Nov 2008 16:42

Re: Starting vlc-0.9.0 as root

Postby mia1dolfan » 05 Nov 2008 15:49

Since VLC is cross platform, should you also restrict accounts with administrative access on Windows platform as well? Or is that not a security issue on other platforms? Should I submit a patch to prevent that?


Return to “VLC media player for Linux and friends Troubleshooting”

Who is online

Users browsing this forum: eddsor and 8 guests