Bug #417

videofe must be run as root or it doesn't work

Added by Hammel almost 3 years ago. Updated almost 3 years ago.

Status: Closed
Start date: 16 Dec 2014
Priority: Immediate
Due date:
Assignee: Hammel
% Done: 100%
Category: 04 - Applications
Target version: 0.10.0
Severity: 03 - Medium

Description

If I make videofe a privileged app it works. If I don't, it fails.

If I run omxplayer from a terminal which has been run as user nobody then it works.

This leads me to believe that the problem is that the wrapping xterm for omxplayer is causing the problem when run as user nobody. The xterm is run as group nobody but the terminal has a supplementary group of root.

It's possible the problem is the xterm wrapper doesn't have a proper path for omxplayer when run as user nobody.

Associated revisions

Revision 9a42a69d
Added by Hammel almost 3 years ago

RM #417: Fix owner/group of videofe after installation.

Revision 67c55c16
Added by Hammel almost 3 years ago

RM #417: Fix permissions and ownership of installed files to match launcher requirements.

Revision 85c103c5
Added by Hammel almost 3 years ago

RM #417: Fix ownership of /dev/vchiq so omxplayer can access when it's run as the user nobody.

Revision d8bc1a56
Added by Hammel almost 3 years ago

RM #417: Fix group on vchiq so non-root video players can access it.

History

#1 Updated by Hammel almost 3 years ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 50

I ran various tests and finally, after using strace to run omxplayer, I found that the problem was that omxplayer couldn't open /dev/vchiq, which was root.root and 660. If I changed this device to group nobody then omxplayer worked when videofe was run as nobody.nobody.

So now the question is: should I change the group to nobody for vchiq, change the perms to 664 (if that works) or create a completely different user for that device? If changing it to 664 is enough, that would be the best solution. I don't know if I need write access to the device for omxplayer.

If that doesn't work I think just switching to group nobody would be sufficient. That can be done as part of the postinstall for the omxplayer package.

Note: just tried 644 @ root.root and it failed. So the group has to be nobody.

#2 Updated by Hammel almost 3 years ago

  • % Done changed from 50 to 60

I added the device file group change to the postinst script but that isn't sufficient. The /dev/vchiq device is remade on reboots by the kernel. So the init processing has to handle the device change.

#3 Updated by Hammel almost 3 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 60 to 100

The fix is to change /etc/mdev.conf in the core to include the following line:

vchiq           root:nobody 660

I've tested this on the target and it works. Change committed in pibox core and pushed upstream.

Closing issue.
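
As an added example (not part of the original issue or the PiBox sources), this POSIX shell function reports which access an mdev.conf rule of the form shown in #3 gives an account, run over the three owner/mode combinations tried in the issue. The name access_for and the two non-committed rule lines are constructed; it assumes plain owner/group/other mode bits with no ACLs and no dropped capabilities.

```sh
#!/bin/sh
# Added example: which access does an mdev.conf rule give an account?
# Usage: access_for "<rule line>" <user> "<space-separated groups>"
# Prints "rw", "r-", "-w" or "--".
access_for() {
    rule=$1; user=$2; groups=$3
    set -f                      # device field is a regex; do not glob it
    set -- $rule                # fields: <device> <owner>:<group> <mode>
    set +f
    owner=${2%%:*}; devgroup=${2#*:}; mode=$3
    case $mode in 0???) mode=${mode#0} ;; esac   # accept 0660 as 660
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "bad mode: $mode" >&2; return 2 ;;
    esac
    rest=${mode#?}
    digit=${mode#??}                             # default: "other" class
    for g in $groups; do                         # primary + supplementary
        if [ "$g" = "$devgroup" ]; then digit=${rest%?}; fi
    done
    if [ "$user" = "$owner" ]; then digit=${mode%??}; fi   # owner class wins
    if [ "$user" = "root" ]; then digit=7; fi    # assumption: root bypasses DAC
    if [ $((digit & 4)) -ne 0 ]; then out="r"; else out="-"; fi
    if [ $((digit & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    echo "$out"
}

# Constructed rule lines for the states discussed in the issue; only the
# last one is the line that was committed to /etc/mdev.conf.
for rule in "vchiq root:root 660" "vchiq root:root 644" "vchiq root:nobody 660"; do
    printf '%-24s nobody:nobody -> %s\n' "$rule" \
        "$(access_for "$rule" nobody nobody)"
done
```

Passing "nobody root" as the group list models a process that carries a supplementary group of root, the situation described for the terminal in the issue description.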
