Peertube: Run ffmpeg with reduced privileges

Created on 3 Nov 2018  路  6Comments  路  Source: Chocobozzz/PeerTube

This is a request for a security enhancement: ffmpeg should run as an unprivileged user with minimal access. For example, we could have an "ffmpeg" user and group which has access to the input file, a temporary output directory, and any necessary hardware transcoding features when that's supported.

Currently the ffmpeg process presents a large attack surface, and any vulnerability in ffmpeg automatically confers full peertube server database and filesystem access.

Security Transcoding Type
Source
picture scanlime

Most helpful comment

Or use the FFMPEG_PATH env variable

picture Chocobozzz on 13 Nov 2018
🎉1 👍1

All 6 comments

I remember seeing:

Which involve running ffmpeg with firejail to "sandbox" it using namespaces and seccomp-bpf.
If the shipped profile for ffmpeg with firejail works ootb in peertube too, the only thing needed is to be able to change the path used to the ffmpeg binary.

rhaamo picture rhaamo on 4 Nov 2018
👍2

Paths to ffmpeg and ffprobe binaries can be set via Ffmpeg.setFfmpegPath(path) and Ffmpeg.setFfmpegPath(path) resp.

We already have a function to check available capabilities of the ffmpeg install at the server start. We could simply set the ffmpeg path there.

rigelk picture rigelk on 6 Nov 2018

Or use the FFMPEG_PATH env variable

Chocobozzz picture Chocobozzz on 13 Nov 2018
🎉1 👍1

I'll add a note in the documentation about that last one then :)

rigelk picture rigelk on 13 Nov 2018

I can confirm that using:

Environment=FFMPEG_PATH=/usr/local/bin/jail_ffmpeg
Environment=FFPROBE_PATH=/usr/local/bin/jail_ffprobe

In systemd works for using a custom binary.

When trying firejail I'm hitting others issues but that seems more related to the firejail config itself.

rhaamo picture rhaamo on 13 Nov 2018

Just to bump about firejail and peertube.

There is an issue in firejail because peertube is installed with HOME on /var/www/peertube and firejail expect everything currently to be under /home.
There is a workaround here https://github.com/netblue30/firejail/issues/2259 but it's better to just reinstall peertube under /home instead of playing with symbolic links I think.

I haven't tested further but with /var/www/peertube and the issue I reported, I can definitely say that currently this can't work (unless using /home/peertube)

rhaamo picture rhaamo on 21 Nov 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

kabo picture kabo  路  3Comments
Jorropo picture Jorropo  路  3Comments
tcitworld picture tcitworld  路  3Comments
conferences-gesticulees picture conferences-gesticulees  路  3Comments
ufm picture ufm  路  3Comments