diff --git a/README.md b/README.md index d2936cb..2c0fddb 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,7 @@ 1. Profit! -`rffmpeg` does require a little bit more configuration to work properly however. For a comprehensive installation tutorial based on a reference setup, please see [the SETUP guide](SETUP.md). +`rffmpeg` does require a little bit more configuration to work properly however. For a comprehensive installation tutorial based on a reference setup, please see [the SETUP guide](docs/SETUP.md). **NOTE** Jellyfin 10.10.x and newer require an additional `TMPDIR` environment variable set to somewhere exported to the remote machine, or these paths will not work properly. Edit your Jellyfin startup/service configuration to set that. See the setup guide for more details. @@ -194,4 +194,6 @@ I'm always happy to help, though please ensure you try to follow the setup guide ### `rffmpeg-go` - forked project +NOTICE: project was archived in Oct 27, 2024. + There's also a [fork of this script written in Go](https://github.com/aleksasiriski/rffmpeg-go) with semver tags and binaries available, as well as docker images for both the [script](https://github.com/aleksasiriski/rffmpeg-go/pkgs/container/rffmpeg-go) and [Jellyfin](https://github.com/aleksasiriski/jellyfin-rffmpeg). diff --git a/docs/HARDENING b/docs/HARDENING new file mode 100644 index 0000000..ad7d24d --- /dev/null +++ b/docs/HARDENING 
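Review bot: in the `rffmpeg-go` hunk the added `NOTICE: project was archived in Oct 27, 2024.` should say which project and use "on" for a date, and it sits directly above a paragraph that still recommends the fork's binaries and Docker images; suggest `NOTICE: the rffmpeg-go fork was archived (read-only) on 27 October 2024.` so a reader understands the recommendation that follows is for an unmaintained project. The `docs/SETUP.md` link change in the first hunk matches the rename further down and needs no change.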
@@ -0,0 +1,92 @@ + +*NOTICE* Do not do these tasks until you have a verified working solution + +These were tested and validated on Ubuntu 24.04 LTS, 2025-11-03 + +# Hardening + +- Access for jellyfin user will be limited to jellyfin1 server only +- Commands that jellyfin user can run will be limited to ffmpeg only +- Commands run by jellyfin user will be logged + - (optional) Logs stored in separate log file + +## Prerequisites + +- static IP on the jellyfin1 server + +## Configure SSH server + +SSH server configuration is formed out of two files + +1. `10-jellyfin-limits.conf` - SSH config +2. `limited-wrapper.sh` or `limited-wrapper.py` - a script to limit what commands can be run + +### 10-jellyfin-limits.conf + +This config file does few things +- allows only jellyfin user to SSH from jellyfin server +- limits jellyfin user login options to be only from jellyfin server +- limits the commands jellyfin user can run to `limited-wrapper.py` + +1. Copy `10-jellyfin-limits.conf` to `/etc/ssh/sshd_config.d` +2. Update the IP of the jellyfin server to the file +3. Restart ssh + ```bash + sudo systemctl restart ssh + ``` + +### limited-wrapper.sh and limited-wrapper.py + +This file analyses what commands are being run over SSH and limits them +to the ones we defined. + +1. Update the ALLOWED list to match your `ffmpeg` file locations in the script +2. Copy the script to `/usr/local/bin/limited-wrapper.py` and allow only root to modify it + ```bash + sudo chwon root:root /usr/local/bin/limited-wrapper.py &&\ + sudo chmod 755 /usr/local/bin/limited-wrapper.py + ``` +### Test configuration + +1. Login to your jellyfin1 server and run + ```bash + sudo -u jellyfin ssh jellyfin@transcode1 /usr/bin/ffmpeg + ``` + command should succeed and print out ffmpeg info + +2. 
Run a command that should fail + + ```bash + sudo -u jellyfin ssh jellyfin@transcode1 uname -a + ``` + command should fail and you should see `ERROR: command not allowed.` + + +### Troubleshooting + +#### Permission denied (publickey) + +1. check your auth.log +you should see the IP you are connecting from, make sure it is the same as in your `10-jellyfin-limits.conf` -file. + +## Logging + +All commands run by the jellyfin user are logged to standard syslog (via logger). They can be extracted to their own file. + +### rsyslog config + +File `limited-wrapper-log.conf` creates a rsyslog config to redirect the log entries to a separate file + +1. Update the `limited-wrapper-log.conf` file with the log file name you want. Default is `/var/log/jellyfin_commands.log` +2. Copy the file to /etc/rsyslog.d/ +3. Correct the file rights + ```bash + sudo chown root:root /etc/rsyslog.d/limited-wrapper-log.conf &&\ + sudo chmod 644 /etc/rsyslog.d/limited-wrapper-log.conf + ``` +4. Create the log file + ```bash + sudo touch /var/log/jellyfin_commands.log &&\ + sudo chown syslog:adm /var/log/jellyfin_commands.log &&\ + sudo chmod 664 /var/log/jellyfin_commands.log + ``` \ No newline at end of file diff --git a/SETUP.md b/docs/SETUP.md similarity index 72% rename from SETUP.md rename to docs/SETUP.md index e93b70c..fde0566 100644 --- a/SETUP.md +++ b/docs/SETUP.md 
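Review bot: the install step in `docs/HARDENING` misspells `chown` (`sudo chwon root:root /usr/local/bin/limited-wrapper.py &&\`), so the chained command fails before the `chmod` runs; fix the typo. Three more points in this file: the test `sudo -u jellyfin ssh jellyfin@transcode1 /usr/bin/ffmpeg` is described as "should succeed", but ffmpeg with no arguments prints its banner and exits non-zero, and `/usr/bin/ffmpeg` only exists on transcode1 if the distro ffmpeg is installed (the setup guide installs `jellyfin-ffmpeg6`, which lives under `/usr/lib/jellyfin-ffmpeg/`), so test with `/usr/lib/jellyfin-ffmpeg/ffmpeg -version` instead; the text offers `limited-wrapper.sh` or `limited-wrapper.py` as alternatives while the install step and `10-jellyfin-limits.conf` reference only the `.py` file, so either document both or drop the `.sh` mention; and the summary at the top should state what the wrapper does not protect: the allowed `ffmpeg` still runs as `jellyfin` with the NFS-mounted `${jellyfin_data_path}` (which contains `.ssh/authorized_keys`) writable, so restricting the binary does not restrict which files that user can read or write.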
@@ -12,20 +12,20 @@ This guide is provided as a basic starting point - there are myriad possible com 1. Make note of the Jellyfin service user's details, specifically the UID and any groups (and GIDs) it is a member of; this will be needed later on. - ``` - jellyfin1 $ id jellyfin - uid=110(jellyfin) gid=117(jellyfin) groups=117(jellyfin) +#### jellyfin1 + ```bash + id jellyfin + # should output + # uid=110(jellyfin) gid=117(jellyfin) groups=117(jellyfin) ``` 1. Make note of the Jellyfin data path; this will be needed later on. By default when using native OS packages, this is `/var/lib/jellyfin`. If you choose to move this directory, do so now (I personally use `/srv/jellyfin` but this guide will assume the default). To make life easier below, you can store this in a variable that I will reference frequently later: - ``` - jellyfin1 $ export jellyfin_data_path="/var/lib/jellyfin" - jellyfin1 $ export jellyfin_cache_path="/var/lib/jellyfin" - transcode1 $ export jellyfin_data_path="/var/lib/jellyfin" - transcode1 $ export jellyfin_cache_path="/var/lib/jellyfin" + ```bash + export jellyfin_data_path="/var/lib/jellyfin" + export jellyfin_cache_path="/var/cache/jellyfin" ``` The important subdirectories for `rffmpeg`'s operation are: 
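Review bot: the new `#### jellyfin1` heading in the `@@ -12,20` hunk is at column 0 between the list item's text and its fenced block, which terminates the numbered list in Markdown and leaves the fence and the next `1.` item detached from it; put the host name in the item text or as an indented bold line rather than a heading. The correction of `jellyfin_cache_path` to `/var/cache/jellyfin` is right and now agrees with the `/etc/exports` and mount examples later in the guide; since the same two `export` lines are repeated at the start of the transcode section, add a sentence here that the variables are per-shell and must be set again on each host.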
@@ -41,20 +41,20 @@ This guide is provided as a basic starting point - there are myriad possible com 1. Create an SSH keypair to use for `rffmpeg`'s login to the remote server. For ease of use with the following steps, use the Jellyfin service user (`jellyfin`) to create the keypair and store it under its home directory (the Jellyfin data path above). I use `rsa` here but you can substitute `ed25519` instead (avoid `dsa` and `ecdsa` for reasons I won't get into here). Once done, copy the public key to `authorized_keys` which will be used to authenticate the key later. - ``` - jellyfin1 $ sudo -u jellyfin mkdir ${jellyfin_data_path}/.ssh - jellyfin1 $ sudo chmod 700 ${jellyfin_data_path}/.ssh - jellyfin1 $ export keytype="rsa" - jellyfin1 $ sudo -u jellyfin ssh-keygen -t ${keytype} -f ${jellyfin_data_path}/.ssh/id_${keytype} - jellyfin1 $ sudo -u jellyfin cp -a ${jellyfin_data_path}/.ssh/id_${keytype}.pub ${jellyfin_data_path}/.ssh/authorized_keys + ```bash + export keytype="rsa" &&\ + sudo -u jellyfin mkdir ${jellyfin_data_path}/.ssh &&\ + sudo chmod 700 ${jellyfin_data_path}/.ssh &&\ + sudo -u jellyfin ssh-keygen -t ${keytype} -f ${jellyfin_data_path}/.ssh/id_${keytype} &&\ + sudo -u jellyfin cp -a ${jellyfin_data_path}/.ssh/id_${keytype}.pub ${jellyfin_data_path}/.ssh/authorized_keys ``` It is important that you do not alter the permissions under this `.ssh` directory or this can cause SSH to fail later. The SSH *must* occur as the `jellyfin` user for this to work. 1. Scan and save the SSH host key of the transcode server(s), to avoid a prompt later: - ``` - jellyfin1 $ ssh-keyscan transcode1 | sudo -u jellyfin tee -a ${jellyfin_data_path}/.ssh/known_hosts + ```bash + ssh-keyscan transcode1 | sudo -u jellyfin tee -a ${jellyfin_data_path}/.ssh/known_hosts ``` * **NOTE:** Ensure you use the exact name here that you will use in `rffmpeg`. If this is an FQDN (e.g. `jellyfin1.mydomain.tld`) or an IP (e.g. 
`192.168.0.101`) instead of a short name, use that instead in this command, or repeat it for every possible option (it doesn't hurt). 
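Review bot: the `ssh-keyscan transcode1 | sudo -u jellyfin tee -a ${jellyfin_data_path}/.ssh/known_hosts` step in the `@@ -41,20` hunk trusts whatever host key answers on the first connection; add a sentence telling the reader to compare the fingerprint with the output of `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` (or the rsa file) run on transcode1 before accepting it. Minor: `&&` at the end of a line already continues the command, so the `&&\` form is redundant throughout the patch, and `sudo -u jellyfin mkdir ${jellyfin_data_path}/.ssh` without `-p` makes the whole chain abort on a second run when the directory already exists.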
@@ -63,37 +63,35 @@ This guide is provided as a basic starting point - there are myriad possible com 1. Install the required Python3 dependencies of `rffmpeg`: - ``` - jellyfin1 $ sudo apt -y install python3-yaml - jellyfin1 $ sudo apt -y install python3-click - jellyfin1 $ sudo apt -y install python3-subprocess + ```bash + sudo apt -y install python3-yaml python3-click python3-subprocess ``` * **NOTE:** On some Ubuntu versions, `python3-subprocess` does not exist, and should instead be part of the Python standard library. Skip installing this package if it can't be found. -1. Clone the `rffmpeg` repository somewhere onto the system, then install the `rffmpeg` binary, make it executable, and prepare symlinks for the command names `ffmpeg` and `ffprobe` to it. I recommend storing these in `/usr/local/bin` for simplicity and so that they are present on the default `$PATH` for most users. +2. Clone the `rffmpeg` repository somewhere onto the system, then install the `rffmpeg` binary, make it executable, and prepare symlinks for the command names `ffmpeg` and `ffprobe` to it. I recommend storing these in `/usr/local/bin` for simplicity and so that they are present on the default `$PATH` for most users. - ``` - jellyfin1 $ git clone https://github.com/joshuaboniface/rffmpeg # or download the files manually - jellyfin1 $ sudo cp rffmpeg/rffmpeg /usr/local/bin/rffmpeg - jellyfin1 $ sudo chmod +x /usr/local/bin/rffmpeg - jellyfin1 $ sudo ln -s /usr/local/bin/rffmpeg /usr/local/bin/ffmpeg - jellyfin1 $ sudo ln -s /usr/local/bin/rffmpeg /usr/local/bin/ffprobe + ```bash + git clone https://github.com/joshuaboniface/rffmpeg # or download the files manually + sudo cp rffmpeg/rffmpeg /usr/local/bin/rffmpeg &&\ + sudo chmod +x /usr/local/bin/rffmpeg &&\ + sudo ln -s /usr/local/bin/rffmpeg /usr/local/bin/ffmpeg &&\ + sudo ln -s /usr/local/bin/rffmpeg /usr/local/bin/ffprobe ``` -1. 
Optional: Create a directory for the `rffmpeg` configuration at `/etc/rffmpeg`, then copy `rffmpeg.yml.sample` to `/etc/rffmpeg/rffmpeg.yml` and edit it to suit your needs if required. Generally, if you're following this guide exactly, you will not need to install this file or adjust anything in in it. If you do require help though, I require debug logging to be enabled via the configuration file, so it's probably best to get this out of the way when installing `rffmpeg`: +3. Optional: Create a directory for the `rffmpeg` configuration at `/etc/rffmpeg`, then copy `rffmpeg.yml.sample` to `/etc/rffmpeg/rffmpeg.yml` and edit it to suit your needs if required. Generally, if you're following this guide exactly, you will not need to install this file or adjust anything in in it. If you do require help though, I require debug logging to be enabled via the configuration file, so it's probably best to get this out of the way when installing `rffmpeg`: - ``` - jellyfin1 $ sudo mkdir -p /etc/rffmpeg - jellyfin1 $ sudo cp rffmpeg/rffmpeg.yml.sample /etc/rffmpeg/rffmpeg.yml - jellyfin1 $ sudo $EDITOR /etc/rffmpeg/rffmpeg.yml # if required + ```bash + sudo mkdir -p /etc/rffmpeg &&\ + sudo cp rffmpeg/rffmpeg.yml.sample /etc/rffmpeg/rffmpeg.yml &&\ + sudo $EDITOR /etc/rffmpeg/rffmpeg.yml # if required ``` -1. Initialize `rffmpeg` (note the `sudo` command) and add at the target host to it. You can add other hosts now or later, and set weights of hosts, if required; for full details see the [main README](README.md) or run `rffmpeg --help` to view the CLI help menu. +5. Initialize `rffmpeg` (note the `sudo` command) and add at the target host to it. You can add other hosts now or later, and set weights of hosts, if required; for full details see the [main README](../README.md) or run `rffmpeg --help` to view the CLI help menu. 
- ``` - jellyfin1 $ sudo rffmpeg init --yes - jellyfin1 $ rffmpeg add --weight 1 transcode1 + ```bash + sudo rffmpeg init --yes &&\ + rffmpeg add --weight 1 transcode1 ``` ### NFS Setup @@ -102,11 +100,11 @@ This guide is provided as a basic starting point - there are myriad possible com 1. Install the NFS kernel server. We will use NFS to export the various required directories so the transcode machine can read from and write to them. - ``` - jellyfin1 $ sudo apt -y install nfs-kernel-server + ```bash + sudo apt -y install nfs-kernel-server ``` -1. Create an `/etc/exports` configuration. What to put here can vary a lot, but here are some important points: +2. Create an `/etc/exports` configuration. What to put here can vary a lot, but here are some important points: * Always export the `${jellyfin_data_path}` in full. Advanced users might be able to export the required subdirectories individually, but I find this to be not worth the hassle. * Note the security options of NFS. It will limit mounts to the IP addresses specified. If your home network is secure, you can use the entire network, e.g. `192.168.0.0/24`, but I would recommend determining the exact IP of your transcode server(s) and use them explicitly, e.g. for this example `192.168.0.101` and `192.168.0.102`. @@ -115,7 +113,7 @@ This guide is provided as a basic starting point - there are myriad possible com An example `/etc/exports` file would look like this: - ``` + ```text # /etc/exports: the access control list for filesystems which may be exported # to NFS clients. See exports(5). # 
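Review bot: collapsing the installs into `sudo apt -y install python3-yaml python3-click python3-subprocess` in the `@@ -63,37` hunk means the whole command fails when `python3-subprocess` is not found, because apt aborts the transaction on an unknown package; since the note below already says `subprocess` is part of the standard library, drop that package from the line instead of telling readers to skip it. The explicit numbering in this hunk goes 1, 2, 3, 5 (the `Initialize` step is `+5.`), and that step still reads "add at the target host", which should be "add the target host".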
@@ -129,11 +127,14 @@ This guide is provided as a basic starting point - there are myriad possible com /srv/mymedia 192.168.0.101/32(rw,sync,no_subtree_check,no_root_squash) 192.168.0.102/32(rw,sync,no_subtree_check,no_root_squash) ``` -1. Reload the exports file and ensure the NFS server is properly exporting it now: +3. Reload the exports file and ensure the NFS server is properly exporting it now: + ```bash + sudo exportfs -arfv + sudo exportfs ``` - jellyfin1 $ sudo exportfs -arfv - jellyfin1 $ sudo exportfs + should output something like + ```text /var/lib/jellyfin 192.168.0.101/32 /var/lib/jellyfin 192.168.0.102/32 /var/cache/jellyfin 192.168.0.101/32 
@@ -142,57 +143,70 @@ This guide is provided as a basic starting point - there are myriad possible com ## Set up the transcode server (`transcode1`) +setup the temporary convenience variables + +```bash +export jellyfin_data_path="/var/lib/jellyfin" +export jellyfin_cache_path="/var/cache/jellyfin" +``` + 1. Install and configure anything you need for hardware transcoding, if applicable. For example GPU drivers if using a GPU for transcoding. - * **NOTE:** Make sure you understand the caveats of using hardware transcoding with `rffmpeg` from [the main README](README.md#hardware-acceleration). + * **NOTE:** Make sure you understand the caveats of using hardware transcoding with `rffmpeg` from [the main README](../README.md#hardware-acceleration). -1. Install the correct `jellyfin-ffmpeg` package for your version of Jellyfin; check which version is installed on your `jellyfin1` system with `dpkg -l | grep jellyfin-ffmpeg`, then install that version on this host too; follow the same steps as you would to install Jellyfin on the media server, only don't install `jellyfin` (and `jellyfin-server`/`jellyfin-web`) itself, just the `jellyfin-ffmpeg` of the required version. +2. Install the correct `jellyfin-ffmpeg` package for your version of Jellyfin; check which version is installed on your `jellyfin1` system with `dpkg -l | grep jellyfin-ffmpeg`, then install that version on this host too; follow the same steps as you would to install Jellyfin on the media server, only don't install `jellyfin` (and `jellyfin-server`/`jellyfin-web`) itself, just the `jellyfin-ffmpeg` of the required version. 
+ in jellyfin1 + ```bash + dpkg -l | grep jellyfin-ffmpeg + # ii jellyfin-ffmpeg6 6.0.1-8-bookworm amd64 Tools for transcoding, streaming and playing of multimedia files ``` - jellyfin1 $ dpkg -l | grep jellyfin-ffmpeg - ii jellyfin-ffmpeg6 6.0.1-8-bookworm amd64 Tools for transcoding, streaming and playing of multimedia files - transcode1 $ sudo apt -y install curl gnupg - transcode1 $ curl -fsSL https://repo.jellyfin.org/ubuntu/jellyfin_team.gpg.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/jellyfin.gpg - transcode1 $ echo "deb [arch=$( dpkg --print-architecture )] https://repo.jellyfin.org/$( awk -F'=' '/^ID=/{ print $NF }' /etc/os-release ) $( awk -F'=' '/^VERSION_CODENAME=/{ print $NF }' /etc/os-release ) main" | sudo tee /etc/apt/sources.list.d/jellyfin.list - transcode1 $ sudo apt update - transcode1 $ sudo apt install jellyfin-ffmpeg6 + in transcode1 + ```bash + sudo apt -y install curl gnupg &&\ + curl -fsSL https://repo.jellyfin.org/ubuntu/jellyfin_team.gpg.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/jellyfin.gpg &&\ + echo "deb [arch=$( dpkg --print-architecture )] https://repo.jellyfin.org/$( awk -F'=' '/^ID=/{ print $NF }' /etc/os-release ) $( awk -F'=' '/^VERSION_CODENAME=/{ print $NF }' /etc/os-release ) main" | sudo tee /etc/apt/sources.list.d/jellyfin.list &&\ + sudo apt update &&\ + sudo apt install -y jellyfin-ffmpeg6 ``` -1. Install the NFS client utilities: +3. Install the NFS client utilities: - ``` - transcode1 $ sudo apt install -y nfs-common + ```bash + sudo apt install -y nfs-common ``` -1. Create the Jellyfin service user and its default group; ensure you use the exact same UID and GID values you found in the beginning of the last section and adjust the example here to match yours: +4. 
Create the Jellyfin service user and its default group; ensure you use the exact same UID and GID values you found in the beginning of the last section and adjust the example here to match yours: - ``` - transcode1 $ sudo groupadd --gid 117 jellyfin - transcode1 $ sudo useradd --uid 110 --gid jellyfin --shell /bin/bash --no-create-home --home-dir ${jellyfin_data_path} jellyfin + ```bash + sudo groupadd --gid 117 jellyfin &&\ + sudo useradd --uid 110 --gid jellyfin --shell /bin/bash --no-create-home --home-dir ${jellyfin_data_path} jellyfin ``` * **NOTE:** For some hardware acceleration, you might need to add this user to additional groups. For example `--groups video,render`. * **NOTE:** The UID and GIDs here are dynamic; on the `jellyfin1` machine, they would have been selected automatically at install time with the next available ID in the range 100-199 (at least in Debian/Ubuntu). However, this means that the exact UID of your Jellyfin service user might not be available on your transcode server, depending on what packages are installed and in what order. If there is a conflict, you must adjust user IDs on one side or the other so that they match on both machines. You can use `sudo usermod` to change a user's ID if required. -1. Create the Jellyfin data directory at the same location as on the media server, and set it immutable so that it won't be written to if the NFS mount goes down: +5. Create the Jellyfin directories at the same location as on the media server, and set it immutable so that it won't be written to if the NFS mount goes down: - ``` - transcode1 $ sudo mkdir ${jellyfin_data_path} - transcode1 $ sudo chattr +i ${jellyfin_data_path} + ```bash + for file in ${jellyfin_data_path} ${jellyfin_cache_path}; do + sudo mkdir ${file} &&\ + sudo chattr +i ${file} + done ``` * **NOTE:** Don't worry about permissions here; the mount will set those. -1. Create the NFS client mount. There are two main ways to do this: +6. Create the NFS client mount. 
There are two main ways to do this: * Use the traditional `/etc/fstab` by adding a new entry like so, replacing the paths and hostname as required, and then mounting it: - ``` - transcode1 $ echo "jellyfin1:${jellyfin_data_path} ${jellyfin_data_path} nfs defaults,vers=3,sync" | sudo tee -a /etc/fstab - transcode1 $ echo "jellyfin1:${jellyfin_cache_path} ${jellyfin_cache_path} nfs defaults,vers=3,sync" | sudo tee -a /etc/fstab - transcode1 $ sudo mount ${jellyfin_data_path} - transcode1 $ sudo mount ${jellyfin_cache_path} + ```bash + echo "jellyfin1:${jellyfin_data_path} ${jellyfin_data_path} nfs defaults,vers=3,sync" | sudo tee -a /etc/fstab &&\ + echo "jellyfin1:${jellyfin_cache_path} ${jellyfin_cache_path} nfs defaults,vers=3,sync" | sudo tee -a /etc/fstab &&\ + sudo mount ${jellyfin_data_path} &&\ + sudo mount ${jellyfin_cache_path} ``` * Use a SystemD `mount` unit, which is a newer way of doing mounts with SystemD. I personally prefer this method as I find it easier to set up automatically, but this is up to preference. An example based on mine would be: 
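Review bot: the repository key in the `@@ -142,57` hunk is installed with `gpg --dearmor -o /etc/apt/trusted.gpg.d/jellyfin.gpg`, which makes the Jellyfin key trusted for every apt source on transcode1, not only the Jellyfin repo; write it to `/etc/apt/keyrings/jellyfin.gpg` and add `signed-by=/etc/apt/keyrings/jellyfin.gpg` inside the `[...]` options of the `deb` line so the key can only authenticate that repository. Smaller points in the same hunk: "setup the temporary convenience variables" should be "Set up ..."; "in jellyfin1" / "in transcode1" read better as "on jellyfin1" / "on transcode1"; and the `sudo mkdir ${file} &&\ sudo chattr +i ${file}` loop aborts if either directory already exists, so use `mkdir -p` and quote `"${file}"`.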
@@ -233,38 +247,38 @@ This guide is provided as a basic starting point - there are myriad possible com Once the unit file is created, you can then reload the unit list and mount it: - ``` - transcode1 $ sudo systemctl daemon-reload - transcode1 $ sudo systemctl enable --now var-lib-jellyfin.mount - transcode1 $ sudo systemctl enable --now var-cache-jellyfin.mount + ```bash + sudo systemctl daemon-reload &&\ + sudo systemctl enable --now var-lib-jellyfin.mount &&\ + sudo systemctl enable --now var-cache-jellyfin.mount ``` Note that mount units are fairly "new" and can be a bit finicky, be sure to read the SystemD documentation if you get stuck! Generally for new users, I'd recommend the `/etc/fstab` method instead. **NOTE:** Don't forget about `actimeo=1` here if you need it! -1. Mount your media directories in the **same location(s)** as on the media server. If you exported them via NFS from your media server, use the process above only for those directories instead. +7. Mount your media directories in the **same location(s)** as on the media server. If you exported them via NFS from your media server, use the process above only for those directories instead. ## Test the setup 1. On the media server, verify that SSH as the Jellyfin service user is working as expected to each transcoding server: - ``` - jellyfin1 $ sudo -u jellyfin ssh -i ${jellyfin_data_path}/.ssh/id_rsa jellyfin@transcode1 uname -a - Linux transcode1 [...] + ```bash + sudo -u jellyfin ssh -i ${jellyfin_data_path}/.ssh/id_rsa jellyfin@transcode1 uname -a + # Linux transcode1 [...] ``` 1. Validate that `rffmpeg` itself is working by calling its `ffmpeg` and `ffprobe` aliases with the `-version` option: - ``` - jellyfin1 $ sudo -u jellyfin /usr/local/bin/ffmpeg -version - ffmpeg version 5.0.1-Jellyfin Copyright (c) 2000-2022 the FFmpeg developers - built with gcc 10 (Debian 10.2.1-6) - [...] 
- jellyfin1 $ sudo -u jellyfin /usr/local/bin/ffprobe -version - ffprobe version 5.0.1-Jellyfin Copyright (c) 2007-2022 the FFmpeg developers - built with gcc 10 (Debian 10.2.1-6) - [...] + ```bash + sudo -u jellyfin /usr/local/bin/ffmpeg -version + # ffmpeg version 5.0.1-Jellyfin Copyright (c) 2000-2022 the FFmpeg developers + # built with gcc 10 (Debian 10.2.1-6) + # [...] + sudo -u jellyfin /usr/local/bin/ffprobe -version + # ffprobe version 5.0.1-Jellyfin Copyright (c) 2007-2022 the FFmpeg developers + # built with gcc 10 (Debian 10.2.1-6) + # [...] ``` As long as these steps work, all further steps should as well. If one of these *doesn't* work, double-check all previous steps and confirm that everything is set up right. @@ -275,8 +289,8 @@ As long as these steps work, all further steps should as well. If one of these * 1. On the `jellyfin1` system, edit `/etc/default/jellyfin`: - ``` - jellyfin1 $ sudo $EDITOR /etc/default/jellyfin + ```bash + sudo $EDITOR /etc/default/jellyfin ``` 1. Change the value of `JELLYFIN_FFMPEG_OPT` to be `--ffmpeg=/usr/local/bin/ffmpeg` (the `rffmpeg` alias name `ffmpeg` in whatever path you installed `rffmpeg` to). @@ -285,8 +299,8 @@ As long as these steps work, all further steps should as well. If one of these * 1. Save the file and restart Jellyfin: - ``` - jellyfin1 $ sudo systemctl restart jellyfin + ```bash + sudo systemctl restart jellyfin ``` If you wish to use hardware transcoding, you must also enable it in Jellyfin's WebUI: 
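Review bot: the SSH test in the `@@ -233,38` hunk, `sudo -u jellyfin ssh -i ${jellyfin_data_path}/.ssh/id_rsa jellyfin@transcode1 uname -a`, hard-codes `id_rsa` although the key step lets the reader pick `${keytype}`, and it will be rejected with `ERROR: command not allowed.` once the `docs/HARDENING` wrapper is installed, because `uname` is not on its ALLOWED list; use `-i ${jellyfin_data_path}/.ssh/id_${keytype}` and test with `/usr/lib/jellyfin-ffmpeg/ffmpeg -version`, which passes both before and after hardening. The two `/etc/default/jellyfin` hunks that follow only change the fence language and need nothing.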
@@ -303,15 +317,19 @@ Now, run `rffmpeg log -f` on the `jellyfin1` machine and try to play a video tha If you are using NVEnv/NVDec, you will need to symlink the `.nv` folder inside the Jellyfin user's homedir (i.e. `/var/lib/jellyfin/.nv`) to somewhere outside of the NFS volume on both the Jellyfin and transcoding hosts. For example: +on jellyfin1 + ```bash + sudo mv /var/lib/jellyfin/.nv /var/lib/nvidia-cache # or "sudo mkdir /var/lib/nvidia-cache" and "sudo chown jellyfin /var/lib/nvidia-cache" if it does not yet exist + sudo ln -s /var/lib/nvidia-cache /var/lib/jellyfin/.nv ``` - jellyfin1 $ sudo mv /var/lib/jellyfin/.nv /var/lib/nvidia-cache # or "sudo mkdir /var/lib/nvidia-cache" and "sudo chown jellyfin /var/lib/nvidia-cache" if it does not yet exist - jellyfin1 $ sudo ln -s /var/lib/nvidia-cache /var/lib/jellyfin/.nv - transcode1 $ sudo mkdir /var/lib/nvidia-cache - transcode1 $ sudo chown jellyfin /var/lib/nvidia-cache - transcode1 $ ls -alh /var/lib/jellyfin - [...] - lrwxrwxrwx 1 root root 17 Jun 11 15:51 .nv -> /var/lib/nvidia-cache - [...] + on transcode1 + ```bash + sudo mkdir /var/lib/nvidia-cache + sudo chown jellyfin /var/lib/nvidia-cache + ls -alh /var/lib/jellyfin + #[...] + #lrwxrwxrwx 1 root root 17 Jun 11 15:51 .nv -> /var/lib/nvidia-cache + #[...] ``` Be sure to adjust these paths to match your Jellyfin setup. The name of the target doesn't matter too much, as long as `.nv` inside the homedir is symlinked to it and it is owned by the `jellyfin` service user. diff --git a/hardening/10-jellyfin-limits.conf b/hardening/10-jellyfin-limits.conf new file mode 100644 index 0000000..f431dea --- /dev/null +++ b/hardening/10-jellyfin-limits.conf 
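Review bot: the two host labels added in the `@@ -303,15` hunk are indented differently (`+on jellyfin1` at column 0, `+ on transcode1` indented like the fences), so one renders inside the surrounding indented block and the other outside it; indent both the same way. The commands themselves are unchanged from the previous version.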
@@ -0,0 +1,13 @@ +# Limit jellyfin access +# IPJELLYFIN is our Jellyfin server + +Match Address IPJELLYFIN + AllowUsers jellyfin@IPJELLYFIN + +Match User jellyfin, Address IPJELLYFIN + AllowUsers jellyfin@IPJELLYFIN + ForceCommand /usr/local/bin/limited-wrapper.py + PermitTTY no + X11Forwarding no + AllowAgentForwarding no + AllowTcpForwarding no \ No newline at end of file diff --git a/hardening/limited-wrapper-log.conf b/hardening/limited-wrapper-log.conf new file mode 100644 index 0000000..ff812e2 --- /dev/null +++ b/hardening/limited-wrapper-log.conf @@ -0,0 +1,3 @@ +# Match the tag *including* the trailing colon +:syslogtag, startswith, "limited-wrapper" /var/log/jellyfin_commands.log +& stop \ No newline at end of file diff --git a/hardening/limited-wrapper.py b/hardening/limited-wrapper.py new file mode 100644 index 0000000..5e89c97 --- /dev/null +++ b/hardening/limited-wrapper.py 
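Review bot: `10-jellyfin-limits.conf` does not enforce the "jellyfin may only log in from the Jellyfin server" rule it is described as implementing, because `AllowUsers` and `ForceCommand` placed inside a `Match` block apply only to connections that match it: from any address other than IPJELLYFIN neither block matches, no `AllowUsers` is in force, and `jellyfin` (whose private key sits on the NFS-exported home directory) gets an unrestricted shell with no wrapper, TTY allowed and forwarding allowed. Fix by putting `ForceCommand`, `PermitTTY no` and the three forwarding options under a plain `Match User jellyfin` so the wrapper applies from every source, and enforce the source address separately, either with a top-level `AllowUsers jellyfin@IPJELLYFIN <admin accounts>` outside any Match (listing every account that must keep SSH access, otherwise the administrator is locked out) or with `from="IPJELLYFIN"` on the key in the jellyfin `authorized_keys`. Two smaller points: `Match User jellyfin, Address IPJELLYFIN` should be `Match User jellyfin Address IPJELLYFIN`, since Match criteria are whitespace-separated and the comma is read as part of the user pattern list (it only works because the first entry matches); and the first block, `Match Address IPJELLYFIN` with `AllowUsers jellyfin@IPJELLYFIN`, also blocks every other account from the Jellyfin host's IP, which matches the HARDENING text but deserves a comment in the file. The file also lacks a trailing newline.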
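Review bot: in `limited-wrapper-log.conf` the comment says the match includes the trailing colon while the pattern `"limited-wrapper"` does not, and that mismatch is what makes the rule work: rsyslog's `syslogtag` property is `limited-wrapper.py:` or `limited-wrapper.sh:`, so `startswith, "limited-wrapper"` catches both wrappers; reword the comment to say so. Ordering matters for the `& stop` line: on Ubuntu's default layout `/etc/rsyslog.d/*.conf` is included in sorted order and `50-default.conf` (which writes `*.*` to `/var/log/syslog`) sorts before `limited-wrapper-log.conf`, so the entries land in `syslog` as well before this rule runs; name the file so it sorts earlier, e.g. `10-limited-wrapper-log.conf`, if the separate file is meant to be the only destination. The file lacks a trailing newline.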
@@ -0,0 +1,152 @@ +#!/usr/bin/env python3 +"""limited-wrapper.py + +Author: GPT-OSS:120b +Version: 1.1.0 +Date: 2025-11-03 + +Python 3 implementation of the limited-wrapper.sh script. +It restricts SSH command execution to a whitelist of allowed binaries +and logs activity either to the console (interactive) or to syslog. + +History + 1.0.0 - 2025-11-03, initial version + +""" + +import os +import sys +import shlex +import logging +import logging.handlers +from typing import List + +# --------------------------------------------------------------------------- +# Logging utilities +# --------------------------------------------------------------------------- + +def _setup_logger() -> logging.Logger: + logger = logging.getLogger("limited-wrapper.py") + logger.setLevel(logging.DEBUG) # Capture all levels; handlers will filter + # Ensure no duplicate handlers if the module is reloaded + logger.handlers.clear() + + if sys.stdout.isatty(): + # Interactive TTY – simple console output without timestamp or level prefix + console = logging.StreamHandler(sys.stdout) + console.setLevel(logging.INFO) + console.setFormatter(logging.Formatter("%(message)s")) + logger.addHandler(console) + else: + # Non‑interactive – forward to syslog. Let syslog generate its own timestamp, + # hostname, and program identifier (the logger name). No extra formatter is + # needed to avoid adding the PID or duplicate timestamps. + try: + syslog = logging.handlers.SysLogHandler(address="/dev/log") + except OSError: + # Fallback for systems without /dev/log (e.g., macOS) + syslog = logging.handlers.SysLogHandler(address=("localhost", 514)) + syslog.setLevel(logging.DEBUG) + # Prefix with logger name (script tag) to match original format + syslog.setFormatter(logging.Formatter("%(name)s: %(message)s")) + logger.addHandler(syslog) + return logger + +_logger = _setup_logger() + + +def log_msg(level: str, *msg: str) -> None: + """Log a message with an explicit level prefix. 
+ + The original Bash implementation prefixed the log line with the level + (e.g. ``DEBUG`` or ``INFO``) before sending it to syslog. To preserve that + format we construct ``full_msg = f"{level.upper()} {text}"`` and log the + resulting string. This ensures syslog entries look like: + ``limited-wrapper.sh: DEBUG `` while interactive console output + remains readable. + """ + text = " ".join(msg) + level = level.upper() + full_msg = f"{level} {text}" + if level == "DEBUG": + _logger.debug(full_msg) + elif level == "INFO": + _logger.info(full_msg) + elif level in ("WARN", "WARNING"): + _logger.warning(full_msg) + elif level == "ERROR": + _logger.error(full_msg) + else: + _logger.info(full_msg) + + +def log_debug(*msg: str) -> None: + log_msg("DEBUG", *msg) + + +def log_info(*msg: str) -> None: + log_msg("INFO", *msg) + + +def log_warn(*msg: str) -> None: + log_msg("WARN", *msg) + + +def log_error(*msg: str) -> None: + log_msg("ERROR", *msg) + +# --------------------------------------------------------------------------- +# Whitelist of absolute paths to allowed binaries +# --------------------------------------------------------------------------- +ALLOWED: List[str] = [ + "/usr/bin/ffmpeg", + "/usr/bin/ffprobe", + "/usr/local/bin/ffmpeg", + "/usr/local/bin/ffprobe", + "/usr/lib/jellyfin-ffmpeg/ffmpeg", + "/usr/lib/jellyfin-ffmpeg/ffprobe", +] + + +def main() -> None: + req_cmd = os.getenv("SSH_ORIGINAL_COMMAND", "") + if not req_cmd: + # No command supplied – show the whitelist and exit successfully + print("You may run only: " + " ".join(ALLOWED)) + sys.exit(0) + + # Parse the command string respecting shell quoting (handles spaces in arguments) + # Using shlex.split provides proper handling of quoted arguments, unlike the + # original bash script which split on whitespace only. 
+ try: + args = shlex.split(req_cmd, posix=True) + except ValueError as e: + log_error(f"Failed to parse SSH_ORIGINAL_COMMAND: {e}") + print("ERROR: could not parse command.") + sys.exit(1) + + if not args: + log_error("Empty command after parsing.") + print("ERROR: empty command.") + sys.exit(1) + + bin_path = os.path.realpath(args[0]) + log_debug(f"Checking for bin {bin_path}") + + if bin_path in ALLOWED: + log_info(f"Running command {req_cmd}") + # Ensure the argument list uses the resolved binary path as argv[0] + args[0] = bin_path + # Replace the current process with the requested command without PATH lookup + os.execv(bin_path, args) + # execv only returns on failure + log_error(f"Failed to exec {req_cmd}") + sys.exit(1) + else: + log_error(f"Not allowed {req_cmd}") + print("ERROR: command not allowed.") + sys.exit(1) + + +if __name__ == "__main__": + main() diff --git a/hardening/limited-wrapper.sh b/hardening/limited-wrapper.sh new file mode 100755 index 0000000..26cb603 --- /dev/null +++ b/hardening/limited-wrapper.sh 
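Review bot: in `limited-wrapper.py` the `log_error(f"Failed to exec {req_cmd}")` and `sys.exit(1)` after `os.execv(bin_path, args)` are unreachable, because `os.execv` raises `OSError` on failure rather than returning; wrap the call in `try: ... except OSError as e:` and log `e` there. Second, the rejection messages are written with `print()` to stdout, which Jellyfin parses when the command is `ffprobe`; send `ERROR: ...` lines to `sys.stderr` so a refusal cannot be read as tool output. Documentation points: the `log_msg` docstring says syslog entries look like `limited-wrapper.sh: DEBUG` but the logger name is `limited-wrapper.py`; `Version: 1.1.0` is declared while `History` only lists 1.0.0; and it is worth a comment at the `shlex.split` / `os.execv` pair that this is the property that makes the wrapper safe: no shell re-parses `SSH_ORIGINAL_COMMAND`, so `;`, `|`, `$(...)` and redirections reach ffmpeg as literal arguments instead of being executed. The `os.path.realpath(args[0])` check fails closed for a bare `ffmpeg` (it resolves against the home directory and is not in ALLOWED), which is fine but should also be commented.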
@@ -0,0 +1,87 @@ +#!/usr/bin/env bash +set -euo pipefail # safer defaults + +# Author: Juha Leivo +# Version: 1.1.0 +# Date: 2025-11-03 +# +# Prevent unauthorized SSH command execution by allowing only a limited set of binaries. +# +# History +# 1.0.0 - 2025-11-02, initial version +# 1.1.0 - 2025-11-03, moved to use logging 1.0.0 + +# Function to log messages both to TTY and to a logfile in syslog format +# Ref logging.sh version 1.0.0 +log_msg() { + local level="$1" + shift + # Concatenate all arguments into a single string + local msg="$*" + + # Map level to syslog priority + local prio="notice" + case "$level" in + INFO) prio="info" ;; + WARN) prio="warning" ;; + ERROR) prio="err" ;; + DEBUG) prio="debug" ;; + *) prio="notice" + msg="$level $msg" ;; + esac + + if [ -t 1 ]; then + # Interactive TTY: print plain message without level prefix + echo "$msg" + else + # Non‑interactive: send to syslog + logger -p user.$prio -t "$(basename "$0")" "$level $msg" + fi +} + +log_debug() { log_msg DEBUG "$@"; } +log_info() { log_msg INFO "$@"; } +log_warn() { log_msg WARN "$@"; } +log_error() { log_msg ERROR "$@"; } +# ------------------------------------------------------------------ +# Whitelist of absolute paths to allowed binaries +ALLOWED=( + /usr/bin/ffmpeg + /usr/bin/ffprobe + /usr/local/bin/ffmpeg + /usr/local/bin/ffprobe + /usr/lib/jellyfin-ffmpeg/ffmpeg + /usr/lib/jellyfin-ffmpeg/ffprobe +) + +# ------------------------------------------------------------------ +REQ_CMD="${SSH_ORIGINAL_COMMAND:-}" +if [[ -z "$REQ_CMD" ]]; then + echo "You may run only: ${ALLOWED[*]}" + exit 0 +fi + +# Split the command into an array preserving quoting +read -r -a ARGS <<<"$REQ_CMD" +BIN="${ARGS[0]}" + +# Resolve symlinks if possible +if command -v realpath >/dev/null; then + BIN=$(realpath -m "$BIN") +else + BIN=$(readlink -f "$BIN" 2>/dev/null || echo "$BIN") +fi + +log_debug "Checking for bin $BIN" + +# Whitelist check +for ok in "${ALLOWED[@]}"; do + if [[ "$BIN" == "$ok" ]]; 
then + log_info "Running command $REQ_CMD" + eval "exec $REQ_CMD" + fi +done + +log_error "Not allowed $REQ_CMD" +echo "ERROR: command not allowed." # For SSH to show the error on client +exit 1
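Review bot: `eval "exec $REQ_CMD"` in `limited-wrapper.sh` hands the whole original command back to the shell after only `ARGS[0]` has been checked, so the allow-list can be bypassed by anything the shell parses beyond the first word: `/usr/bin/ffmpeg -version | uname -a` runs `uname` in the second pipeline stage, `/usr/bin/ffmpeg $(uname -a)` and backtick substitutions execute before `exec`, `> ${jellyfin_data_path}/.ssh/authorized_keys` redirects output into the NFS-mounted home, and because `read -r -a ARGS <<<"$REQ_CMD"` reads only the first line, a second command after an embedded newline is never inspected at all (the comment "preserving quoting" is also wrong, `read -a` splits on whitespace and keeps quote characters literally). Replace the line with `ARGS[0]="$BIN"` followed by `exec "${ARGS[@]}"` so the arguments are passed literally with no shell re-parse, matching what the Python version does with `os.execv`, or drop the `.sh` variant altogether since the docs and `10-jellyfin-limits.conf` only install the `.py` file. The `logger -t "$(basename "$0")"` tag `limited-wrapper.sh` does match the rsyslog rule, and `echo "ERROR: command not allowed."` should go to stderr (`>&2`) for the same reason as in the Python version.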