rffmpeg/docs/HARDENING
Juha Leivo f5681397a7 feat: Added python version of the wrapper
- GPT-OSS:120b did the conversion of the script from bash to python3
- Updated rsyslog definition to work with either the bash or the python file
- updated SSH config to use the python version
2025-11-03 21:33:26 +02:00


*NOTICE* Do not apply these steps until you have a verified working setup; they restrict the jellyfin account and will hide unrelated problems if applied too early.
These steps were tested and validated on Ubuntu 24.04 LTS, 2025-11-03.
# Hardening
- Access for the jellyfin user will be limited to the jellyfin1 server only
- Commands the jellyfin user can run over SSH will be limited to `ffmpeg` only
- Every command the jellyfin user runs will be logged
- (optional) Logs stored in a separate log file
## Prerequisites
- static IP on the jellyfin1 server
## Configure SSH server
The SSH server configuration consists of two files
1. `10-jellyfin-limits.conf` - the sshd drop-in config
2. `limited-wrapper.sh` or `limited-wrapper.py` - the ForceCommand script that limits which commands can be run
### 10-jellyfin-limits.conf
This config file does a few things
- allows the jellyfin user to log in only from the jellyfin1 server (its static IP)
- disables login options the jellyfin user does not need (TTY, port forwarding, agent forwarding)
- forces every session of the jellyfin user through `limited-wrapper.py` (or `limited-wrapper.sh`), regardless of the command the client requested
1. Copy `10-jellyfin-limits.conf` to `/etc/ssh/sshd_config.d/`
2. Update the IP address of the jellyfin1 server in the file
3. Restart ssh
```bash
sudo systemctl restart ssh
```
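What such a drop-in looks like, as an illustrative example added here (it is not the project's `10-jellyfin-limits.conf`; the address `192.0.2.10` stands for jellyfin1's static IP and `/usr/local/bin/limited-wrapper.py` for the wrapper path, both assumptions):

```text
# /etc/ssh/sshd_config.d/10-jellyfin-limits.conf (illustrative; replace
# 192.0.2.10 with the static IP of jellyfin1)

# Refuse the jellyfin account from everywhere except jellyfin1.
# A negated pattern never matches on its own, so the trailing "*" is required.
Match User jellyfin Address !192.0.2.10,*
    DenyUsers jellyfin

# From jellyfin1: key-based login only, and every session is forced through
# the wrapper no matter what command the client asked for. The requested
# command reaches the wrapper in SSH_ORIGINAL_COMMAND.
Match User jellyfin Address 192.0.2.10
    PubkeyAuthentication yes
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    ForceCommand /usr/local/bin/limited-wrapper.py
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitUserRC no
```

Before restarting, check the syntax with `sudo sshd -t`, and confirm what sshd will actually apply to a connection from jellyfin1 with `sudo sshd -T -C user=jellyfin,addr=192.0.2.10 | grep -Ei 'forcecommand|permittty|allowtcpforwarding'`; the `Match` results depend on the order in which `sshd_config` includes the drop-ins, so the `-T -C` output, not the file contents, is the thing to trust.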
### limited-wrapper.sh and limited-wrapper.py
These scripts run as the ForceCommand for every SSH session of the jellyfin user. They read the command the client requested, compare its executable against the ALLOWED list, log the request and run it only if it matches; anything else (including an interactive login with no command) is refused.
1. Update the ALLOWED list in the script to match your `ffmpeg` locations (use absolute paths)
2. Copy the script to `/usr/local/bin/limited-wrapper.py` (or `limited-wrapper.sh`, matching the `ForceCommand` in `10-jellyfin-limits.conf`) and allow only root to modify it. The jellyfin user must not be able to write to this file, otherwise it could replace the wrapper with anything.
```bash
sudo chown root:root /usr/local/bin/limited-wrapper.py &&\
sudo chmod 755 /usr/local/bin/limited-wrapper.py
```
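The core of such a wrapper, as an added example (this is not the project's `limited-wrapper.py`; the `ALLOWED` paths, the `limited-wrapper` syslog tag, the exit code 126 and the use of Python's `syslog` module instead of the `logger` command are assumptions made for the example):

```python
#!/usr/bin/env python3
"""Illustrative ForceCommand wrapper (added example, not the project's own
limited-wrapper.py). sshd passes the client's requested command line in
SSH_ORIGINAL_COMMAND; we only ever exec an absolute path from ALLOWED."""
import os
import shlex
import sys
import syslog

# Absolute paths only. Matching on the basename would let a client run its
# own "ffmpeg" via a relative path, so argv[0] must equal one of these exactly.
ALLOWED = frozenset({"/usr/bin/ffmpeg", "/usr/lib/jellyfin-ffmpeg/ffmpeg"})

LOG_TAG = "limited-wrapper"  # assumption: the rsyslog filter keys on this tag


def check_command(cmdline, allowed=ALLOWED):
    """Return the argv to exec, or None if the request must be refused.

    The string is split with shlex and never handed to a shell, so ';', '|'
    and similar characters stay literal arguments to the allowed binary.
    """
    if not cmdline or not cmdline.strip():
        return None                      # interactive login or empty command
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None                      # unbalanced quotes: refuse
    if not argv or argv[0] not in allowed:
        return None
    return argv


def main():
    # SSH_CONNECTION is "client_ip client_port server_ip server_port"
    peer = os.environ.get("SSH_CONNECTION", "?").split()[0]
    original = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    syslog.openlog(LOG_TAG, syslog.LOG_PID, syslog.LOG_AUTH)
    argv = check_command(original)
    if argv is None:
        syslog.syslog(syslog.LOG_WARNING, f"DENIED from {peer}: {original!r}")
        print("ERROR: command not allowed.", file=sys.stderr)
        sys.exit(126)
    syslog.syslog(syslog.LOG_INFO, f"ALLOWED from {peer}: {shlex.join(argv)}")
    sys.stderr.flush()
    os.execv(argv[0], argv)              # replaces this process; no shell involved


if __name__ == "__main__":
    main()
```

Two caveats worth keeping in mind when you adapt the real script. First, the wrapper decides which binary runs, not what that binary does: `ffmpeg` will still read and write any file the jellyfin user can reach and can open network protocols, so file permissions on the transcode host matter as much as this check. Second, shell-style chaining is defeated only because the argv is passed to `execv` directly; a wrapper that rebuilds a command string and runs it through `bash -c` would reintroduce exactly the injection this design avoids.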
### Test configuration
1. Log in to your jellyfin1 server and run
```bash
sudo -u jellyfin ssh jellyfin@transcode1 /usr/bin/ffmpeg
```
The command should be allowed and print the ffmpeg banner and usage. Note that `ffmpeg` with no arguments exits with status 1 after printing its usage, so a non-zero exit code from `ssh` here is expected; use `/usr/bin/ffmpeg -version` if you want a clean exit status.
2. Run a command that should fail
```bash
sudo -u jellyfin ssh jellyfin@transcode1 uname -a
```
The command should be refused and you should see `ERROR: command not allowed.` instead of the kernel information.
### Troubleshooting
#### Permission denied (publickey)
1. Check the auth log on transcode1 (`/var/log/auth.log` or `journalctl -u ssh`).
You should see the IP address you are connecting from; make sure it is the same as the one in your `10-jellyfin-limits.conf` file. A mismatch (for example a second interface or NAT in between) makes the `Match` block for the allowed address not apply, and the login is refused even though the key itself is fine.
## Logging
All commands requested by the jellyfin user, allowed or refused, are logged to the standard syslog (via `logger`). They can be redirected to their own file.
### rsyslog config
The file `limited-wrapper-log.conf` is an rsyslog config that redirects the wrapper's log entries to a separate file
1. Update the `limited-wrapper-log.conf` file with the log file name you want. Default is `/var/log/jellyfin_commands.log`
2. Copy the file to `/etc/rsyslog.d/`
3. Correct the file rights
```bash
sudo chown root:root /etc/rsyslog.d/limited-wrapper-log.conf &&\
sudo chmod 644 /etc/rsyslog.d/limited-wrapper-log.conf
```
4. Create the log file
```bash
sudo touch /var/log/jellyfin_commands.log &&\
sudo chown syslog:adm /var/log/jellyfin_commands.log &&\
sudo chmod 664 /var/log/jellyfin_commands.log
```
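What such a drop-in looks like, as an illustrative example added here (not the project's `limited-wrapper-log.conf`); it assumes the wrapper logs with the tag `limited-wrapper`, which is what `$programname` matches, so adjust the tag to whatever your script passes to `logger -t`:

```text
# /etc/rsyslog.d/limited-wrapper-log.conf (illustrative)
# Send everything tagged by the wrapper to its own file, then stop processing
# so the same lines are not also written by the default rules.
if $programname == 'limited-wrapper' then {
    action(type="omfile" file="/var/log/jellyfin_commands.log")
    stop
}
```

Check the syntax with `sudo rsyslogd -N1`, then `sudo systemctl restart rsyslog` so the new file is read; rsyslog does not pick up drop-ins until it is restarted. Re-run the two test commands from the SSH section and confirm that both the allowed `ffmpeg` call and the refused `uname -a` show up in `/var/log/jellyfin_commands.log`. Leave out the `stop` line if you want a copy of the entries to remain in the default logs as well.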