TiVo Community Forums Archives - HAcks, TivoWEB & CHMOD

TiVoCommunity.com
(c)opyright 1995-2005 All rights reserved
indexcheckTC
This area is a static history of posts in the TiVo Community Forum Archive.
This archive history was made for the simple indexing of search sites like Google.

Pages:1

HAcks, TivoWEB & CHMOD
(Click here to view the original thread with full colors/images)

Posted by: alexb

Hi,

Bit new to all this. Everything i read says i need a 755 CHMOD on files, but TIVO web when it isntalled set CHMOD on the tcl files to 664.

I am looking for guidance on what the minimum permission is for each module in hacks, and each tivoweb itcl module.

Is there an FAQ that lists all modules and their files and associated permissions - i can't find one? also there doesn't seem to be a comprehensive list of all TIVO hacks and TivoWeb modules?

can any one point me in the right diection?

Posted by: Robert S

Unix is case-sensitive, so chmod and CHMOD are different things. You might need to give the full path: /bin/chmod ...

The least significant bit is the executable flag, so each of the digits needs to be an odd number. If you're not expecting your TiVo to be attacked by a hacker, mode 777 would be fine.

As for a list of hacks. Yeah, someone ought to make one of those...

Posted by: alexb

Kick ass link - don't know how i didn't manage to find it :-) also has the extra bin files i knew i had seen but couldn't find.

your a hero

(bear with me it is after midnight here i am flagging due to 6:00 am starts all this week)

Posted by: alexb

Unfortunatley seem the link to the bin tools doesn't work :( can anyone point me to another so i can get common tools like ls ?

Also to clarify should i don't think i should use 777 as this seems to be the least secure write and execute for all groups? So i am still unsure if i should be 755 ing all the tcl files and other hacks i have or not?

alex

Posted by: Robert S

I think ls and the other very basic tools are at tivo.com/linux. Nihilator found a good SourceForge page in his Copying 60+80 thread in the Underground.

777 gives you the same level of security as on a Windows 9x machine (that is to say, none at all). I doubt that there's anything on a TiVo that could take advantage of that 'hole', though. 755 or 775 would also be fine.

Posted by: alexb

Hi,

The commands are in the tbin.tar.gz file at http://tivo.stevejenkins.com/downloads/ if anyone else needs them.

Does anyone know if there is an ftpD prog that supports chaning chmod using the FTP client (like SmartFTP cando) - ok i'm lazy :-)

I assume that most hacks will hapily run as 664 and i would rather be as secure as possible - i have learnt the hardway that it is the best course.

Posted by: Robert S

No, like I said, you need odd numbers so that the executable bit is set (if you want to invoke them by name, anyway, if you invoke them as /tvbin/tivoapp script.tcl (isn't tivoapp the TCL interpreter?) that would work). So 5's and 7's (5 is read/exec, 7 is read/write/exec). Like I said, though, you're getting excited over nothing.

Most FTP clients can change the file mode. Sometimes it's quite well hidden.

Posted by: alexb

not getting excited. I agree first digit should be 7 its the next two i am unsure about - 755 gives public the right to execute an (harmful) command.

Am I getting excited? no, last thing I want if I expose the tivoweb using an inbounf port map on my NAT firewall is some bugger destroying the software - not life threatening but a pain the ass if it happend.

I know FTP clients can issue the chmod command, the problem i am having is it doesn't work with the FTP module:

........<cut>
226 Transfer complete.
SITE CHMOD 755 tr
500 Syntax error, command unrecognized.
NOOP
200 Command okay
.......<cut>

I work in an environment where i have seen the 'creative' things opportunistic hackers can do - i don't believe i am being paranoid - just trying to be careful especially as I am not too familliar with *nix security model.

For example i notice the FTP and telnet servers require no authentication - does this mean all processes on the TiVO run as root regardless - then i would know 'not to get excited' about the last two digits of the chmod number.

All i need is a little help..... please ;-)

Posted by: Robert S

Despite my hints for clarification, this is the first time that you've mentioned that the TiVo will be exposed to an external network. In that case, yes, some careful consideration of security is required.

If you feel these scripts are dangerous, then you need to find out what user ID they will be running as. If they're running from a cron tab, then you have some control and a mode like 744 might make sense. If it's running from TiVoWeb, then the UID access controls aren't going to help, so you'd better be sure it's reasonably safe.

I have no idea if it's safe to expose the telnet and FTP ports. I'd probably be nervous! It might be better to SSH into the firewall or a bastion host and telnet to the TiVo from there.

The FTP error suggests that the problem is that the TiVo's FTP server at fault (which is what you actually asked, but I missed it, sorry).