There have been multiple accounts created with the sole purpose of posting advertisement posts or replies containing unsolicited advertising.

Accounts which solely post advertisements, or persistently post them may be terminated.

Why can ffmpeg kmsgrab capture the tty without root permissions?

I’m using sunshine for remote gaming on my Linux PC. Because I use Wayland and don’t have an Nvidia I use kmsgrab for capture (under the hood sunshine uses ffmpeg).

I have noticed that I can enter tty and kmsgrab will capture it as well. If it just captured after logging in my user I wouldn’t be surprised, but it also captures the login screen.

I autostart it at login using my systemd user configuration (not systemwide) so it should just have my user’s permission level. I get the same results if I put it in KDE’s autostart section, so it’s not a systemd thing.

Why does that work? Shouldn’t you need special privileges to capture everything?

The installation instructions tells you to do sudo setcap -r $(readlink -f $(which sunshine)) is this the reason why it works? What does the command do exactly?

wildbus8979 ,

setcap adds Linux capabilities to an executable. Capabilities are elevated privileged within the kernel for specific privileged “actions”.

docs.redhat.com/…/linux_capabilities_and_seccomp#…

man7.org/linux/man-pages/…/capabilities.7.html

CasualTee ,

Enable permissions for KMS capture.

Warning

Capture of most Wayland-based desktop environments will fail unless this step is performed.

Note

cap_sys_admin may as well be root, except you don’t need to be root to run it. It is necessary to allow Sunshine to use KMS capture.

Enable


<span style="color:#323232;">   sudo setcap cap_sys_admin+p $(readlink -f $(which sunshine))
</span>

Disable (for Xorg/X11 only)


<span style="color:#323232;">   sudo setcap -r $(readlink -f $(which sunshine))
</span>

Their install instruction are pretty clear to me. The actual instruction is to run

sudo setcap cap_sys_admin+p $(readlink -f $(which sunshine))

This is vaguely equivalent to setting the setuid bit on programs such as sudo which allows you to run as root. Except that the program does not need to be owned by root. There are also some other subtleties, but as they say, it might as well be the same as running the program directly as root. For the exact details, see here: www.man7.org/linux/…/capabilities.7.html and look for CAP_SYS_ADMIN.

In other words, the commands gives all powers to the binary. Which is why it can capture everything.

Using KMS capture seems way overkill for the task I would say. But maybe the wayland protocol was not there yet when this came around or they need every bit of performance they can gain. Seeing the project description, I would guess on the later as a cloud provider would dedicate a machine per user and would then wipe and re-install between two sessions.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • [email protected]
  • random
  • lifeLocal
  • goranko
  • All magazines
    •