Bug 22420

Summary: Tvheadend's password is processed immediately, before it can be copied.
Product: Mageia Reporter: Doug Laidlaw <laidlaws>
Component: RPM PackagesAssignee: Florian Hubold <doktor5000>
Status: RESOLVED OLD QA Contact:
Severity: normal    
Priority: Normal CC: doktor5000, marja11
Version: 6   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: tvheadend-4.0.9-1.mga6.x86_64 CVE:
Status comment:

Description Doug Laidlaw 2018-01-19 13:47:31 CET 
Description of problem:
Whend tvheadend is started via systemctl, the random password is changed to a hash string immediately, before I have a chance to copy it and enter it at login.

Version-Release number of selected component (if applicable):


How reproducible:
Install tvheadend and run "systemctl start tvheadend.service.

Steps to Reproduce:
1.Install tvheadend
2.Run "systemctl start tvheadend.service."
3. Try to log in.

I can't install Cauldron, so I haven't been able to test the  mga7 RPM.
Comment 1 Doug Laidlaw 2018-01-19 17:29:49 CET 
I got around this problem by copying the random password to a temporary location BEFORE starting tvheadend.
Comment 2 Marja Van Waes 2018-01-19 21:38:17 CET 
Assigning to the registered tvheadend maintainer.

CC: (none) => marja11
Assignee: bugsquad => doktor5000

Comment 3 Doug Laidlaw 2018-01-22 07:03:15 CET 
The TVheadend service app for LibreELEC has been disabled due to a bug, but the Mageia RPM gave no problems once I could access it.  I could run the command as user, so there is no conflict here.
Comment 4 Florian Hubold 2018-02-07 19:52:43 CET 
There's not much I can do about that. The readme that is shown during package installation /usr/share/doc/tvheadend/README.install.urpmi shows where the default access control file is located ( /var/lib/tvheadend/.hts/tvheadend/accesscontrol/1 ) and that the default password needs to be changed after first login via the webui.


That initial cleartext password is replaced by a hashed one during tvheadend start. But you can easily access it before starting it. If you start tvheadend without checking the default password as mentioned in the readme, how do you suggest I should fix that?

From another check, the "hashed" password is actually the cleartext password, prefixed by TVHeadend-Hide- and base64 encoded. So as root you can just pass the password2 value from your generated /var/lib/tvheadend/.hts/tvheadend/accesscontrol/ file and pass it to base64 -d and then you have the password.



You can still set a different initial password, in a similar way as the package does this during installation, see:

$ rpm -q --scripts tvheadend

[...]

# check if the access control file still has the initial dummy password, and
# replace the dummy password by a random, 12-character pwgen-generated password
if  grep -q '"password": "dummypassword"' /var/lib/tvheadend/.hts/tvheadend/accesscontrol/1; then
  sed -i "s,\"password\": \"dummypassword\",\"password\": \"$(pwgen -s 12 1)\"," /var/lib/tvheadend/.hts/tvheadend/accesscontrol/1
fi


Actually upstream closed a similar request to yours, see https://tvheadend.org/issues/4327 - so you could just do the same as proposed there with --noacl.

CC: (none) => doktor5000

Comment 5 Doug Laidlaw 2018-02-08 01:21:41 CET 
Thanks Doktor.  Something seems to have changed.  This was always a  nuisance, but usually I could succeed on about the fourth reinstall.  The initial random password doesn't seem to be present in other distros.  I thought it was a Mageia-only thing.

>"That initial cleartext password is replaced by a hashed one during tvheadend start. But you can easily access it before starting it. If you start tvheadend without checking the default password as mentioned in the readme, how do you suggest I should fix that?"
>

That is how I got around the problem, but it isn't what the README suggests.  I need to copy the password to a temporary location, start tvheadend, then paste the password from the temporary location into the login window.  I can set a new password in the setup page.

An alternative method:  run tvheadend -C in an xterm.  That creates a directory $HOME/.hts.  I opened the Web config  using that folder, set my own password and copied the hash from there to overwrite the ones in /var/lib/tvheadend.

The link to lonelycoder no longer works.

The setup for tvheadend has always been messy.  This bug seems to be an upstream problem, and should be closed as such.  What category should I give it -- "Won't Fix"?
Comment 6 Florian Hubold 2018-02-13 19:59:31 CET 
(In reply to Doug Laidlaw from comment #5)
> The initial random password doesn't seem to be present in other distros.  I
> thought it was a Mageia-only thing.

Well, this is more of a convenience thing, and this was present in the package before I imported it, but I thought it makes sense. I can also remove the default configuration, but then you can access it without password and anyone visiting could set it, this is usually not how web applications should work.

> That is how I got around the problem, but it isn't what the README suggests.

Feel free to suggest any changes to the README that you think would make it more understandable.

For completeness, as you didn't mention that part, this is how you can translate it to the actual password once it has been hashed after first start:

awk '/password2/ {gsub("\"",""); print $2}' /var/lib/tvheadend/.hts/tvheadend/accesscontrol/* | base64 -d | sed 's|TVHeadend-Hide-||'


> The link to lonelycoder no longer works.

I'll update those when I get around to looking at the package again.

> The setup for tvheadend has always been messy.  This bug seems to be an
> upstream problem, and should be closed as such.  What category should I give
> it -- "Won't Fix"?

Yep that would be it, but usually the packager would choose that.

Status: NEW => ASSIGNED

Comment 7 Doug Laidlaw 2020-01-13 08:26:26 CET 
tvheadend is no longer suggested by Kodi.

Resolution: (none) => OLD
Status: ASSIGNED => RESOLVED