Kodi Webserver on Port 80. Underlying weirdness that I don't understand.
#1
OK, the goal is simple. I run Kodi on a dedicated HTPC. Nothing is on port 80 and I want to make it easy for family to use the web interface. Trivial really. So I wanted to put Kodi's web service on port 80.

It's running on a Linux box (Mint 19.3) and this will be OS dependent but fairly Linux generic. Essentially low numbered ports are reserved for use by root only and I can run Kodi on port 80 as root without drama. All good. But that is no solution, an app as complex as Kodi should under no circumstances be running as root.

So now comes the oddness. There are ways and means to do this on Linux.

Method 1: authbind
Easy enough I installed authbind, I configured it. I even tested with
Code:
nc -l 80
(which is just a standard way of listening on a port). Without authbind it returns
Code:
nc: Permission denied
and with authbind it listens on port 80 just fine. But Kodi ... nope, with authbind just complains that web server failed to start. Even
Code:
authbind --deep
fails (that just grants all Kodi's children (processes and threads) permission to bind to port 80).

Method 2: setcap
In modern Linux you can grant binaries specific capabilities and a fairly standard solution for permitting the binding to port 80 (or all low numbered ports really) looks like:
Code:
sudo setcap cap_net_bind_service+ep /usr/bin/kodi
Alas also no go. Doesn't work. Kodi still complains the web server fails to start when I put it on port 80.

Method 3: rerouting
OK this works:
Code:
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
That is, run Kodi on 8080 and redirect requests from 80 to 8080. Not ideal but it works.

What blows my mind is that authbind and setcap fail.

Has anyone got a clue why that might be?
Reply
#2
setcap should work, but you have to set it on the real binary, which changes depending on platform, e.g. /usr/lib/x86_64-linux-gnu/kodi/kodi-x11
/usr/bin/kodi is just a wrapper script
Reply
#3
(2020-05-18, 12:20)wsnipex Wrote: setcap should work, but you have to set it on the real binary, which changes depending on platform, e.g. /usr/lib/x86_64-linux-gnu/kodi/kodi-x11
/usr/bin/kodi is just a wrapper script

Doh! I must be half asleep to have missed that. authbind too has issues with shell scripts. Will drill into that.
Reply
#4
Bad news. Didn't work.

Checked in the process tree to confirm the binary (as that shell script is a tad tedious to read) and yes it was indeed as you described so:
Code:
sudo setcap cap_net_bind_service+ep /usr/lib/x86_64-linux-gnu/kodi/kodi-x11
And started kodi and it still complains it can't start the web server. Hmmmm. I wonder if there's a way to check the capabilities of the running process. Can certainly see it on the file:
Code:
$ getcap /usr/lib/x86_64-linux-gnu/kodi/kodi-x11
getcap /usr/lib/x86_64-linux-gnu/kodi/kodi-x11 = cap_net_bind_service+ep
Ah, the vagaries of Kodi and port binding.
Reply
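Post #4 asks whether the capabilities of the running process can be checked. One way, as an added example that is not part of the thread: the kernel lists each process's capability sets as hex masks in /proc/<pid>/status, and cap_net_bind_service is bit 10. The function names, the script name and the sample status text below are constructed for illustration.

```shell
#!/bin/sh
# Capability number from <linux/capability.h>.
CAP_NET_BIND_SERVICE=10

# Constructed sample of the relevant /proc/<pid>/status lines for a process
# whose permitted and effective sets hold only cap_net_bind_service (bit 10).
sample_status() {
    cat <<'EOF'
Name:   kodi-x11
NoNewPrivs:     0
CapInh: 0000000000000000
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
EOF
}

# has_cap SET BIT: reads status text on stdin. Exit 0 if BIT is set in SET,
# 1 if it is clear, 2 if the SET line is missing.
has_cap() {
    hc_mask=$(awk -v key="$1:" '$1 == key { print $2 }')
    [ -n "$hc_mask" ] || return 2
    [ $(( (0x$hc_mask >> $2) & 1 )) -eq 1 ]
}

# report_caps: reads status text on stdin, prints one line per capability set.
report_caps() {
    rc_text=$(cat)
    for rc_set in CapInh CapPrm CapEff CapBnd CapAmb; do
        if printf '%s\n' "$rc_text" | has_cap "$rc_set" "$CAP_NET_BIND_SERVICE"; then
            echo "$rc_set: cap_net_bind_service set"
        else
            echo "$rc_set: cap_net_bind_service clear"
        fi
    done
    # File capabilities are not applied on exec when NoNewPrivs is 1.
    printf '%s\n' "$rc_text" | grep '^NoNewPrivs:' || true
}

# Usage (hypothetical script name): sh procaps.sh <pid>
# With no argument nothing is inspected.
if [ $# -ge 1 ]; then
    report_caps < "/proc/$1/status"
fi
```

CapEff is the set the kernel consults when the process calls bind() on a port below 1024, so that is the line to compare against what getcap reports for the file.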
#5
how do you start kodi? If you use a systemd service you need to set capabilities in the service file
Reply
#6
(2020-05-19, 08:19)wsnipex Wrote: how do you start kodi? If you use a systemd service you need to set capabilities in the service file

By running /usr/bin/kodi.

When testing from a terminal window. In day-to-day use from a desktop shortcut that runs that usually. Which is just a drag-and-drop from a Cinnamon menu item. Which in practice is a file called Kodi.desktop that contains:
Code:
[Desktop Entry]
Version=1.0
Name=Kodi
GenericName=Media Center
Comment=Manage and view your media
Exec=kodi
Icon=kodi
Terminal=false
Type=Application
Categories=AudioVideo;Video;Player;TV;
Actions=Fullscreen;Standalone;

[Desktop Action Fullscreen]
Name=Open in fullscreen
Exec=kodi -fs

[Desktop Action Standalone]
Name=Open in standalone mode
Exec=kodi --standalone
and clearly just runs kodi, and relies on:
Code:
$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
to do its work and:
Code:
$ which kodi
/usr/bin/kodi
comforts me that there are no surprises in /usr/local/sbin, /usr/local/bin or /usr/sbin ;-)
Reply
