Start mm-renderer and configure context handle policies, PPS directories, logging,
and permissions
Synopsis:
mm-renderer [-cefk] [-N nobody] [-oq] -r statepath -s serverpath
[-U mmruser] [-v[v...]]
Options:
- -c
- Destroy a context when the primary handle is closed.
- -e
- Log to stderr instead of slog2info.
- -f
- Stay in the foreground.
- -k
- Clean up any stale PPS objects from the previous instantiation of mm-renderer.
- -N nobody
- Switch to the user ID (uid) and group IDs (gids) of the current client when processing a media
request, and run as user nobody at all other times. This way, mm-renderer
can play (or record to) only files that the client has permission to read (or write) directly.
You should choose a user who can't open any files, to prevent unwanted access when a client
tries to open a file unexpectedly. Because mm-renderer
spends as long as possible executing as nobody, this option reduces the time window during
which an attacker with knowledge of security vulnerabilities (e.g., bugs in open source codecs) can damage
the files of other users.
- -o
- Disallow the opening of existing contexts (also implies -c).
- -q
- Decrease output verbosity. This option works opposite to -v.
- -r statepath
- The location of the PPS state directory, which stores the objects
used by the mm-renderer process. The default location is
/pps/services/multimedia/renderer.
- If you want to run multiple mm-renderer instances,
you must provide different paths in their -r options.
Running multiple instances can improve security. For example, you could run one instance
accessible to only privileged system processes and another accessible to client applications.
This way, no client could overwrite system memory with buggy or harmful code.
Note: This option could change in a future mm-renderer release
if the service is redesigned to not use PPS.
- -s serverpath
- The path of the control PPS object. The default path is
/pps/services/multimedia/renderer/control.
- We strongly recommend that the specified path not contain a slash (/).
A path that starts with a slash is interpreted as an absolute path. It is then either unsafe,
because mm-renderer won't find the object when event API functions are called, or
redundant, because you must specify the default PPS state directory or the same one as in the -r
option. A path that contains a slash but doesn't start with one is interpreted as a relative path within
the state directory, and this also breaks the event API functions.
- You can safely specify a path without a slash because it names only the file, so the control PPS object
is kept in the default state directory or the one given in -r.
The only constraint is that serverpath can't have the same name as another object that
mm-renderer creates in that directory, such as context or
component.
Note:
If you specify a non-default path, your client code must provide that same path when calling
mmr_connect().
This option could change in a future mm-renderer release
if the service is redesigned to not use PPS.
- -U mmruser
- Switch to the user ID (uid) and group IDs (gids) of mmruser
during initialization. If you didn't manually create the PPS state directory and control object beforehand
(which can be done as explained in the
Prerequisites subsection),
mm-renderer will create this directory and this object as mmruser.
- Because clients need read-write access to only the control PPS object and read-only access to all other
PPS objects used by mm-renderer,
mmruser should be a dedicated user that no other process runs as.
If you run applications as this user, they could accidentally or intentionally modify or delete PPS objects
(which disrupts mm-renderer's operation).
- If you don't use -N as well, mm-renderer will access all of
its inputs and outputs as mmruser, regardless of the client's credentials.
It may be reasonable to let untrusted clients talk to mm-renderer, but you should choose an
mmruser that can access only a specific set of media files that you want to let untrusted
clients play.
Note: This option could change in a future mm-renderer release
if the service is redesigned to not use PPS.
- -v
- Increase output verbosity. Messages are written to the slog2info log.
- The -v option is handy when you're trying to understand the operation of
mm-renderer, but when lots of -v arguments are used, the logging becomes
quite significant and can change timing noticeably. The verbosity setting is good for systems under development
but should probably not be used in production systems or when performance testing.
Description:
The mm-renderer command line starts the multimedia renderer.
This service responds to media playback requests and delivers events so clients can monitor media operations.
Through command options, you can adjust the policies for playback context handles and logging, choose a non-default PPS
control object and state directory, set quiet or verbose mode, and set the process's default uid and
gid.
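
The constraints described under -s (no slash, no clash with context or component), -r (a separate state path per instance) and -U (a dedicated account) can be checked before the service is launched. The following is an added example, not part of the original documentation; the account names mmr_sys and mmr_app, the renderer_sys state path and the choice to pass -c and -k are assumptions for illustration.

```shell
#!/bin/sh
# Added example: pre-launch checks for mm-renderer options (not from the original docs).
# Account names and the renderer_sys path below are hypothetical.

# Return 0 only if NAME is safe for -s: a bare file name (no slash) that does
# not collide with objects mm-renderer creates in the state directory.
check_serverpath() {
    case "$1" in
        "")                echo "serverpath is empty" >&2; return 1 ;;
        */*)               echo "serverpath '$1' contains a slash" >&2; return 1 ;;
        context|component) echo "serverpath '$1' collides with a renderer object" >&2; return 1 ;;
    esac
    return 0
}

# Return 0 only if no state path is repeated; each instance needs its own -r.
# One trailing slash is ignored so /a and /a/ count as the same directory.
check_statepaths() {
    seen=""
    for p in "$@"; do
        p=${p%/}
        case " $seen " in *" $p "*) echo "statepath '$p' used twice" >&2; return 1 ;; esac
        seen="$seen $p"
    done
    return 0
}

# Print the command line for one instance.
# Usage: build_mmr_cmd STATEPATH SERVERPATH MMRUSER IDLEUSER
build_mmr_cmd() {
    check_serverpath "$2" || return 1
    if [ -z "$3" ] || [ "$3" = "$4" ] || [ "$3" = "root" ]; then
        echo "mmruser must be a dedicated account, distinct from the -N user" >&2; return 1
    fi
    echo "mm-renderer -c -k -N $4 -r $1 -s $2 -U $3"
}

# Constructed sample: one instance for system processes, one for client applications.
SYS_STATE=/pps/services/multimedia/renderer_sys   # hypothetical second state path
APP_STATE=/pps/services/multimedia/renderer       # default state path
if check_statepaths "$SYS_STATE" "$APP_STATE"; then
    build_mmr_cmd "$SYS_STATE" control mmr_sys nobody
    build_mmr_cmd "$APP_STATE" control mmr_app nobody
fi
```

Because the control object of the first instance is not at the default path, clients of that instance must pass the matching path to mmr_connect().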