artswrapper suid?

Barry K. Nathan barryn at pobox.com
Mon Oct 25 13:35:25 UTC 2004


On Mon, Oct 25, 2004 at 09:07:10AM -0400, Neal D. Becker wrote:
> Arjan van de Ven wrote:
> 
> > On Mon, Oct 25, 2004 at 05:59:57AM -0700, Barry K. Nathan wrote:
> >> On Mon, Oct 25, 2004 at 02:44:56PM +0200, Arjan van de Ven wrote:
> >> > why would sound stuff need to be setuid root ? the PAM console code
> >> > will make sound devices accessible to local users already.
> >> 
> >> So it can run at realtime scheduling priority?
> > 
> > sounds like a bad idea to me...
> > 
> Why?

I was going to ask that too, but then I Googled and found this:
http://kdenews.unixcode.org/?node=news&action=article;18
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=266760
http://bugs.kde.org/show_bug.cgi?id=88401
http://bugs.kde.org/show_bug.cgi?id=86426

Even if artsd isn't running as root, the fact that it obtains realtime
priority (via a setuid artswrapper) lets it take down the system
(whether with an intentional denial-of-service attack or because of
accidental bugs).

-Barry K. Nathan <barryn at pobox.com>
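An added example, not part of the original message: one way for an administrator to see which processes currently hold realtime scheduling, the condition this message identifies as the risk. It reads `rt_priority` (field 40) and `policy` (field 41) from `/proc/<pid>/stat` as documented in proc(5); the function names and the sample line are constructed for illustration.

```c
#include <dirent.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample /proc/<pid>/stat line (not from a real system):
 * policy SCHED_FIFO, rt_priority 50. */
const char SAMPLE_RT[] =
    "4242 (artsd) S 1 4242 4242 0 -1 4194304 100 0 0 0 5 3 0 0 -51 0 1 0 12345 "
    "1000000 200 4294967295 1 1 0 0 0 0 0 0 0 0 0 0 17 0 50 1 0 0 0\n";

/* Fill in rt_priority (field 40) and policy (field 41); returns 0 on success. */
int parse_stat(const char *line, int *policy, int *rtprio)
{
    /* comm (field 2) may hold spaces and ')': start at the LAST ')'. */
    const char *p = strrchr(line, ')');
    if (!p) return -1;
    for (int field = 2; field <= 41; field++) {    /* that ')' closes field 2 */
        while (*p == ' ') p++;
        if (*p == '\0' || *p == '\n') return -1;   /* truncated line */
        if (field == 40 && sscanf(p, "%d", rtprio) != 1) return -1;
        if (field == 41 && sscanf(p, "%d", policy) != 1) return -1;
        while (*p && *p != ' ' && *p != '\n') p++; /* skip this token */
    }
    return 0;
}

/* -1: unparsable, 0: not realtime, otherwise the realtime priority (1..99). */
int realtime_prio(const char *line)
{
    int policy, rtprio;
    if (parse_stat(line, &policy, &rtprio) != 0) return -1;
    return (policy == SCHED_FIFO || policy == SCHED_RR) ? rtprio : 0;
}
int main(void)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    char path[300], line[1024];
    printf("sample line: rtprio %d\n", realtime_prio(SAMPLE_RT));
    while (d && (e = readdir(d)) != NULL) {
        if (e->d_name[0] < '0' || e->d_name[0] > '9') continue;
        snprintf(path, sizeof path, "/proc/%s/stat", e->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;                          /* process already exited */
        if (fgets(line, sizeof line, f) && realtime_prio(line) > 0)
            printf("realtime: pid %s rtprio %d\n", e->d_name, realtime_prio(line));
        fclose(f);
    }
    if (d) closedir(d);
    return 0;
}
```

The scan covers only the main thread of each process; threads that switch policy on their own appear under `/proc/<pid>/task/<tid>/stat` in the same format.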




More information about the fedora-test-list mailing list