On Jul 12, 2007, at 3:18 PM, Mathieu Bouchard wrote:

> On Thu, 12 Jul 2007, [EMAIL PROTECTED] wrote:
>
>> would it be possible to add an option to ask the user if he wants
>> to chmod +s pd? some people told me it's dangerous. is it really?
>> pd is already a powerful (read dangerous) software with the object
>> system, shell or netreceive...
>
> Last year I demonstrated that it is possible to make a very small
> external that gives root access to the whole pd process. This
> vulnerability only affects Miller's pd, including pd-0.41-0test04
> (which is the absolute latest). I have fixed that problem during
> devel_0_39 and carried it into the desiredata branch.
>
> This problem is largely theoretical so far, as it requires an
> external to play with the setuid/seteuid commands. I can't think of
> any external that does that, except the small test that I made for
> the purpose of verifying my claim.
>
> I haven't looked much for other possible breaches of root access.

This is only possible if you are running Pd as root, which in general is not a good idea. If Pd is running as a different user, then you wouldn't be able to gain root access.

.hc

----
As we enjoy great advantages from inventions of others, we should be glad of an opportunity to serve others by any invention of ours; and this we should do freely and generously. - Benjamin Franklin

_______________________________________________
PD-list@iem.at mailing list
UNSUBSCRIBE and account-management -> http://lists.puredata.info/listinfo/pd-list
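
The setuid/seteuid issue discussed in this thread, as an added C example that is not code from Pd, from the thread, or from the fix mentioned above: a setuid-root host program gives up root permanently before it loads any external, then checks that loaded code could not switch back. The function names are hypothetical, and it assumes the binary is setuid-root and needs root only during startup.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if code running in this process can (still) act as root. */
int root_recoverable(void)
{
    uid_t euid = geteuid();
    if (euid == 0)
        return 1;                      /* already root */
    if (seteuid(0) == 0) {             /* works while the saved set-user-ID is 0 */
        if (seteuid(euid) != 0)        /* undo the probe, or stop right here */
            _exit(1);
        return 1;
    }
    return 0;
}

/* Permanently give up root in a setuid-root binary. Returns 0 on success. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();             /* the user who started the program */
    gid_t rgid = getgid();

    /* Group first: once the uid is dropped we may not be allowed to. */
    if (setgid(rgid) != 0)
        return -1;
    /* With euid 0, setuid() resets real, effective and saved uid together;
       seteuid() would leave the saved uid at 0 for any loaded code to reuse. */
    if (setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* Started by root itself: nothing to drop to, the caller must decide. */
    if (ruid != 0 && root_recoverable())
        return -1;
    return 0;
}

int main(void)
{
    /* Assumed: work that really needs root happens here, before the drop. */
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "privilege drop failed, not loading externals\n");
        return 1;
    }
    printf("uid=%ld euid=%ld root_recoverable=%d\n",
           (long)getuid(), (long)geteuid(), root_recoverable());
    return 0;
}
```

When the program is started directly by root, the real uid is already 0 and the drop changes nothing, which is the case the reply above warns against.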