On Jul 12, 2007, at 6:52 PM, Frank Barknecht wrote:

> Hello,
> Hans-Christoph Steiner wrote:
>
>> On Jul 12, 2007, at 3:18 PM, Mathieu Bouchard wrote:
>>
>>> Last year I demonstrated that it is possible to make a very small
>>> external that gives root access to the whole pd process. This
>>> vulnerability only affects Miller's pd, including pd-0.41-0test04
>>> (which is the absolute latest). I have fixed that problem during
>>> devel_0_39 and carried it into the desiredata branch.
>>>
>>> This problem is largely theoretical so far, as it requires an
>>> external to play with the setuid/seteuid commands. I can't think of
>>> any external that does that, except the small test that I made for
>>> the purpose of verifying my claim.
>>>
>>> I haven't looked much for other possible breaches of root access.
>>
>> This is only possible if you are running Pd as root, which in general
>> is not a good idea. If Pd is running as a different user, then you
>> wouldn't be able to gain root access.
>
> Matju can comment better, but AFAIR in my tests his external also
> worked with a setuid root Pd started as a normal user. You can check
> this with the code, it's somewhere in the bug tracker.
>
> Anyways, making /usr/bin/pd setuid is not necessary anyway, as I wrote
> in another mail.

"setuid root" means that the process will always run as root, no matter who starts it. So it's the same as running pd as root.

.hc

> Ciao
> --
> Frank Barknecht _ ______footils.org_ __goto10.org__
>
> _______________________________________________
> [email protected] mailing list
> UNSUBSCRIBE and account-management -> http://lists.puredata.info/listinfo/pd-list

----------------------------------------------------------------------------

I have the audacity to believe that peoples everywhere can have three meals a day for their bodies, education and culture for their minds, and dignity, equality and freedom for their spirits. - Martin Luther King, Jr.
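
The thread turns on whether code loaded into a setuid-root program can get root back through setuid/seteuid. The following is an added example, not part of the original thread and not Pd's code: a hypothetical helper, `drop_privileges_permanently`, that a setuid-root host program could call before loading any plugin, and that verifies the drop cannot be undone. It assumes POSIX semantics as implemented on Linux.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper (not from Pd): permanently give up setuid-root
 * privilege. Returns 0 when no code in the process, including plugins
 * loaded later, can get root back; -1 otherwise (caller should exit).
 */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();   /* the user who started the program */
    gid_t rgid = getgid();

    if (ruid == 0)
        return 0;            /* started by root: no other identity to drop to */

    /* Edge case: an earlier temporary drop (seteuid) left saved UID 0.
       Return to euid 0 first so the setuid() below clears all three
       IDs. For an ordinary unprivileged process this call just fails. */
    if (geteuid() != 0 && setuid(0) != 0) {
        /* no saved root identity: nothing to undo */
    }

    /* Group first: after the UID drop we may no longer change GIDs. */
    if (setgid(rgid) != 0)
        return -1;
    /* Called with euid 0, setuid() sets real, effective and saved UID. */
    if (setuid(ruid) != 0)
        return -1;

    /* Verify instead of trusting return codes. */
    if (getuid() != ruid || geteuid() != ruid || getegid() != rgid)
        return -1;
    if (setuid(0) == 0)
        return -1;           /* root came back: the drop did not hold */
    return 0;
}

int main(void)
{
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    printf("uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    return 0;
}
```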
