Re: [PD] Pd-0.39.2-extended-rc4 released on ubuntu
Hans-Christoph Steiner wrote: On Jul 13, 2007, at 1:43 AM, Frank Barknecht wrote: Debian with libpam-modules 0.79-4. I wonder how to set up something like this in a package. Too bad i daresay you don't. how about adding documentation to the README that explain how to setup the /etc/security/limits.conf just for the archives i repeat the steps: make sure, your /etc/security/limits.conf holds these 3 lines: @audio - rtprio 99 @audio - memlock 25 @audio - nice -10 imho, it would be not such a good idea to do that in the package-setup, at least _without asking_ the user whether they really want that. even though the adding these lines is far from as dangerous as the setuid(), it still imposes the risk of anyone being a member of group audio to freeze the computer, which - to my knowledge - is a security risk. if you do think that it is too much, to ask people to read the readme and do it yourself, you could use debconf (on debian/ubuntu) to ask the user whether they really want that. on non-debian systems i don't know, but surely there are mechanisms that allow the same. there isn't something like /etc/security.d/, where packages can install things. Anyone have any ideas along that line? I guess one the problem is, that /etc/security/limits.conf is not a per-application but a per-user (including per-group) setting. so it does have side-effects, which is probably the reason why there is no such thing as you asked for. fmgasd.r IOhannes ___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/listinfo/pd-list
Re: [PD] Pd-0.39.2-extended-rc4 released on ubuntu
IOhannes m zmoelnig wrote: just for the archives i repeat the steps: make sure, your /etc/security/limits.conf holds these 3 lines: oops, should have read the entire thread before answering. so i know that frank has already posted this (i thought that miller was probably referring to an older post which i had missed) mgfa.sdr IOhannes ___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/listinfo/pd-list
Re: [PD] Pd-0.39.2-extended-rc4 released on ubuntu
Hallo, Miller Puckette hat gesagt: // Miller Puckette wrote: Pd does a seteuid(setuid()) to un-get root priveliges if run as setuid, after its priority gets promoted, so that it runs as the user who started it. But there are apparently loopholes, as Mathieu has found. I'm trying to repeat Frank's trick with /etc/security/limits.conf, so far without success, but if that works it would be much preferable to making Pd setuid root. Here it works for several months at least: (~)-$ ls -l /usr/bin/pd -rwxr-xr-x 1 root root 809768 May 31 19:05 /usr/bin/pd (~)-$ /usr/bin/pd -rt priority 8 scheduling enabled. priority 6 scheduling enabled. Debian with libpam-modules 0.79-4. Ciao -- Frank Barknecht _ __footils.org_ __goto10.org__ ___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/listinfo/pd-list
Re: [PD] Pd-0.39.2-extended-rc4 released on ubuntu
On Jul 13, 2007, at 1:43 AM, Frank Barknecht wrote: Hallo, Miller Puckette hat gesagt: // Miller Puckette wrote: Pd does a seteuid(setuid()) to un-get root priveliges if run as setuid, after its priority gets promoted, so that it runs as the user who started it. But there are apparently loopholes, as Mathieu has found. I'm trying to repeat Frank's trick with /etc/security/limits.conf, so far without success, but if that works it would be much preferable to making Pd setuid root. Here it works for several months at least: (~)-$ ls -l /usr/bin/pd -rwxr-xr-x 1 root root 809768 May 31 19:05 /usr/bin/pd (~)-$ /usr/bin/pd -rt priority 8 scheduling enabled. priority 6 scheduling enabled. Debian with libpam-modules 0.79-4. I wonder how to set up something like this in a package. Too bad there isn't something like /etc/security.d/, where packages can install things. Anyone have any ideas along that line? I guess one answer is to use Ubuntu Studio... ;) .hc Ciao -- Frank Barknecht _ __footils.org_ __goto10.org__ ___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/ listinfo/pd-list The arc of history bends towards justice. - Dr. Martin Luther King, Jr. ___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/listinfo/pd-list
Re: [PD] Pd-0.39.2-extended-rc4 released on ubuntu
Aha, on the next boot it worked. Thanks! Miller On Fri, Jul 13, 2007 at 07:43:10AM +0200, Frank Barknecht wrote: Hallo, Miller Puckette hat gesagt: // Miller Puckette wrote: Pd does a seteuid(setuid()) to un-get root priveliges if run as setuid, after its priority gets promoted, so that it runs as the user who started it. But there are apparently loopholes, as Mathieu has found. I'm trying to repeat Frank's trick with /etc/security/limits.conf, so far without success, but if that works it would be much preferable to making Pd setuid root. Here it works for several months at least: (~)-$ ls -l /usr/bin/pd -rwxr-xr-x 1 root root 809768 May 31 19:05 /usr/bin/pd (~)-$ /usr/bin/pd -rt priority 8 scheduling enabled. priority 6 scheduling enabled. Debian with libpam-modules 0.79-4. Ciao -- Frank Barknecht _ __footils.org_ __goto10.org__ ___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/listinfo/pd-list ___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/listinfo/pd-list
Re: [PD] Pd-0.39.2-extended-rc4 released on ubuntu
On Thu, 12 Jul 2007, Hans-Christoph Steiner wrote: This is only possible if you are running Pd as root, which is general is not a good idea. If Pd is running as a different user, then you wouldn't be able to gain root access. We are *only* talking about setuid (chmod +s) and not starting pd from a root login. If pd is running as user eighthave but with setuid root, pd is dropping priviledges to be effectively just eighthave, but does it the wrong way, causing it to be able to regain effective root later. I reported this bug last november: http://lists.puredata.info/pipermail/pd-dev/2006-11/007910.html I have fixed that bug in devel_0_39 on 2006.11.23. _ _ __ ___ _ _ _ ... | Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/listinfo/pd-list
Re: [PD] Pd-0.39.2-extended-rc4 released on ubuntu
On Fri, 13 Jul 2007, Frank Barknecht wrote: Regarding patco's problem with realtime mode: chmod +s is not a good idea as it's a potentially big security hole opening up your system for all kind of local exploits. Frankly, on the average machine, almost all important files are in the same user account that runs pd. In any pd file it's easy to append a line like this: #X savetofile .pdsettings /home/matju; Which doesn't appear in a patch and causes pd to copy that patch over my .pdsettings and works even when using -noloadbang. Have fun. (PS: I don't really have a .pdsettings, I'm just simulating something that could hurt...) _ _ __ ___ _ _ _ ... | Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/listinfo/pd-list
Re: [PD] Pd-0.39.2-extended-rc4 released on ubuntu
On Fri, 13 Jul 2007, [EMAIL PROTECTED] wrote: Pd does a seteuid(setuid()) to un-get root priveliges if run as setuid, after its priority gets promoted, so that it runs as the user who started it. But there are apparently loopholes, as Mathieu has found. what you mean is that your pd does a seteuid(getuid()). What you need to know is that my pd does a setuid(getuid()) instead. You can find the relevant information by consulting: man setuid _ _ __ ___ _ _ _ ... | Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/listinfo/pd-list
Re: [PD] Pd-0.39.2-extended-rc4 released on ubuntu
On Jul 12, 2007, at 3:18 PM, Mathieu Bouchard wrote: On Thu, 12 Jul 2007, [EMAIL PROTECTED] wrote: would it be possible to add an option to ask the user if he wants to chmod +s pd? some people told me it's dangerous. is it really? pd is already a powerful (read dangerous) software with the objet system, shell or netreceive... Last year I demonstrated that it is possible to make a very small external that gives root access to the whole pd process. This vulnerability only affects Miller's pd, including pd-0.41-0test04 (which is the absolute latest). I have fixed that problem during devel_0_39 and carried it into the desiredata branch. This problem is largely theoretical so far, as it requires an external to play with the setuid/seteuid commands. I can't think of any external that does that, except the small test that I made for the purpose of verifying my claim. I haven't looked much for other possible breaches of root access. This is only possible if you are running Pd as root, which is general is not a good idea. If Pd is running as a different user, then you wouldn't be able to gain root access. .hc _ _ __ ___ _ _ _ ... | Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/ listinfo/pd-list As we enjoy great advantages from inventions of others, we should be glad of an opportunity to serve others by any invention of ours; and this we should do freely and generously. - Benjamin Franklin ___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/listinfo/pd-list
Re: [PD] Pd-0.39.2-extended-rc4 released on ubuntu
Hmm... setuid root by default on Pd is kind of scary. It's very far from secure. I wonder if there isn't any other way. Have you tried jack? hi hans, i understand, but for me it's the only way (setuid) to avoid glitches. i am using jack with -rt. maybe an option when installing pd-extended: do you want to chmod +s pd? do you want to use -rt? do you want to use alsamidi? choose between oss, alsa, jack? i know that it doesn't really make sense for windows... pat - Original Message - From: Hans-Christoph Steiner [EMAIL PROTECTED] To: patrick [EMAIL PROTECTED] Cc: Pd pd-list@iem.at Sent: Thursday, July 12, 2007 5:11 PM Subject: Re: [PD] Pd-0.39.2-extended-rc4 released on ubuntu Hmm... setuid root by default on Pd is kind of scary. It's very far from secure. I wonder if there isn't any other way. Have you tried jack? .hc On Jul 12, 2007, at 4:06 PM, patrick wrote: hi georg, yes i have -rt in my startup flags. i really need to make pd setuid to avoid the glitches. pat - Original Message - From: Georg Holzmann [EMAIL PROTECTED] To: patrick [EMAIL PROTECTED] Cc: Pd pd-list@iem.at Sent: Thursday, July 12, 2007 2:45 PM Subject: Re: [PD] Pd-0.39.2-extended-rc4 released on ubuntu Hallo! the other thing is only related to my setup i guess. i would like to know if anyone experience this. if i don't chmod +s /usr/local/ bin/pd then i have many glitches in pd (xruns). i am using ubuntu studio (feisty) with the realtime kernel. are you starting with pd -rt ? LG Georg ___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/listinfo/pd-list ___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/ listinfo/pd-list http://at.or.at/hans/ ___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/listinfo/pd-list
Re: [PD] Pd-0.39.2-extended-rc4 released on ubuntu
Hallo, Hans-Christoph Steiner hat gesagt: // Hans-Christoph Steiner wrote: On Jul 12, 2007, at 2:45 PM, Georg Holzmann wrote: Hallo! the other thing is only related to my setup i guess. i would like to know if anyone experience this. if i don't chmod +s /usr/local/bin/pd then i have many glitches in pd (xruns). i am using ubuntu studio (feisty) with the realtime kernel. are you starting with pd -rt ? On GNU/Linux, does Pd use realtime or regular mode by default? It sounds like maybe -rt should be added to the /usr/local/lib/pd/ default.pdsettings that's included in the package. No, better not: It's dangerous, if your patch is buggy and pd runs wild. I only use -rt during performances. Regarding patco's problem with realtime mode: chmod +s is not a good idea as it's a potentially big security hole opening up your system for all kind of local exploits. And it's not necessary, if your system is set up correctly. Correctly means, that you need a current libpam (Ubuntustudio has it) and you need to set up /etc/security/limits.conf accordingly. Accordingly means, have something like this in it: @audio - nice-10 @audio - rtprio 99 @audio - memlock -1 and your user needs to be in group audio then. If even then, Pd's realtime mode isn't activated, then something much deeper is wrong. Ciao -- Frank Barknecht _ __footils.org_ __goto10.org__ ___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/listinfo/pd-list
Re: [PD] Pd-0.39.2-extended-rc4 released on ubuntu
Pd does a seteuid(setuid()) to un-get root priveliges if run as setuid, after its priority gets promoted, so that it runs as the user who started it. But there are apparently loopholes, as Mathieu has found. I'm trying to repeat Frank's trick with /etc/security/limits.conf, so far without success, but if that works it would be much preferable to making Pd setuid root. cheers Miller On Thu, Jul 12, 2007 at 10:40:49PM -0400, Hans-Christoph Steiner wrote: On Jul 12, 2007, at 6:52 PM, Frank Barknecht wrote: Hallo, Hans-Christoph Steiner hat gesagt: // Hans-Christoph Steiner wrote: On Jul 12, 2007, at 3:18 PM, Mathieu Bouchard wrote: Last year I demonstrated that it is possible to make a very small external that gives root access to the whole pd process. This vulnerability only affects Miller's pd, including pd-0.41-0test04 (which is the absolute latest). I have fixed that problem during devel_0_39 and carried it into the desiredata branch. This problem is largely theoretical so far, as it requires an external to play with the setuid/seteuid commands. I can't think of any external that does that, except the small test that I made for the purpose of verifying my claim. I haven't looked much for other possible breaches of root access. This is only possible if you are running Pd as root, which is general is not a good idea. If Pd is running as a different user, then you wouldn't be able to gain root access. Matju can comment better, but AFAIR in my tests his external also worked with a setuid root Pd started as a normal user. You can check this with the code, it's somewhere in the bug tracker. Anyways, making /usr/bin/pd setuid is not necessary anyway, as I wrote in another mail. setuid root means that the process will always run as root, no matter who starts it. So it's the same as running pd as root. .hc Ciao -- Frank Barknecht _ __footils.org_ __goto10.org__ ___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/ listinfo/pd-list I have the audacity to believe that peoples everywhere can have three meals a day for their bodies, education and culture for their minds, and dignity, equality and freedom for their spirits. - Martin Luther King, Jr. ___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/listinfo/pd-list ___ PD-list@iem.at mailing list UNSUBSCRIBE and account-management - http://lists.puredata.info/listinfo/pd-list
