Re: [Xastir] Trap for Young and Old

2014-06-23 Thread Lee Bengston
On Mon, Jun 23, 2014 at 6:36 AM, Liz  wrote:

> On Wed, 18 Jun 2014 21:31:29 -0700 (PDT)
> "Curt, WE7U"  wrote:
>
> > On Wed, 18 Jun 2014, Jason KG4WSV wrote:
> >
> > > On Wed, Jun 18, 2014 at 2:00 PM, Curt, WE7U 
> > > wrote:
> > >> Xastir does this, but would you want to trust security of your
> > >> system to a bunch of hobbyists?  ;-)
> > >
> > > 'cause that's not something linux users are familiar with. :|
> >
> > I think we might have more of a lack of security-trained Linux people
> > on our development team...
> >
> >
> > >> Technically it isn't a problem:  The AX.25 networking port is
> > >> implemented similarly to ethernet ports in terms of permissions.
> > >>
> > >> For Xastir to be able to access the port, it needs root privileges.
> > >
> > > So you can't just chmod 666 /dev/ax25 (or whatever) so that xastir
> > > can access it running as joe user?
> >
> > I would think that would work as well, so one would need to tweak the
> > udev scripts perhaps.  I'm no expert on that, having only hacked on
> > them a few times myself for other reasons.  This would be a bit more
> > difficult for a newbie to figure out and hack on any given system.
> > There may be details that change from OS to OS and from version to
> > version.  Worth a shot though as an alternate method.
> >
>
> Got caught with the same problem this Sunday.
> For Debian packaging it would be possible to insert a question into the
> post-install script to ask if you want xastir set with permissions 4755
> - or whatever other solution is determined as best for the problem.
>
> I'm not sure how the calife or chiark-really alternates to sudo would
> be better than the current system.
>

In my mind the update-xastir script is provided as a courtesy - a little
optional tool to make things easier.  If you manually update Xastir by
downloading a new set of files from CVS and re-compiling, you will do the
same thing - overwrite the xastir executable with a new one that has the
default permissions.  I don't really view this as a problem - I do realize
it can be difficult to remember that you changed the permissions of the
xastir executable when you first installed it.  The only way I could see
the script being modified is to have it look into the configuration file(s)
in the ~/.xastir directory and determine if at least one AX25 interface is
configured.  If yes, then prompt the user asking if he/she would like to
apply the 4755 permissions change.  That's a level of sophistication I
doubt was ever intended for that script, however.

Lee - K5DAT
___
Xastir mailing list
Xastir@lists.xastir.org
http://xastir.org/mailman/listinfo/xastir


Re: [Xastir] Trap for Young and Old

2014-06-23 Thread Curt, WE7U

On Tue, 24 Jun 2014, Liz wrote:

> On Mon, 23 Jun 2014 10:53:26 -0400
> David A Aitcheson  wrote:
>
> > It depends how one sets the options in the config files; you can set
> > certain programs to automatically be "sudo'd" without additional
> > entering of a password. Me I just let them run and make me a semi-root
> > user, that way I don't have to risk typing in a password when
> > "nefarious" eyes are about.
>
> I have set my sudo that way, but we still haven't got a decision on an
> appropriate way to handle the need for xastir to have access to the
> ax25 port, without security risks.

If this page isn't adequate, let's add to it and then point other Wiki pages to
it:

http://www.xastir.org/index.php/HowTo:AX.25

> I don't know how to do it with a udev rule, as I've only hacked rules
> for hardware, and the hardware involved is different for each user.

Same here.

--
Curt, WE7U.  http://wetnet.net/~we7u
APRS Client Capabilities:  http://wetnet.net/~we7u/aprs_capabilities.html


Re: [Xastir] Trap for Young and Old

2014-06-23 Thread Liz
On Mon, 23 Jun 2014 10:53:26 -0400
David A Aitcheson  wrote:

> It depends how one sets the options in the config files; you can set
> certain programs to automatically be "sudo'd" without additional
> entering of a password. Me I just let them run and make me a semi-root
> user, that way I don't have to risk typing in a password when
> "nefarious" eyes are about.

I have set my sudo that way, but we still haven't got a decision on an
appropriate way to handle the need for xastir to have access to the
ax25 port, without security risks.
I don't know how to do it with a udev rule, as I've only hacked rules
for hardware, and the hardware involved is different for each user.

Liz
VK2XSE


Re: [Xastir] Trap for Young and Old

2014-06-23 Thread David A Aitcheson

On 06/23/2014 06:36 AM, Liz wrote:
> On Wed, 18 Jun 2014 21:31:29 -0700 (PDT)
> "Curt, WE7U"  wrote:
>
>> On Wed, 18 Jun 2014, Jason KG4WSV wrote:
>>
>>> On Wed, Jun 18, 2014 at 2:00 PM, Curt, WE7U 
>>> wrote:
>>>> Xastir does this, but would you want to trust security of your
>>>> system to a bunch of hobbyists?  ;-)
>>> 'cause that's not something linux users are familiar with. :|
>> I think we might have more of a lack of security-trained Linux people
>> on our development team...
>>
>>
>>>> Technically it isn't a problem:  The AX.25 networking port is
>>>> implemented similarly to ethernet ports in terms of permissions.
>>>>
>>>> For Xastir to be able to access the port, it needs root privileges.
>>> So you can't just chmod 666 /dev/ax25 (or whatever) so that xastir
>>> can access it running as joe user?
>> I would think that would work as well, so one would need to tweak the
>> udev scripts perhaps.  I'm no expert on that, having only hacked on
>> them a few times myself for other reasons.  This would be a bit more
>> difficult for a newbie to figure out and hack on any given system.
>> There may be details that change from OS to OS and from version to
>> version.  Worth a shot though as an alternate method.
>>
> Got caught with the same problem this Sunday.
> For Debian packaging it would be possible to insert a question into the
> post-install script to ask if you want xastir set with permissions 4755
> - or whatever other solution is determined as best for the problem.
>
> I'm not sure how the calife or chiark-really alternates to sudo would
> be better than the current system.
>
> Liz
> VK2XSE

It depends how one sets the options in the config files; you can set
certain programs to automatically be "sudo'd" without additional
entering of a password. Me, I just let them run and make me a semi-root
user; that way I don't have to risk typing in a password when
"nefarious" eyes are about.

Dave
KB3EFS

-- 
David A Aitcheson david.aitche...@gmail.com Go Green! Print this email
only when necessary.


Re: [Xastir] Trap for Young and Old

2014-06-23 Thread Liz
On Wed, 18 Jun 2014 21:31:29 -0700 (PDT)
"Curt, WE7U"  wrote:

> On Wed, 18 Jun 2014, Jason KG4WSV wrote:
> 
> > On Wed, Jun 18, 2014 at 2:00 PM, Curt, WE7U 
> > wrote:
> >> Xastir does this, but would you want to trust security of your
> >> system to a bunch of hobbyists?  ;-)
> >
> > 'cause that's not something linux users are familiar with. :|
> 
> I think we might have more of a lack of security-trained Linux people
> on our development team...
> 
> 
> >> Technically it isn't a problem:  The AX.25 networking port is
> >> implemented similarly to ethernet ports in terms of permissions.
> >>
> >> For Xastir to be able to access the port, it needs root privileges.
> >
> > So you can't just chmod 666 /dev/ax25 (or whatever) so that xastir
> > can access it running as joe user?
> 
> I would think that would work as well, so one would need to tweak the
> udev scripts perhaps.  I'm no expert on that, having only hacked on
> them a few times myself for other reasons.  This would be a bit more
> difficult for a newbie to figure out and hack on any given system.
> There may be details that change from OS to OS and from version to
> version.  Worth a shot though as an alternate method.
> 

Got caught with the same problem this Sunday.
For Debian packaging it would be possible to insert a question into the
post-install script to ask if you want xastir set with permissions 4755
- or whatever other solution is determined as best for the problem.

I'm not sure how the calife or chiark-really alternates to sudo would
be better than the current system.

Liz
VK2XSE


Re: [Xastir] Trap for Young and Old

2014-06-18 Thread Curt, WE7U

On Wed, 18 Jun 2014, Jason KG4WSV wrote:

> On Wed, Jun 18, 2014 at 2:00 PM, Curt, WE7U  wrote:
>
> > Xastir does this, but would you want to trust security of your system to a
> > bunch of hobbyists?  ;-)
>
> 'cause that's not something linux users are familiar with. :|

I think we might have more of a lack of security-trained Linux people on our
development team...

> > Technically it isn't a problem:  The AX.25 networking port is implemented
> > similarly to ethernet ports in terms of permissions.
> >
> > For Xastir to be able to access the port, it needs root privileges.
>
> So you can't just chmod 666 /dev/ax25 (or whatever) so that xastir can
> access it running as joe user?

I would think that would work as well, so one would need to tweak the udev
scripts perhaps.  I'm no expert on that, having only hacked on them a few times
myself for other reasons.  This would be a bit more difficult for a newbie to
figure out and hack on any given system.  There may be details that change from
OS to OS and from version to version.  Worth a shot though as an alternate
method.

--
Curt, WE7U.  http://wetnet.net/~we7u
APRS Client Capabilities:  http://wetnet.net/~we7u/aprs_capabilities.html


Re: [Xastir] Trap for Young and Old

2014-06-18 Thread Jason KG4WSV
On Wed, Jun 18, 2014 at 2:00 PM, Curt, WE7U  wrote:
> Xastir does this, but would you want to trust security of your system to a
> bunch of hobbyists?  ;-)

'cause that's not something linux users are familiar with. :|

> We do what we can, but I wouldn't say Xastir has been thoroughly gone
> through from a security standpoint.  It's better than a lot of programs, as
> we took care when writing/modifying that portion of code, but there are no
> guarantees.

Yeah, and there's another level of problems/challenges running SUID
root (or SUID anything for that matter), and it really shouldn't be
the xastir team's problem to give it that sort of scrutiny - it's
complicated enough without dealing with changing EUIDs as you go
along.

> Technically it isn't a problem:  The AX.25 networking port is implemented
> similarly to ethernet ports in terms of permissions.
>
> For Xastir to be able to access the port, it needs root privileges.

So you can't just chmod 666 /dev/ax25 (or whatever) so that xastir can
access it running as joe user?


-Jason
kg4wsv


Re: [Xastir] Trap for Young and Old

2014-06-18 Thread Curt, WE7U

On Wed, 18 Jun 2014, Jason KG4WSV wrote:

>> chmod 4755 /usr/local/bin/xastir
>
> This is not a good idea - from a security standpoint it's very bad, and unless
> xastir is designed to drop/escalate the euid as needed you will end up with
> files in the users directory that are owned by root, leading to other problems.

Xastir does this, but would you want to trust security of your system to a
bunch of hobbyists?  ;-)

We do what we can, but I wouldn't say Xastir has been thoroughly gone through
from a security standpoint.  It's better than a lot of programs, as we took
care when writing/modifying that portion of code, but there are no guarantees.

> The problem isn't xastir, it's ax25 networking. Maybe someone can offer a fix
> (e.g. udev rule) to solve the actual problem?

Technically it isn't a problem:  The AX.25 networking port is implemented
similarly to ethernet ports in terms of permissions.

For Xastir to be able to access the port, it needs root privileges.  Since it is
a bad idea to run Xastir as root, you run it as a normal user but do the
"chmod 4755" thing against the executable.  Hopefully those people who run that
command have some idea of the implications to security.  Because of this it
was decided NOT to put it into the script.  Those that need it can run the
command separately, and hopefully read up on what it means prior.

--
Curt, WE7U.  http://wetnet.net/~we7u
APRS Client Capabilities:  http://wetnet.net/~we7u/aprs_capabilities.html


Re: [Xastir] Trap for Young and Old

2014-06-18 Thread David A Aitcheson

On 06/18/2014 07:41 AM, Jason KG4WSV wrote:
>> On Jun 17, 2014, at 7:41 PM, David A Aitcheson  
>> wrote:
>>
>> chmod 4755 /usr/local/bin/xastir
> This is not a good idea - from a security standpoint it's very bad, and 
> unless xastir is designed to drop/escalate the euid as needed you will end up 
> with files in the users directory that are owned by root, leading to other 
> problems.
>
> The problem isn't xastir, it's ax25 networking. Maybe someone can offer a fix 
> (e.g. udev rule) to solve the actual problem?
>
> -Jason
> kg4wsv
>

Try adding "calife" and or "chiark-really" to your system, they fixed a
bunch of irritations for me.

Dave KB3EFS

-- 
David A Aitcheson david.aitche...@gmail.com Go Green! Print this email
only when necessary.


Re: [Xastir] Trap for Young and Old

2014-06-18 Thread Jason KG4WSV

> On Jun 17, 2014, at 7:41 PM, David A Aitcheson  
> wrote:
> 
> chmod 4755 /usr/local/bin/xastir

This is not a good idea - from a security standpoint it's very bad, and unless 
xastir is designed to drop/escalate the euid as needed you will end up with 
files in the users directory that are owned by root, leading to other problems.

The problem isn't xastir, it's ax25 networking. Maybe someone can offer a fix 
(e.g. udev rule) to solve the actual problem?

-Jason
kg4wsv

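The "drop/escalate the euid" point Jason makes above, and Curt's explanation earlier in the thread that the AX.25 port needs root so the binary gets chmod 4755, are both about the same thing: what a setuid-root program must do with the privilege it starts with. The following is an added example written for this page; it is not Xastir's code and says nothing about how Xastir itself handles this. It assumes that the "socket: Operation not permitted" error in the thread is the kernel refusing an AF_AX25 raw socket to a caller without CAP_NET_RAW (the socket arguments are this example's guess, not taken from Xastir), and the function names are hypothetical. The pattern: do the one privileged operation first, then give root away for good and verify that it is gone, so that nothing created afterwards under the user's home directory is owned by root.

```c
/* Added example, not Xastir's own code: the privilege pattern a setuid-root
 * (chmod 4755) program needs so that root is used for exactly one thing,
 * opening the AX.25 socket, and is then gone for good before the program
 * touches anything under the user's home directory.
 *
 * Assumption: the "socket: Operation not permitted" error in the thread is
 * the kernel refusing an AF_AX25 SOCK_RAW socket to a caller without
 * CAP_NET_RAW; the socket arguments here are this example's, not Xastir's.
 * Build: cc -o drop_demo drop_demo.c
 */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef AF_AX25
#define AF_AX25 3   /* Linux value, so the file still compiles elsewhere */
#endif

/* Step 1: the only privileged operation. Must run while geteuid() == 0,
 * i.e. before drop_privileges(). Returns the fd, or -1 with errno set
 * (EPERM when the binary is not setuid root: the thread's symptom). */
int open_ax25_raw(void)
{
    return socket(AF_AX25, SOCK_RAW, 0);
}

/* Step 2: give root away permanently. Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups and gid first, because after the uid
 * drop they can no longer be changed. Called with euid 0, setgid()/setuid()
 * set the real, effective AND saved ids, so there is no way back. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) == -1)
        return -1;               /* only root may clear the group list */
    if (setgid(rgid) == -1)
        return -1;
    if (setuid(ruid) == -1)
        return -1;

    /* Verify the drop instead of trusting it: an ordinary caller must now be
     * unable to get root back, and all ids must equal the real ones. */
    if (ruid != 0 && setuid(0) != -1)
        return -1;
    if (getuid() != ruid || geteuid() != ruid ||
        getgid() != rgid || getegid() != rgid)
        return -1;
    return 0;
}

/* Step 3 check: a file created after the drop must belong to the invoking
 * user, which is exactly what goes wrong in a setuid program that skips
 * step 2 (root-owned files in the user's directory). Returns 1 if the
 * owner is the caller. The scratch file is constructed for the demo. */
int new_file_owned_by_caller(void)
{
    char path[] = "/tmp/ax25-drop-demo.XXXXXX";
    struct stat st;
    int fd = mkstemp(path);
    int ok;

    if (fd == -1)
        return 0;
    ok = fstat(fd, &st) == 0 && st.st_uid == getuid() && geteuid() == getuid();
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    int fd = open_ax25_raw();            /* while still euid 0 if 4755 */
    if (fd == -1)
        perror("socket");                /* prints the thread's EPERM message */

    if (drop_privileges() == -1) {
        perror("drop_privileges");
        return 1;                        /* never carry on half-privileged */
    }
    printf("uid %u/%u, new files owned by caller: %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           new_file_owned_by_caller() ? "yes" : "no");
    if (fd != -1)
        close(fd);
    return 0;
}
```

Run as an ordinary user without the setuid bit, the first line printed is the same "socket: Operation not permitted" that started this thread, and the drop is a no-op that still verifies cleanly. If that socket really is the only thing needing root, a narrower grant than 4755 is the cap_net_raw file capability (setcap cap_net_raw+ep on the binary), after which the program should also clear its capability set once the socket is open; the thread does not discuss that, so treat it as this editor's suggestion rather than a tested Xastir configuration.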


Re: [Xastir] Trap for Young and Old

2014-06-17 Thread David

Hi David.. it is a problem that rears its head if you use an AX25 TNC port,
but it could impact other things at times.

I will do some testing of the update-xastir script with the line added
and see if it works with each update.

Thanks for the info David

73 David VK4BDJ





On 18/06/14 12:45, David A Aitcheson wrote:

> Actually that line is in the file just commented out and replaced with
> "chmod 755 /usr/local/bin/xastir"
>
> Thus for Dave VK4BDJ's benefit a simple edit of the update-xastir script
> would fix the problem as long as update-xastir does not get changed with
> each update.
>
> Which would be the equal of a dog chasing its own tail endlessly.
>
> 73 Dave KB3EFS
>
> On 06/17/2014 08:41 PM, David A Aitcheson wrote:
>
>> Curt/Tom,
>>
>> This occurrence leads me to wonder if we should consider adding "chmod
>> 4755 /usr/local/bin/xastir" as the last line (or near to the last line)
>> to the script ./update-xastir for the next release?
>>
>> 73
>> Dave
>> KB3EFS
>>
>>
>> On 06/17/2014 05:58 PM, David wrote:
>>
>>> Hi All..A couple of days ago I used ./update-xastir on my Linux
>>> Mint 17
>>> box. Update was OK but I found I couldn't access my AX25 TNC port;
>>> "socket: Operation not permitted" message came up in the terminal that I
>>> started
>>> it in..went round and round trying to find the answer..not too
>>> much white hair to pull out
>>>
>>> I had a thought about the chmod of xastir that was in the HowTo:AX25
>>> from the Xastir web site...
>>> went and did the "chmod 4755 /usr/local/bin/xastir"
>>> and bingo I was back in business
>>>
>>> obviously when I did the update it replaced the xastir bin file so
>>> needed the chmod again..
>>>
>>> them's the breaks .I've added this one in my notebook so I won't get
>>> caught again
>>>
>>> 73 David VK4BDJ





Re: [Xastir] Trap for Young and Old

2014-06-17 Thread David A Aitcheson
Actually that line is in the file just commented out and replaced with
"chmod 755 /usr/local/bin/xastir"

Thus for Dave VK4BDJ's benefit a simple edit of the update-xastir script
would fix the problem as long as update-xastir does not get changed with
each update.

Which would be the equal of a dog chasing its own tail endlessly.

73 Dave KB3EFS

On 06/17/2014 08:41 PM, David A Aitcheson wrote:
> Curt/Tom,
>
> This occurrence leads me to wonder if we should consider adding "chmod
> 4755 /usr/local/bin/xastir" as the last line (or near to the last line)
> to the script ./update-xastir for the next release?
>
> 73
> Dave
> KB3EFS
>
>
> On 06/17/2014 05:58 PM, David wrote:
>> Hi All..A couple of days ago I used ./update-xastir on my Linux
>> Mint 17
>> box. Update was OK but I found I couldn't access my AX25 TNC port;
>> "socket: Operation not permitted" message came up in the terminal that I
>> started
>> it in..went round and round trying to find the answer..not too
>> much white hair to pull out
>>
>> I had a thought about the chmod of xastir that was in the HowTo:AX25
>> from the Xastir web site...
>> went and did the "chmod 4755 /usr/local/bin/xastir"
>> and bingo I was back in business
>>
>> obviously when I did the update it replaced the xastir bin file so
>> needed the chmod again..
>>
>> them's the breaks .I've added this one in my notebook so I won't get
>> caught again
>>
>> 73 David VK4BDJ

-- 
David A Aitcheson david.aitche...@gmail.com Go Green! Print this email
only when necessary.


Re: [Xastir] Trap for Young and Old

2014-06-17 Thread David A Aitcheson
Curt/Tom,

This occurrence leads me to wonder if we should consider adding "chmod
4755 /usr/local/bin/xastir" as the last line (or near to the last line)
to the script ./update-xastir for the next release?

73
Dave
KB3EFS


On 06/17/2014 05:58 PM, David wrote:
> Hi All..A couple of days ago I used ./update-xastir on my Linux
> Mint 17
> box. Update was OK but I found I couldn't access my AX25 TNC port;
> "socket: Operation not permitted" message came up in the terminal that I
> started
> it in..went round and round trying to find the answer..not too
> much white hair to pull out
>
> I had a thought about the chmod of xastir that was in the HowTo:AX25
> from the Xastir web site...
> went and did the "chmod 4755 /usr/local/bin/xastir"
> and bingo I was back in business
>
> obviously when I did the update it replaced the xastir bin file so
> needed the chmod again..
>
> them's the breaks .I've added this one in my notebook so I won't get
> caught again
>
> 73 David VK4BDJ

-- 
David A Aitcheson david.aitche...@gmail.com Go Green! Print this email
only when necessary.