World writable speakup files in Linux next

Kirk Reiser kirk at braille.uwo.ca
Mon Dec 13 08:36:58 EST 2010 

On Mon, 13 Dec 2010, Samuel Thibault wrote:

> That depends what you consider as security risks. No buffer overrun is
> enough for not compromising the kernel. Being able to change the way the
> speech synthesizer (that the owner of the machine uses to be able to
> control it) simply by being logged as a mere user on the machine, that
> might be considered as a security risk.  Think of it as being able to
> change the text font of the VGA console, you don't really want to allow
> users to be able to do that.  You also have potential Denial of Service
> by setting the volume to zero, setting the speed at maximum, etc. etc.
>
> Samuel

Hi Samuel: You could consider it a security risk in a highly unlikely
situation although I would rate it as more of an iritation than a
security risk.  As you point out if the owner/admin at the console is
being teased/bother/whatever by someone logged into the machine then
they can easily just remove the offending user.  One needs to sit back
from the hypothetical situation and think about it logically.  I am a
person in exactly the hypothetical situation you are trying to
suggest.  I am the administrator of a computer lab of many machines of
various opperating systems.  Many students and colleagues have access
to these systems on a daily basis.  I have never seen anything even
close to the type of condition we are hypothetically discussing.  I
work for a very large university.  My question of curiosity is simply
to determine why this is a possible concern in a very unlikely event.

If something is a security risk then we need to determine what it is
and how to fix the problem rather than having security through
obscurity.  BTW, I aggree with Chris that the best solution from my
perspective is to set-up a speakup group and use group writable bits.
I really don't think that is any less of a security risk however.

--
Kirk Reiser				The Computer Braille Facility
e-mail: kirk at braille.uwo.ca		University of Western Ontario
phone: (519) 661-3061

More information about the Speakup mailing list