World writable speakup files in Linux next
Kirk Reiser
kirk at braille.uwo.ca
Mon Dec 13 08:36:58 EST 2010
On Mon, 13 Dec 2010, Samuel Thibault wrote:
> That depends what you consider as security risks. No buffer overrun is
> enough for not compromising the kernel. Being able to change the way the
> speech synthesizer (that the owner of the machine uses to be able to
> control it) simply by being logged as a mere user on the machine, that
> might be considered as a security risk. Think of it as being able to
> change the text font of the VGA console, you don't really want to allow
> users to be able to do that. You also have potential Denial of Service
> by setting the volume to zero, setting the speed at maximum, etc. etc.
>
> Samuel
Hi Samuel: You could consider it a security risk in a highly unlikely
situation although I would rate it as more of an irritation than a
security risk. As you point out if the owner/admin at the console is
being teased/bothered/whatever by someone logged into the machine then
they can easily just remove the offending user. One needs to sit back
from the hypothetical situation and think about it logically. I am a
person in exactly the hypothetical situation you are trying to
suggest. I am the administrator of a computer lab of many machines of
various operating systems. Many students and colleagues have access
to these systems on a daily basis. I have never seen anything even
close to the type of condition we are hypothetically discussing. I
work for a very large university. My question of curiosity is simply
to determine why this is a possible concern in a very unlikely event.
If something is a security risk then we need to determine what it is
and how to fix the problem rather than having security through
obscurity. BTW, I agree with Chris that the best solution from my
perspective is to set up a speakup group and use group writable bits.
I really don't think that is any less of a security risk however.
--
Kirk Reiser The Computer Braille Facility
e-mail: kirk at braille.uwo.ca University of Western Ontario
phone: (519) 661-3061
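
The group-writable arrangement discussed in this message, sketched as an added example that is not part of the original e-mail or of the speakup code. The directory and the group are supplied by the caller and are assumptions here; the thread does not give the path of the speakup files.

```shell
#!/bin/sh
# Added example: audit a directory of control files for world-writable
# entries and move them to "group may write, others may not".
# Usage (hypothetical arguments): restrict_to_group <directory> <group>

# Print every regular file under DIR that any local user may write.
list_world_writable() {
    find "$1" -type f -perm -002 -print
}

# For each world-writable file under DIR: hand it to GROUP, grant group
# write and drop write for "other". The chmod only runs when the chgrp
# succeeded, so a failed group change never leaves a file that the
# intended users can no longer write.
# Prints the number of files that were world-writable before the change
# and returns non-zero if any file is still world-writable afterwards.
restrict_to_group() {
    dir=$1
    group=$2

    before=$(( $(list_world_writable "$dir" | wc -l) ))

    find "$dir" -type f -perm -002 \
        -exec sh -c 'chgrp "$0" "$1" && chmod g+w,o-w "$1"' "$group" {} \;

    echo "$before"

    # Re-audit: an empty listing means nothing is left open to all users.
    [ -z "$(list_world_writable "$dir")" ]
}
```

Running `list_world_writable` on its own gives a read-only audit before any permissions are changed.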