World writable speakup files in Linux next

acollins at icsmail.net acollins at icsmail.net
Mon Dec 13 09:15:05 EST 2010 

Hi all.  It seems to me that what we are discussing is a bit like
telling a normal user that he has to be root in order to view the
screen.  Not quite the same thing, but you get the idea.  Most folks
these days a re using a software synth, which relies on the sound card
in the system.  Most distros put access to the sound card in a special
audio or sound group.  If somebody tweaks the sound card, the softsynth
goes away too.  So I can't see why world rightable files for speakup is
such a big deal.  If there were something rightable that would allow a
malicious user to crash the system, that's a different matter.  If
somebody tweaks the synth volume, all that's necessary is for the
user/owner of the system is to adjust it back from another console where
he or she is logged in.  If something like this is regularly going on,
you as the owner/administrater of the machine would probably take steps
to either eliminate or restrain the malicious user.

I once had a person whom I had given an account on one of my machines,
who started doing things that I considered a security risk.  He was
compiling software, and using my machine to probe the universities
network.  I summarily removed his account.  When he complained that he
no longer had access, I told him that he knew what the rules were when
he got the account.  He chose to abuse his priveleges.

Kirk has had other issues like this, where people have broken in to his
machines and done damage.  He was able to track them down, and after
talking to them, and making sure that they knew that he knew who they
were, gave them to understand that such activities in the rfuture would
be severly dealt with.  To my knowledge the offender has not repeated
his behavior.

Yes, there are people out there who are malicious, and take great
delight in abusing other peoples property.  We can either be paranoid
about it, or take reasonable precautions, and very stern meassores when
problems occure.  My point?  Leave the files world rightable, and let
the system adinistrater tighten up security if he or she feels it
necessary.

Gene

>On Mon, 13 Dec 2010, Samuel Thibault wrote:
>
>> That depends what you consider as security risks. No buffer overrun is
>> enough for not compromising the kernel. Being able to change the way the
>> speech synthesizer (that the owner of the machine uses to be able to
>> control it) simply by being logged as a mere user on the machine, that
>> might be considered as a security risk.  Think of it as being able to
>> change the text font of the VGA console, you don't really want to allow
>> users to be able to do that.  You also have potential Denial of Service
>> by setting the volume to zero, setting the speed at maximum, etc. etc.
>>
>> Samuel
>
>Hi Samuel: You could consider it a security risk in a highly unlikely
>situation although I would rate it as more of an iritation than a
>security risk.  As you point out if the owner/admin at the console is
>being teased/bother/whatever by someone logged into the machine then
>they can easily just remove the offending user.  One needs to sit back
>from the hypothetical situation and think about it logically.  I am a
>person in exactly the hypothetical situation you are trying to
>suggest.  I am the administrator of a computer lab of many machines of
>various opperating systems.  Many students and colleagues have access
>to these systems on a daily basis.  I have never seen anything even
>close to the type of condition we are hypothetically discussing.  I
>work for a very large university.  My question of curiosity is simply
>to determine why this is a possible concern in a very unlikely event.
>
>If something is a security risk then we need to determine what it is
>and how to fix the problem rather than having security through
>obscurity.  BTW, I aggree with Chris that the best solution from my
>perspective is to set-up a speakup group and use group writable bits.
>I really don't think that is any less of a security risk however.
>
>--
>Kirk Reiser				The Computer Braille Facility
>e-mail: kirk at braille.uwo.ca		University of Western Ontario
>phone: (519) 661-3061
>_______________________________________________
>Speakup mailing list
>Speakup at braille.uwo.ca
>http://speech.braille.uwo.ca/mailman/listinfo/speakup

More information about the Speakup mailing list