World writable speakup files in Linux next
Frost
znvyyvfgf at gmail.com
Mon Dec 13 09:53:06 EST 2010
On Mon, Dec 13, 2010 at 02:06:12PM +0100, Samuel Thibault wrote:
> > >But, the world writable bit can be seen as a big security issue right
> > >now, right? It would be good to get that fixed, or at the very least,
> > >narrowed down a lot right now.
Can't you just monitor for keyboard activity alone, as when
you're in a terminal console, operating the system remotely, you don't
need to issue commands to SpeakUP? Only at the local keyboard?
Maybe it's too complicated because of the kernel or what-not. I
don't know. I just figure that if it's not coming from /dev/Stty#, then
the command should be allowed, or only allowed if the commands are being
issued by a logged in user at the console, unless it's a major security
risk to have the cat accidently pressing a SpeakUp key combo. If you
trust a person on your system enough to give them a user account, then
it stands reasonable that you alsod trust them enough not to F with /sys
and speakupconf without knowing what they're doing
Michael
More information about the Speakup
mailing list