changes in esound CVS (security and multiple recording)
- From: Stanislav Brabec <utx penguin cz>
- To: gnome-hackers gnome org
- Subject: changes in esound CVS (security and multiple recording)
- Date: Wed, 29 Nov 2000 22:22:52 +0100
A new release of esound is planned early.
Some changes were made in the CVS code since the last version:
- Esound now supports multiple recording clients.
- Esound security improved.
Please check the latest CVS version before its release.
Testers are welcome.
I plan to add AM_ESD_SUPPORTS_MULTIPLE_RECORD version check to esd.m4
before release.
There are security problems in old esound. 1, 2 and 3 should be fixed
just now; 4 still remains.
1) Race condition exploit, any user:
for(;;){rmdir("/tmp/.esd");symlink("/etc/passwd","/tmp/.esd");}
I have not actually tested it, but I expect non-zero probability of success.
2) Standard condition exploit, non-root user only:
Suppose there is a file /path/xxx with permissions r--------, owned by the esd launcher.
ln -s /path/xxx /tmp/.esd
Now wait until the user starts esound. Wow, now /path/xxx is rwxrwxrwx!!!
3) rm -r /tmp/.esd/* can be done by any user. If I do mkdir /tmp/.esd ;
chmod o+wx /tmp/.esd before anybody starts esd, esd doesn't check
permissions of socket. Possible exploits are only "access to foreign
sound".
4) Dedicating a shell account on a machine with esd and a microphone also means
dedicating a "room listening account".
Example: Suppose dedicated account "generic"
su -c esd
su generic -c esdrec sounds_in_room
(looking through strace, data are really read via esd)
-- 
Stanislav Brabec
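
The directory check that problems 1 to 3 call for, as an added example that is not part of the original message and not esound's own code. The helper name open_private_dir and the scratch paths are assumptions; the page does not show how esound itself fixed these.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (name is an assumption): returns an fd on a directory
 * that is safe to hold the daemon's socket, or -1 if the path is unsafe. */
int open_private_dir(const char *path)
{
    struct stat st;
    int fd;

    /* Create it private from the start; an existing entry is verified below. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW refuses a planted symlink (problems 1 and 2). */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() inspects the object actually opened, so a later swap of the
     * name cannot change the answer. Reject foreign or writable dirs (3). */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    char base[] = "/tmp/esd_example_XXXXXX"; /* constructed scratch area */
    char path[64];
    int fd;

    if (mkdtemp(base) == NULL)
        return 1;
    snprintf(path, sizeof path, "%s/link", base);
    if (symlink(base, path) != 0)             /* stand-in for a planted link */
        return 1;
    fd = open_private_dir(path);
    printf("symlink in place of directory: %s\n", fd < 0 ? "refused" : "accepted");
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Any later permission change belongs on the returned descriptor (fchmod) rather than on the path, since a chmod by name follows the symlink that problem 2 relies on.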