running speech-dispatcher as non-root using setuid on XO and accompanying security issues

James Cameron quozl at laptop.org
Thu Jul 17 07:15:01 EDT 2008


On Thu, Jul 17, 2008 at 04:04:05PM +0530, Hemant Goyal wrote:
> However, I would like to ask whether using setuid is advisable in the
> OLPC laptop from a security point of view?

It is like putting a hole through a city wall into a house which is
built against the wall, and then telling the city guards to stand
outside the house as well as the city gate.

Practical, very handy, but extends the safety barrier to include the
setuid program code.

It means the city guards need to trust the owner of the house.  Because
the house is a new attack vector.  The walls of the house might be
thinner than the city walls.

It means the code that is running setuid has to be trusted.  Because
this new code is a new attack vector ... if it can be asked to open or
write files, then it can attack a filesystem.

I cannot comment on the relative importance of the OLPC security model
and the speech-dispatcher needs.  I imagine that would depend on a
deployment.  But I worry about hundreds of thousands of systems that
might be infected via this setuid program, if it turns out to contain a
flaw.

I recall earlier discussion about it or something else.  Is there a way to
rewrite it to not require root?  Almost every other activity does not
require root, or obtains it through a carefully controlled mechanism via
the kernel.

Can you tell me what syscall fails if it is not root?  strace may be
helpful.

-- 
James Cameron    mailto:quozl at us.netrek.org     http://quozl.netrek.org/
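As an added example (not part of the original thread), a small shell helper that does the check the message asks for: run the daemon under `strace -f -o`, then list only the syscalls that failed with EPERM or EACCES, so the one privileged operation can be identified and handled by a narrower mechanism instead of making the whole program setuid. The strace log below is constructed for the example and is not real speech-dispatcher output; the `setuid_status` helper assumes an `ls -l` style permission string.

```shell
#!/bin/sh
# Record the unprivileged run first, e.g.:
#   strace -f -o trace.log speech-dispatcher
# then: perm_failures trace.log

# Constructed sample of "strace -f -o" output (pid prefix, then the call).
SAMPLE_LOG='1234 open("/etc/speechd.conf", O_RDONLY) = 3
1234 open("/dev/dsp", O_RDWR) = -1 EACCES (Permission denied)
1234 setpriority(PRIO_PROCESS, 0, -10) = -1 EPERM (Operation not permitted)
1234 open("/var/log/speechd.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
1234 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
1234 write(1, "ok\n", 3) = 3'

# perm_failures [LOGFILE]: print "syscall errno path" for every call that
# failed for lack of privilege. Reads stdin when no file is given.
perm_failures() {
    awk '
    /= -1 (EPERM|EACCES)/ {
        line = $0
        sub(/^[0-9]+ +/, "", line)            # drop the pid prefix added by -f
        name = line; sub(/\(.*/, "", name)    # syscall name is everything before "("
        err = line; sub(/.*= -1 /, "", err); sub(/ .*/, "", err)
        path = ""                             # first quoted argument, if any
        if (match(line, /\("[^"]*"/)) path = substr(line, RSTART + 2, RLENGTH - 3)
        print name, err, path
    }' "$@"
}

# count_perm_failures [LOGFILE]: number of privilege failures in the log.
count_perm_failures() {
    perm_failures "$@" | grep -c ''
}

# setuid_status FILE: "setuid" if the setuid bit is set, else "plain".
# The 4th character of the ls -l mode string is s/S when setuid is on.
setuid_status() {
    case "$(ls -ld "$1" | cut -c4)" in
        s|S) echo setuid ;;
        *)   echo plain ;;
    esac
}

printf '%s\n' "$SAMPLE_LOG" | perm_failures
```

Each reported line names one operation that would otherwise justify root; a short list like this is what a review of the setuid request should start from.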


