running speech-dispatcher as non-root using setuid on XO and accompanying security issues
Hemant Goyal
goyal.hemant at gmail.com
Thu Jul 17 07:51:57 EDT 2008
Hi James,
> It is like putting a hole through a city wall into a house which is
> built against the wall, and then telling the city guards to stand
> outside the house as well as the city gate.
>
> Practical, very handy, but extends the safety barrier to include the
> setuid program code.
>
> It means the city guards need to trust the owner of the house. Because
> the house is a new attack vector. The walls of the house might be
> thinner than the city walls.
>
> It means the code that is running setuid has to be trusted. Because
> this new code is a new attack vector ... if it can be asked to open or
> write files, then it can attack a filesystem.
>
Thanks for elaborating the problem in such simple words :). So we can
never tell what just might happen in case some nasty piece of code
runs through the speech-dispatcher binary... Can't we test and sign
the binaries or something like that? I agree it will add to the burden
of carefully testing speech-dispatcher every time we use an updated
binary, however.
> I recall earlier discussion about it or something else. Is there a way to
> rewrite it to not require root? Almost every other activity does not
> require root, or obtains it through a carefully controlled mechanism via
> the kernel.
Well, sugar-control-panel is what runs as non-root and which would
modify the speech-dispatcher configuration files. Since I got the
setuid idea I have relocated the configuration files of
speech-dispatcher to /home/olpc/.speechd from /etc/speech-dispatcher.
> Can you tell me what syscall fails if it is not root? strace may be
> helpful.
[hemant at dhcppc0 devel]$ /usr/bin/speech-dispatcher
Can't create pid file in /var/run/speech-dispatcher.pid, wrong permissions?
===================================================================================================================
Strace Output:
open("/var/run/speech-dispatcher.pid", O_RDONLY) = 3
fcntl64(3, F_GETLK, {type=F_UNLCK, whence=SEEK_SET, start=1, len=3, pid=1}) = 0
close(3) = 0
unlink("/var/run/speech-dispatcher.pid") = -1 EACCES (Permission denied)
open("/var/run/speech-dispatcher.pid", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
write(2, "Can\'t create pid file in /var/ru"..., 76Can't create pid
file in /var/run/speech-dispatcher.pid, wrong permissions?
===================================================================================================================
So I guess it's not able to write a PID file.
Next I tried to relocate where the PID file is written, as follows:
[hemant at dhcppc0 devel]$ /usr/bin/speech-dispatcher -P /home/hemant/speechd.pid
Now it gets stuck at other locations. It's not able to open a
connection with ALSA and create a log file in /var/log/speechd.log.
======================================================================================================================
Error: can't open logging file /var/log//speechd.log! Using stdout.
-(I can fix this error since it's under my control through the RPM
package)
ALSA lib pcm_dmix.c:831:(snd_pcm_dmix_open) unable to create IPC semaphore
Thu Jul 17 17:10:26 2008 [648100] ALSA ERROR: Cannot open audio
device default (Permission denied)
Thu Jul 17 17:10:26 2008 [648175] ALSA ERROR: Cannot initialize Alsa
device 'default': Can't open.
======================================================================================================================
The corresponding strace outputs are:
======================================================================================================================
open("/var/log//speechd.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
open("/var/log//espeak.log", O_WRONLY|O_CREAT|O_TRUNC, 0600) = -1 EACCES (Permission denied)
======================================================================================================================
Thanks for the prompt reply :)
Best,
Hemant
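An added example in C, written for this page and not code from speech-dispatcher, the OLPC project or either poster: it turns the strace findings above (the pid file, the two log files, the audio device) into a preflight check that an admin can run as the unprivileged user to see which paths still need relocating, and it shows the privilege-dropping pattern that the setuid discussion earlier in the thread implies, where a setuid binary does its one privileged step and then gives root back permanently. The paths and open flags are the ones from the strace output; the ALSA device node /dev/snd/pcmC0D0p and the function names (probe_open, run_preflight, drop_privileges) are assumptions for the example.

```c
/* Added example (not speech-dispatcher's or OLPC's code): a preflight check for
 * the files a daemon like speech-dispatcher wants to open, plus the pattern for
 * giving setuid privileges back permanently after the one privileged step. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Open `path` with the flags the daemon uses (taken from the strace in the
 * mail), minus O_TRUNC so an existing file is never clobbered by the probe.
 * Returns 0 when the open succeeds, otherwise the errno (EACCES, ENOENT, ...).
 * A file the probe itself created is removed again. */
int probe_open(const char *path, int flags, mode_t mode)
{
    struct stat st;
    int existed = (stat(path, &st) == 0);
    int fd = open(path, flags & ~O_TRUNC, mode);
    if (fd < 0)
        return errno;
    close(fd);
    if (!existed && (flags & O_CREAT))
        unlink(path);                 /* leave no probe file behind */
    return 0;
}

struct probe {
    const char *what;
    const char *path;
    int flags;
    mode_t mode;
};

/* Run every probe, print one line per failure, return the number of failures.
 * A non-zero result means the daemon cannot run unprivileged as configured and
 * the failing path needs relocating (-P for the pid file, the log directory in
 * the config) rather than a setuid bit on the binary. */
int run_preflight(const struct probe *list, size_t n)
{
    int failures = 0;
    for (size_t i = 0; i < n; i++) {
        int err = probe_open(list[i].path, list[i].flags, list[i].mode);
        if (err != 0) {
            failures++;
            printf("%-10s %-32s %s\n", list[i].what, list[i].path, strerror(err));
        }
    }
    return failures;
}

/* If the binary was installed setuid root, do the privileged step first and
 * then call this: supplementary groups, gid and uid are all set to the real
 * (invoking) user's, so a bug in the remaining code has no root to exploit.
 * Returns 0 on success, -1 if privileges could not be dropped or could be
 * regained afterwards. A no-op when the process is not running setuid. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid();
    if (ruid == euid)
        return 0;                                   /* nothing to drop */
    if (euid == 0 && setgroups(0, NULL) != 0)       /* needs root: do it first */
        return -1;
    if (setresgid(rgid, rgid, rgid) != 0 || setresuid(ruid, ruid, ruid) != 0)
        return -1;
    if (ruid != 0 && seteuid(euid) == 0)            /* must not be reversible */
        return -1;
    return 0;
}

int main(void)
{
    /* Paths and open flags as shown in the mail's strace output; the ALSA
     * device node is an assumed default and depends on the hardware. */
    const struct probe needed[] = {
        { "pid file", "/var/run/speech-dispatcher.pid", O_WRONLY|O_CREAT|O_TRUNC,  0666 },
        { "log file", "/var/log/speechd.log",           O_WRONLY|O_CREAT|O_APPEND, 0666 },
        { "log file", "/var/log/espeak.log",            O_WRONLY|O_CREAT|O_TRUNC,  0600 },
        { "audio",    "/dev/snd/pcmC0D0p",              O_RDWR,                    0    },
    };
    int bad = run_preflight(needed, sizeof needed / sizeof needed[0]);
    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges\n");
        return 2;
    }
    printf("%d path(s) not usable as uid %u\n", bad, (unsigned)getuid());
    return bad ? 1 : 0;
}
```

Run as the olpc user (not as root) to get the same EACCES list the strace showed, then rerun after each relocation until it reports zero failures; the ordering inside drop_privileges matters, since setgroups needs root and must come before the gid and uid are changed, and the final seteuid check is what confirms the saved uid was dropped too.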