running speech-dispatcher as non-root using setuid on XO and accompanying security issues

Hemant Goyal goyal.hemant at
Thu Jul 17 07:51:57 EDT 2008

Hi James,

> It is like putting a hole through a city wall into a house which is
> built against the wall, and then telling the city guards to stand
> outside the house as well as the city gate.
> Practical, very handy, but extends the safety barrier to include the
> setuid program code.
> It means the city guards need to trust the owner of the house.  Because
> the house is a new attack vector.  The walls of the house might be
> thinner than the city walls.
> It means the code that is running setuid has to be trusted.  Because
> this new code is a new attack vector ... if it can be asked to open or
> write files, then it can attack a filesystem.

Thanks for elaborating the problem in such simple words :). So we can
never tell what just might happen in case some nasty piece of codes
runs through the speech-dispatcher binary... Can't we test and sign
the binaries or something like that? I agree it will add to the burden
of carefully testing speech-dispatcher every time we use an updated
binary however.

> I recall earlier discussion about it or something else.  Is there a way to
> rewrite it to not require root?  Almost every other activity does not
> require root, or obtains it through a carefully controlled mechanism via
> the kernel.

Well sugar-control-panel is what runs as non-root and which would
modify the speech-dispatcher configuration files. Since I got the
setuid idea I have relocated the configuration files of
speech-dispatcher to /home/olpc/.speechd from /etc/speech-dispatcher.

> Can you tell me what syscall fails if it is not root?  strace may be
> helpful.

[hemant at dhcppc0 devel]$ /usr/bin/speech-dispatcher
Can't create pid file in /var/run/, wrong permissions?

Strace Output:

open("/var/run/", O_RDONLY) = 3
fcntl64(3, F_GETLK, {type=F_UNLCK, whence=SEEK_SET, start=1, len=3, pid=1}) = 0
close(3)                                = 0
unlink("/var/run/") = -1 EACCES (Permission denied)
open("/var/run/", O_WRONLY|O_CREAT|O_TRUNC, 0666)
= -1 EACCES (Permission denied)
write(2, "Can\'t create pid file in /var/ru"..., 76Can't create pid
file in /var/run/, wrong permissions?


So I guess it s not able to write a PID file.

Next I tried to relocate where the PID file is written as follows:

[hemant at dhcppc0 devel]$  /usr/bin/speech-dispatcher -P /home/hemant/

Now it gets stuck at other locations. Its not able to open a
connection with ALSA and create a log file in/var/log/speechd.log.
Error: can't open logging file /var/log//speechd.log! Using stdout.
-(I can fix this error since its under my control through the RPM

ALSA lib pcm_dmix.c:831:(snd_pcm_dmix_open) unable to create IPC semaphore
 Thu Jul 17 17:10:26 2008 [648100] ALSA ERROR: Cannot open audio
device default (Permission denied)
 Thu Jul 17 17:10:26 2008 [648175] ALSA ERROR: Cannot initialize Alsa
device 'default': Can't open.

The corresponding strace outputs are :
open("/var/log//speechd.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1
EACCES (Permission denied)
open("/var/log//espeak.log", O_WRONLY|O_CREAT|O_TRUNC, 0600) = -1
EACCES (Permission denied)

Thanks for the prompt reply :)


More information about the Devel mailing list