[PD] Pd-0.39.2-extended-rc4 released on ubuntu

Hans-Christoph Steiner hans at eds.org
Fri Jul 13 04:40:49 CEST 2007 

On Jul 12, 2007, at 6:52 PM, Frank Barknecht wrote:

> Hallo,
> Hans-Christoph Steiner hat gesagt: // Hans-Christoph Steiner wrote:
>
>> On Jul 12, 2007, at 3:18 PM, Mathieu Bouchard wrote:
>>
>>> Last year I demonstrated that it is possible to make a very small
>>> external that gives root access to the whole pd process. This
>>> vulnerability only affects Miller's pd, including pd-0.41-0test04
>>> (which is the absolute latest). I have fixed that problem during
>>> devel_0_39 and carried it into the desiredata branch.
>>>
>>> This problem is largely theoretical so far, as it requires an
>>> external to play with the setuid/seteuid commands. I can't think of
>>> any external that does that, except the small test that I made for
>>> the purpose of verifying my claim.
>>>
>>> I haven't looked much for other possible breaches of root access.
>>
>> This is only possible if you are running Pd as root, which is general
>> is not a good idea.  If Pd is running as a different user, then you
>> wouldn't be able to gain root access.
>
> Matju can comment better, but AFAIR in my tests his external also
> worked with a setuid root Pd started as a normal user. You can check
> this with the code, it's somewhere in the bug tracker.
>
> Anyways, making /usr/bin/pd setuid is not necessary anyway, as I wrote
> in another mail.

"setuid root" means that the process will always run as root, no  
matter who starts it.  So it's the same as running pd as root.

.hc

>
> Ciao
> -- 
>  Frank Barknecht                 _ ______footils.org_ __goto10.org__
>
> _______________________________________________
> PD-list at iem.at mailing list
> UNSUBSCRIBE and account-management -> http://lists.puredata.info/ 
> listinfo/pd-list



------------------------------------------------------------------------ 
----

I have the audacity to believe that peoples everywhere can have three  
meals a day for their bodies, education and culture for their minds,  
and dignity, equality and freedom for their spirits.      - Martin  
Luther King, Jr.

More information about the Pd-list mailing list