[PD] Pd-0.39.2-extended-rc4 released on ubuntu
Hans-Christoph Steiner
hans at eds.org
Fri Jul 13 04:40:49 CEST 2007
On Jul 12, 2007, at 6:52 PM, Frank Barknecht wrote:
> Hello,
> Hans-Christoph Steiner wrote:
>
>> On Jul 12, 2007, at 3:18 PM, Mathieu Bouchard wrote:
>>
>>> Last year I demonstrated that it is possible to make a very small
>>> external that gives root access to the whole pd process. This
>>> vulnerability only affects Miller's pd, including pd-0.41-0test04
>>> (which is the absolute latest). I have fixed that problem during
>>> devel_0_39 and carried it into the desiredata branch.
>>>
>>> This problem is largely theoretical so far, as it requires an
>>> external to play with the setuid/seteuid commands. I can't think of
>>> any external that does that, except the small test that I made for
>>> the purpose of verifying my claim.
>>>
>>> I haven't looked much for other possible breaches of root access.
>>
>> This is only possible if you are running Pd as root, which in general
>> is not a good idea. If Pd is running as a different user, then you
>> wouldn't be able to gain root access.
>
> Matju can comment better, but AFAIR in my tests his external also
> worked with a setuid root Pd started as a normal user. You can check
> this with the code, it's somewhere in the bug tracker.
>
> Anyways, making /usr/bin/pd setuid is not necessary anyway, as I wrote
> in another mail.
"setuid root" means that the process will always run as root, no
matter who starts it. So it's the same as running pd as root.
.hc
>
> Ciao
> --
> Frank Barknecht _ ______footils.org_ __goto10.org__
>
----------------------------------------------------------------------------
I have the audacity to believe that peoples everywhere can have three
meals a day for their bodies, education and culture for their minds,
and dignity, equality and freedom for their spirits. - Martin
Luther King, Jr.
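
Added example, not part of the original thread and not Pd's or devel_0_39's code: one way a setuid-root program can give up root permanently before it loads any external, and verify that a later seteuid(0) from loaded code fails. It assumes a POSIX system; the function names are hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: returns 1 if a process started by a non-root user
   still holds root or can switch back to it, 0 otherwise. A real UID of 0
   means the user already is root, so there is no escalation to report. */
int can_regain_root(void)
{
    if (getuid() == 0)
        return 0;
    if (geteuid() == 0)
        return 1;                /* still running with root's effective UID */
    if (seteuid(0) == 0) {       /* saved set-user-ID is still 0 */
        seteuid(getuid());       /* undo the probe before reporting */
        return 1;
    }
    return 0;
}

/* Hypothetical helper: drop to the invoking user for good.
   Returns 0 on success, -1 if the drop failed or is reversible. */
int drop_privileges_permanently(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* Group first: once the UID is no longer 0 the GID cannot be changed. */
    if (setgid(gid) != 0)
        return -1;
    /* With effective UID 0, setuid() sets the real, effective and saved UID.
       After an earlier seteuid(uid) it would only set the effective UID and
       leave saved UID 0 behind, which the check below catches. */
    if (setuid(uid) != 0)
        return -1;
    return can_regain_root() ? -1 : 0;
}

int main(void)
{
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "privilege drop failed, refusing to load externals\n");
        return 1;
    }
    /* Only from this point on would externals be loaded. */
    printf("uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    return 0;
}
```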