[PD] setuid WAS Re: Pd-0.39.2-extended-rc4 released on ubuntu
mpuckett at imusic1.ucsd.edu
Sat Jul 14 19:49:06 CEST 2007
In general, I've held off fixing bugs in 0.39 for fear of introducing
new problems, especially since you've been working for so long to get
Pd extended out. But this one is special since it's a security leak,
so I'm inclined to fix it. If past experience is any guide, I'll make
a mistake in a CVS commit and wreak havoc that will take days to clear
up. Well, maybe not, who knows.
I'm hoping it will prove easy enough to plug 0.40 into the extended
release mechanism that for non-security bug fixes, it will suffice for
me to fix them in 0.40 and wait for the march of time to propagate the
fix. For instance, once I find the open-GOP-close-patch bug, I can
fix that both in 0.40 and "latest" but leave 0.39 alone.
Unless there's reason not to, I'll take the single offending 'e' character
out of 0.39, "tag" it 0.39-3, and commit... ?
On Sat, Jul 14, 2007 at 12:33:25PM -0400, Hans-Christoph Steiner wrote:
> On Jul 13, 2007, at 3:36 PM, Mathieu Bouchard wrote:
> > On Thu, 12 Jul 2007, Hans-Christoph Steiner wrote:
> >> This is only possible if you are running Pd as root, which is
> >> general is not a good idea. If Pd is running as a different user,
> >> then you wouldn't be able to gain root access.
> > We are *only* talking about setuid (chmod +s) and not starting pd
> > from a root login.
> > If pd is running as user "eighthave" but with setuid "root", pd is
> > dropping priviledges to be effectively just "eighthave", but does
> > it the wrong way, causing it to be able to regain effective "root"
> > later.
> > I reported this bug last november:
> > http://lists.puredata.info/pipermail/pd-dev/2006-11/007910.html
> > I have fixed that bug in devel_0_39 on 2006.11.23.
> Sorry, I didn't see the part that it was just related to setuid.
> It would be very nice to have this bug fix as a patch in the tracker
> so that it can be included in pd-vanilla and pd-extended.
> > _ _ __ ___ _____ ________ _____________ _____________________ ...
> > | Mathieu Bouchard - t?l:+1.514.383.3801, Montr?al QC Canada
> Access to computers should be unlimited and total. - the hacker ethic
> PD-list at iem.at mailing list
> UNSUBSCRIBE and account-management -> http://lists.puredata.info/listinfo/pd-list
More information about the Pd-list