[PD] setuid WAS Re: Pd-0.39.2-extended-rc4 released on ubuntu

Hans-Christoph Steiner hans at eds.org
Sat Jul 14 21:05:13 CEST 2007


Oh, is this already fixed in more recent versions?  I don't need to
include it in this release.

.hc

On Jul 14, 2007, at 1:49 PM, Miller Puckette wrote:

> Hi Hans,
>
> In general, I've held off fixing bugs in 0.39 for fear of introducing
> new problems, especially since you've been working for so long to get
> Pd extended out.  But this one is special since it's a security leak,
> so I'm inclined to fix it.  If past experience is any guide, I'll make
> a mistake in a CVS commit and wreak havoc that will take days to clear
> up.  Well, maybe not, who knows.
>
> I'm hoping it will prove easy enough to plug 0.40 into the extended
> release mechanism that for non-security bug fixes, it will suffice for
> me to fix them in 0.40 and wait for the march of time to propagate the
> fix.  For instance, once I find the open-GOP-close-patch bug, I can
> fix that both in 0.40 and "latest" but leave 0.39 alone.
>
> Unless there's reason not to, I'll take the single offending 'e' character
> out of 0.39, "tag" it 0.39-3, and commit... ?
>
> cheers
> Miller
>
>
>
> On Sat, Jul 14, 2007 at 12:33:25PM -0400, Hans-Christoph Steiner wrote:
>>
>> On Jul 13, 2007, at 3:36 PM, Mathieu Bouchard wrote:
>>
>>> On Thu, 12 Jul 2007, Hans-Christoph Steiner wrote:
>>>> This is only possible if you are running Pd as root, which in
>>>> general is not a good idea.  If Pd is running as a different user,
>>>> then you wouldn't be able to gain root access.
>>>
>>> We are *only* talking about setuid (chmod +s) and not starting pd
>>> from a root login.
>>>
>>> If pd is running as user "eighthave" but with setuid "root", pd is
>>> dropping privileges to be effectively just "eighthave", but does
>>> it the wrong way, causing it to be able to regain effective "root"
>>> later.
>>>
>>> I reported this bug last November:
>>>
>>> http://lists.puredata.info/pipermail/pd-dev/2006-11/007910.html
>>>
>>> I have fixed that bug in devel_0_39 on 2006.11.23.
>>
>> Sorry, I didn't see the part that it was just related to setuid.
>>
>> It would be very nice to have this bug fix as a patch in the tracker
>> so that it can be included in pd-vanilla and pd-extended.
>>
>> .hc
>>
>>
>>>
>>>  _ _ __ ___ _____ ________ _____________ _____________________ ...
>>> | Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada
>>
>>
>> ----------------------------------------------------------------------------
>>
>> Access to computers should be unlimited and total.  - the hacker ethic
>>



----------------------------------------------------------------------------

                   ¡El pueblo unido jamás será vencido!
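
Added example, not part of the original thread and not Pd's own code: the two ways a setuid-root program can give up root, as discussed above. It assumes the "single offending 'e' character" is the difference between seteuid() and setuid(), which the thread does not spell out; the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Temporary drop, shown for contrast: only the effective UID changes.
 * In a setuid-root binary the saved set-user-ID is still 0, so any later
 * code (or injected code) can call seteuid(0) and be root again. */
int drop_temporarily(void)
{
    return seteuid(getuid());
}

/* Permanent drop: while the effective UID is still root, setuid() sets
 * the real, effective and saved UIDs together. The group goes first,
 * because setgid() needs the privilege that setuid() gives up. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    uid_t old_euid = geteuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;

    /* Verify instead of trusting the return codes: if the old effective
     * UID differed from the real one, taking it back must now fail. */
    if (old_euid != ruid && seteuid(old_euid) == 0) return -1;
    if (geteuid() != ruid || getegid() != rgid) return -1;
    return 0;
}

int main(void)
{
    /* A failed drop is fatal: never continue with unknown privileges. */
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "could not drop privileges, aborting\n");
        return EXIT_FAILURE;
    }
    printf("uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    return EXIT_SUCCESS;
}
```

Run without the setuid bit, both functions succeed and change nothing; the difference only shows when the binary is owned by root and has chmod +s applied.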





