artswrapper's new braces (Re: artswrapper defanged)
Kevin Puetz
puetzk at iastate.edu
Thu Aug 8 04:28:55 BST 2002
OK, after an IRC discussion between Phalanx, SadEagle and myself, we settled
on the following solution for realtime privs (among ourselves).
artswrapper/artsd maintain the same relationship as before, realtime is
default off but available.
artsd's existing overload detector will be expected to trap 'accidental' hangs
in trusted modules.
arts will drop RT permissions entirely if an untrusted module is loaded,
*before* executing *any* code from this module.
After some further discussion, we settled on the following definition of a
trusted module: anything represented by a .la file owned by root.
It was also proposed that the definition be 'writeable by at most root'
instead of 'owned by root', but as the latter definition is the one applied
to SUID executables, it seems the most consistent with general unix
permissions.
How's this look for a solution? The following patch (off-the-cuff) implements
the proposal, and reverts rikkus's unconditional disabling of realtime
priority.
There is a (very) slight race in the checking of the permissions on the
file... however, since the permission being looked for is ownership by root,
the only user who could make anything of it is root. Since root had the right
to make the module trusted anyway, this gains no elevation of privilege.
The other issue in question is that of a root-owned .la file pointing to
untrusted code. Since an ordinary user cannot create this exploit, and it
should not exist in any default installation (the .la files and shared
objects are created and installed at the same time, by the same user, with
the same permissions) we did not feel this was an issue. The only scenario in
which it could occur is the 'blessing' of a user .la file by root to allow
artsd to run that module with RT, which we view as a deliberate and explicit
act of trust.
One remaining issue is whether or not we should attempt to inform the user
when priority is dropped that this has occurred, and how to do so
(artsmessage? just something on stderr?). Any thoughts on this subject are
welcome.
After I've actually tested this fix to ensure it does what I intended it to,
if feedback is positive, I will commit.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: arts-realtime-fix.patch
Type: text/x-diff
Size: 4187 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20020807/d18b00dc/attachment.patch>
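The trust check and the "drop realtime before any module code runs" gate described in the mail, as an added C example. This is not the attached arts-realtime-fix.patch and not aRts code; the function names (stat_is_trusted, la_file_is_trusted, drop_realtime, gate_module_load) and the enum for the two policies debated on the list ('owned by root' versus 'writeable by at most root') are assumptions made for illustration. It uses only stat(2) and the POSIX scheduler calls, so it runs on Linux without the aRts tree.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The two candidate definitions of "trusted" discussed on the list.
 * OWNED_BY_ROOT is the one the mail settles on (same rule as SUID binaries). */
enum trust_policy { OWNED_BY_ROOT, WRITABLE_BY_AT_MOST_ROOT };

/* Decide trust from file metadata alone. Assumption: a .la file must be a
 * regular file; devices, symlink targets that are not files, etc. are untrusted. */
int stat_is_trusted(const struct stat *st, enum trust_policy policy)
{
    if (!S_ISREG(st->st_mode))
        return 0;
    if (st->st_uid != 0)                 /* not owned by root: untrusted */
        return 0;
    if (policy == WRITABLE_BY_AT_MOST_ROOT &&
        (st->st_mode & (S_IWGRP | S_IWOTH)))
        return 0;                        /* group/other can write: untrusted */
    return 1;
}

/* Helper for exercising the policy without touching the filesystem. */
int trusted_given(uid_t uid, mode_t mode, enum trust_policy policy)
{
    struct stat st;
    memset(&st, 0, sizeof st);
    st.st_uid = uid;
    st.st_mode = mode;
    return stat_is_trusted(&st, policy);
}

/* stat() the .la file the module is represented by. Anything that cannot be
 * stat'ed is untrusted. The stat-then-load window is the "(very) slight race"
 * the mail accepts: only root can change ownership to root, and root could
 * bless the module anyway. */
int la_file_is_trusted(const char *la_path, enum trust_policy policy)
{
    struct stat st;
    if (stat(la_path, &st) != 0)
        return 0;
    return stat_is_trusted(&st, policy);
}

/* Is this process currently under a realtime scheduling class? */
int have_realtime(void)
{
    int pol = sched_getscheduler(0);
    return pol == SCHED_FIFO || pol == SCHED_RR;
}

/* Give up realtime scheduling for good. Returns 0 on success.
 * An unprivileged process cannot get SCHED_FIFO/SCHED_RR back afterwards. */
int drop_realtime(void)
{
    struct sched_param p;
    memset(&p, 0, sizeof p);             /* SCHED_OTHER requires priority 0 */
    return sched_setscheduler(0, SCHED_OTHER, &p);
}

/* Call this *before* dlopen()/initialisation of the module, so no code from
 * an untrusted module ever runs with RT privileges.
 *   1  module trusted, realtime left as it is
 *   0  module untrusted, realtime dropped (or was never held)
 *  -1  module untrusted and the drop failed: the caller must refuse to load */
int gate_module_load(const char *la_path, enum trust_policy policy)
{
    if (la_file_is_trusted(la_path, policy))
        return 1;
    if (have_realtime() && drop_realtime() != 0)
        return -1;
    return 0;
}
```

The caller would run gate_module_load on the module's .la path and only proceed to load the shared object when the result is 0 or 1; a -1 means the process is still realtime and the untrusted code must not be loaded at all. /dev/null is a handy sanity check for the "regular file" clause: it is owned by root yet must not count as a trusted module.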