artswrapper defanged
Neil Stevens
neil at qualityassistant.com
Fri Jul 12 12:43:19 BST 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Friday July 12, 2002 12:55, Dirk Mueller wrote:
> On Don, 11 Jul 2002, Neil Stevens wrote:
> > > of service vulnerability is fixed.
> >
> > It's not a vulnerability, it's an intentional feature.
>
> But its implementation is flawed. IMHO artswrapper should ONLY execute
> artsd, not an arbitary command like it is now.
>
> As a normal user I can do artswrapper -a somethingthatuses100percentcpu
> and the system is dead, that means there is no chance to change anything
> or kill the process.
Two possibilities:
1. We trust our users
2. We don't trust our users
In the first case, it doesn't matter what the user runs with artswrapper,
because he's a good trustworthy individual. This is the common case of a
single-user home desktop.
In the second case, we won't even trust him to run artsd with artswrapper,
because nothing prevents him from firing up 200 mpeglibartsplays.
So there is really no gain in attempting to getting paranoid here. No sane
multi-untrusted-user system will ever have artswrapper suid, no matter
what restrictions are put on it.
- --
Neil Stevens - neil at qualityassistant.com
"I always cheer up immensely if an attack is particularly wounding
because I think, well, if they attack one personally, it means they
have not a single political argument left." - Margaret Thatcher
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9LsDXf7mnligQOmERAjEXAKCZf+qeRYgOTmXdxX92vsPor2COhACePczZ
AsONaGoiWIBzd16IB5iuVUg=
=SAaW
-----END PGP SIGNATURE-----
More information about the kde-multimedia
mailing list