[vorbis-dev] Ports

Kenneth C. Arnold kcarnold at arnoldnet.net
Sun Dec 31 14:24:08 PST 2000


According to Monty (sometime around Sun, Dec 31, 2000 at 11:56:57AM -0800):
> > DON'T MAKE OGG123 SUID!
> > 
> > Instead create an "audio" group with write permissions on
> > /dev/dsp and add all users who should be able to play audio to
> > this group (and don't forget to logout/login after that).
> 
> This addresses the issue of the audio devices, but is there a similar
> non-root strategy for access to the realtime scheduler (Linux)?

That was one I hadn't thought of ...

libao needs to drop privileges before opening anything that isn't a
device, and make sure that any device is actually a device. Though
ogg123 may never need it (though I think it may eventually), libao is
a library so that other projects can use it. You wouldn't want to be
found responsible for a local-r00t at a big company, would you? The
hacker is only one side of the problem; insecure code is the other.


-- 
Kenneth Arnold <ken at arnoldnet.net> / kcarnold / Linux user #180115
http://arnoldnet.net/~kcarnold/


