* [gentoo-dev] New local use flag for arts: artswrappersuid
From: Dan Armak @ 2003-05-16 22:43 UTC
To: gentoo-dev

Hello everyone,

I'm adding a new local use flag for kde-base/arts: artswrappersuid. It sets
artswrapper suid root, which allows artsd (kde's sound server) to run with
realtime priority and avoid skips and clicks, but it's a security hazard, so
it's off by default.

--
Dan Armak
Gentoo Linux developer (KDE)
Matan, Israel
Public GPG key: http://cvs.gentoo.org/~danarmak/danarmak-gpg-public.key

* Re: [gentoo-dev] New local use flag for arts: artswrappersuid
From: Martin Schlemmer @ 2003-05-16 23:18 UTC
To: Dan Armak
Cc: Gentoo-Dev

On Sat, 2003-05-17 at 00:43, Dan Armak wrote:
> Hello everyone,
>
> I'm adding a new local use flag for kde-base/arts: artswrappersuid. It sets
> artswrapper suid root, which allows artsd (kde's sound server) to run with
> realtime priority and avoid skips and clicks, but it's a security hazard, so
> it's off by default.

Dan, isn't this something that the admin should set for himself?
I mean, just adding a USE flag for that, even when local, does sound
a bit excessive ....

Cheers,

--
Martin Schlemmer
Gentoo Linux Developer, Desktop/System Team Developer
Cape Town, South Africa

* Re: [gentoo-dev] New local use flag for arts: artswrappersuid
From: Dan Armak @ 2003-05-17 7:48 UTC
To: gentoo-dev

On Saturday 17 May 2003 02:18, Martin Schlemmer wrote:
> On Sat, 2003-05-17 at 00:43, Dan Armak wrote:
> > Hello everyone,
> >
> > I'm adding a new local use flag for kde-base/arts: artswrappersuid. It
> > sets artswrapper suid root, which allows artsd (kde's sound server) to
> > run with realtime priority and avoid skips and clicks, but it's a
> > security hazard, so it's off by default.
>
> Dan, isn't this something that the admin should set for himself ?
> I mean, just adding a USE flag for that, even when local do sound
> a bit excessive ....

Well, isn't whoever emerges KDE (and thus has root perms) the admin of the
box? So now he can do USE=artswrappersuid instead of running chmod +s
manually.

The important difference is that you can set the use flag once in make.conf
and forget about it. In my experience, after emerging a new kde I usually
forget to do the chmod manually, start the new kde, get a warning about no
realtime permissions, chmod and restart.

--
Dan Armak
Gentoo Linux developer (KDE)
Matan, Israel
Public GPG key: http://cvs.gentoo.org/~danarmak/danarmak-gpg-public.key

* Re: [gentoo-dev] New local use flag for arts: artswrappersuid
From: Grant Goodyear @ 2003-05-17 13:48 UTC
To: Dan Armak
Cc: gentoo-dev

> > > I'm adding a new local use flag for kde-base/arts: artswrappersuid. It
> > > sets artswrapper suid root, which allows artsd (kde's sound server) to
> > > run with realtime priority and avoid skips and clicks, but it's a
> > > security hazard, so it's off by default.

If we're going to go the USE flag route, how about a generic "suid"
flag, then, instead of a local USE flag. I know this issue either
can or does occur for more than one package.

--
Grant Goodyear                     The Secrets of Physics:
Dept. of Chemistry                   1. Add zero.
Clemson University                   2. Multiply by one.
Clemson, SC 29617                    3. Expand in a Taylor series
(864) 656-7702                       4. Integrate by parts.
e-mail: grant@grantgoodyear.org      5. Fourier transform.

--
gentoo-dev@gentoo.org mailing list

* Re: [gentoo-dev] New local use flag for arts: artswrappersuid
From: Martin Schlemmer @ 2003-05-17 16:50 UTC
To: goodyea
Cc: Dan Armak, Gentoo-Dev

On Sat, 2003-05-17 at 15:48, Grant Goodyear wrote:
> > > > I'm adding a new local use flag for kde-base/arts: artswrappersuid. It
> > > > sets artswrapper suid root, which allows artsd (kde's sound server) to
> > > > run with realtime priority and avoid skips and clicks, but it's a
> > > > security hazard, so it's off by default.
>
> If we're going to go the USE flag route, how about a generic "suid"
> flag, then, instead of a local USE flag. I know this issue either
> can or does occur for more than one package.

Does make sense, as adding support for one package will bring requests
for the others we do not suid by default.

--
Martin Schlemmer
Gentoo Linux Developer, Desktop/System Team Developer
Cape Town, South Africa

* Re: [gentoo-dev] New local use flag for arts: artswrappersuid
From: Dan Armak @ 2003-05-17 18:49 UTC
To: gentoo-dev

On Saturday 17 May 2003 19:50, Martin Schlemmer wrote:
> On Sat, 2003-05-17 at 15:48, Grant Goodyear wrote:
> > > > > I'm adding a new local use flag for kde-base/arts: artswrappersuid.
> > > > > It sets artswrapper suid root, which allows artsd (kde's sound
> > > > > server) to run with realtime priority and avoid skips and clicks,
> > > > > but it's a security hazard, so it's off by default.
> >
> > If we're going to go the USE flag route, how about a generic "suid"
> > flag, then, instead of a local USE flag. I know this issue either
> > can or does occur for more than one package.
>
> Does make sense, as adding support for one package will bring request
> for the others we do not suid by default.

Well, security isn't my home turf, so since everyone thinks a global flag is
OK, I won't object :-) (Spider already replied to me privately suggesting the
same thing, but then seemed to change his mind, or maybe I just misunderstood
him. Anyhow, what do other people think, in particular our security people?)

Just that as I said to him, it would have to be on by default and
defined as: "Turn off this flag to enable highly insecure default
configurations for the sake of performance - for fully trusted environments
only". That could even be a global "security" flag, not just "suid". But it's
ok with me either way. Opinions?

--
Dan Armak
Gentoo Linux developer (KDE)
Matan, Israel
Public GPG key: http://cvs.gentoo.org/~danarmak/danarmak-gpg-public.key

* Re: [gentoo-dev] New local use flag for arts: artswrappersuid
From: torbenh @ 2003-05-17 19:47 UTC
To: gentoo-dev

On Sat, May 17, 2003 at 09:49:32PM +0300, Dan Armak wrote:
> Well, security isn't my home turf, so since everyone thinks a global flag is
> OK, I won't object :-) (Spider already replied to me privately suggesting the
> same thing, but then seemed to change his mind, or maybe I just misunderstood
> him. Anyhow, what do other people think, in particular our security people?.)
>
> Just that as I said to him, it would have to be on by default and
> defined as: "Turn off this flag to enable highly insecure default
> configurations for the sake of performance - for fully trusted environments
> only". That could even be a global "security" flag, not just "suid". But it's
> ok with me either way. Opinions?

I don't like the idea of a global suid flag.

An alternative would be to implement this feature with sudo
and have a sudo-update script which creates an autogenerated
script in a path which is scanned prior to /usr/bin...

I am not sure how this script will be unmerged, but it could be
ok if sudo-update added the script to /var/db/pkg/*/*/CONTENTS....

This seems a little safer to me... but much more hassle of course.

--
torben Hohn
http://galan.sourceforge.net -- The graphical Audio language

* Re: [gentoo-dev] New local use flag for arts: artswrappersuid
From: Václav Hůla @ 2003-05-20 9:27 UTC
To: gentoo-dev

On Saturday 17 of May 2003 15:48, Grant Goodyear wrote:
> > > > I'm adding a new local use flag for kde-base/arts: artswrappersuid.
> > > > It sets artswrapper suid root, which allows artsd (kde's sound
> > > > server) to run with realtime priority and avoid skips and clicks, but
> > > > it's a security hazard, so it's off by default.
>
> If we're going to go the USE flag route, how about a generic "suid"
> flag, then, instead of a local USE flag. I know this issue either
> can or does occur for more than one package.

I think that a generic 'suid' flag is a very bad thing (security-wise), as it
can bring suid programs into the system without the admin's knowledge.

Ax

--
Regards
Vaclav Hula
vaclav.hula@capitol.cz
Capitol Internet Publisher, Korunovacni 6, 170 00 Prague 7, Czech Republic
tel.: ++420 2 3337 1113, fax: ++420 2 3337 1112

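
Added example, not part of the thread and not Gentoo or Portage code: a way to check the concern raised in the last message, by listing every setuid file under a root and naming the package whose /var/db/pkg/*/*/CONTENTS file records it. The function names, the /usr/bin/artswrapper path, the arts-0.0.0 version string and the sample tree are constructed for the demo, and the "obj <path> <md5> <mtime>" line format is an assumption about CONTENTS.

```shell
#!/bin/sh
# Added example: report each setuid file under ROOT with the package whose
# Portage CONTENTS file records it, so unexpected suid binaries stand out.
# Assumption: regular files appear in CONTENTS as "obj <path> <md5> <mtime>".
# Paths containing whitespace are not handled.

# suid_owner PKGDB PATH -> prints "category/package-version", or UNOWNED
suid_owner() {
    for contents in "$1"/*/*/CONTENTS; do
        [ -f "$contents" ] || continue
        if awk -v p="$2" '$1 == "obj" && $2 == p { hit = 1 } END { exit !hit }' "$contents"
        then
            pkgdir=${contents%/CONTENTS}
            category=${pkgdir%/*}
            printf '%s/%s\n' "${category##*/}" "${pkgdir##*/}"
            return 0
        fi
    done
    echo UNOWNED
}

# suid_audit ROOT PKGDB -> one "path<TAB>owner" line per setuid file, sorted
suid_audit() {
    root=${1%/}
    find "${root:-/}" -xdev -type f -perm -4000 -print | sort |
    while IFS= read -r file; do
        printf '%s\t%s\n' "${file#"$root"}" "$(suid_owner "$2" "${file#"$root"}")"
    done
}

# Constructed sample tree: one setuid file recorded by kde-base/arts (invented
# version string), one setuid file that no package records, one plain file.
suid_audit_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/root/usr/bin" "$tmp/db/kde-base/arts-0.0.0"
    for name in artswrapper stray plain; do : > "$tmp/root/usr/bin/$name"; done
    chmod 4755 "$tmp/root/usr/bin/artswrapper" "$tmp/root/usr/bin/stray"
    chmod 0755 "$tmp/root/usr/bin/plain"
    printf 'dir /usr/bin\nobj /usr/bin/artswrapper 00000000000000000000000000000000 0\n' \
        > "$tmp/db/kde-base/arts-0.0.0/CONTENTS"
    suid_audit "$tmp/root" "$tmp/db"
    rm -rf "$tmp"
}

suid_audit_demo
```

On a real system, `suid_audit / /var/db/pkg` saved to a file and compared after each emerge shows which package introduced a new setuid binary.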