
List:       kde-core-devel
Subject:    Re: About realtime rights
From:       Stefan Westerfeld <stefan@space.twc.de>
Date:       2000-07-10 11:50:16

   Hi!

On Mon, Jul 10, 2000 at 08:05:46AM +0200, Matthias Hoelzer-Kluepfel wrote:
> On Fri, 7 Jul 2000, Stefan Westerfeld wrote:
> 
> > more easily accessible in the future. It enables people to do medium to low
> > latency tasks (such as gaming for instance) without dropouts. I'd like to get
> > some feedback for this. Ultimately, I think having a suid-root install as
> > default would be the best for most users. 
> > 
> > Currently, artswrapper does not install suid root as default, so most users
> > will probably never know how to use this check box.
> > 
> > RISKS:
> > ======
> > 
> > Besides the usual security risks that arise with suid-root programming, the
> > following special risks exist, due to realtime rights:
> > 
> > (1)  a realtime process can freeze the system, by going into an infinite loop
> > (2)  it can steal other people's CPU time as the timesharing is circumvented
> > (3)  while bringing down a system with while(1) fork(); is usually possible,
> >      doing an equivalent with all these processes having realtime rights is
> >      much more efficient
> 
> I think you forgot the biggest risk: security. suid
> applications are evil. period. And a server being started suid
> root is _very_ evil. I don't even want to think about a suid
> server having real-time priority and accepting network
> connections. Scary.

The server will not have the root rights. The code in artswrapper acquires
realtime scheduling, drops the realtime rights, and then calls artsd. So
the only code you have to audit is the few lines of C code in artswrapper;
the daemon itself will run as user (and it's good it does ;).

> One thing I wondered about for some time: is it really
> necessary to run the server for the user? Couldn't there be
> just one server running as root, and the user gets an
> authentication token when he logs in, just like the X-server
> does it? That way, it would not have to be suid root, and it
> would not have to be started when the user logs in? Does artsd
> already support this?

No, and it probably never will. You seriously don't want a server with
dynamically loaded components running as root all the time. For instance, if you
have a component which captures the current audio stream and saves it to a
file, a user could use this component and save the result to "/etc/passwd"
or whatever. You don't want to audit all of arts plus any (maybe
third-party) components for these issues.

   Cu... Stefan
-- 
  -* Stefan Westerfeld, stefan@space.twc.de (PGP!), Hamburg/Germany
     KDE Developer, project infos at http://space.twc.de/~stefan/kde *-         
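The wrapper design Stefan describes above (take realtime scheduling while still root, give root away, then exec the daemon as the user), written out as an added C example. This is not artswrapper's code and not from the thread; it assumes a fixed SCHED_FIFO priority of 50, a Linux RLIMIT_RTTIME cap of two seconds as an added mitigation for risk (1) in the quoted list, a fallback uid/gid of 65534 when even the invoking user is root, and the usual `chown root; chmod 4755` install. The order of the credential drop (supplementary groups, then gid, then uid, each with its saved copy) and the `root_is_gone()` check afterwards are the parts an auditor of such a wrapper looks at first:

```c
/* rtwrap.c: minimal suid-root launcher in the style described above
 * (assumed design, not artswrapper's code). Build: cc -Wall -o rtwrap rtwrap.c
 * Assumed install: chown root:root rtwrap && chmod 4755 rtwrap
 * Run: ./rtwrap /path/to/daemon [args...] */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

#define RT_PRIO 50                           /* assumed fixed FIFO priority */
#define RT_CPU_BUDGET_US (2 * 1000 * 1000)   /* assumed: SIGKILL after 2 s of
                                                continuous realtime CPU */

/* Request SCHED_FIFO while still root. Returns 0 or -errno (-EPERM when the
 * caller lacks root/CAP_SYS_NICE). The policy survives execve(). */
int acquire_realtime(void)
{
    struct sched_param sp;
    memset(&sp, 0, sizeof sp);
    sp.sched_priority = RT_PRIO;
    return sched_setscheduler(0, SCHED_FIFO, &sp) == 0 ? 0 : -errno;
}

/* Drop every root credential. Supplementary groups first (needs CAP_SETGID,
 * so only while euid == 0), then gid, then uid, each with its saved copy so
 * setuid(0) cannot bring root back. Refuses uid 0: the daemon must never run
 * as root. Returns 0 or -errno. */
int drop_root(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -EINVAL;
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -errno;
    if (setresgid(gid, gid, gid) != 0)
        return -errno;
    if (setresuid(uid, uid, uid) != 0)
        return -errno;
    return 0;
}

/* Post-drop check: no uid/gid slot is 0 and regaining root fails.
 * Returns 1 when root is gone for good, 0 otherwise. */
int root_is_gone(void)
{
    uid_t r, e, s;
    gid_t rg, eg, sg;
    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (r == 0 || e == 0 || s == 0 || rg == 0 || eg == 0 || sg == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;
    return errno == EPERM;
}

/* Added mitigation for the infinite-loop risk: cap continuous realtime CPU so
 * a runaway daemon is killed instead of freezing the machine. The rlimit is
 * inherited across execve(). Returns 0, -errno, or -ENOSYS where absent. */
int cap_realtime_cpu(void)
{
#ifdef RLIMIT_RTTIME
    struct rlimit rl = { RT_CPU_BUDGET_US, RT_CPU_BUDGET_US };
    return setrlimit(RLIMIT_RTTIME, &rl) == 0 ? 0 : -errno;
#else
    return -ENOSYS;
#endif
}

/* Unprivileged identity for the daemon: the real (invoking) user under suid,
 * or the assumed fallback 65534 if even the real uid is root. */
uid_t target_uid(void) { return getuid() != 0 ? getuid() : (uid_t)65534; }
gid_t target_gid(void) { return getgid() != 0 ? getgid() : (gid_t)65534; }

int main(int argc, char **argv)
{
    int rt = acquire_realtime(), rc;
    if (rt != 0)
        fprintf(stderr, "realtime not granted (%s); continuing without it\n",
                strerror(-rt));
    rc = drop_root(target_uid(), target_gid());
    if (rc != 0 || !root_is_gone()) {
        fprintf(stderr, "refusing to exec: root not dropped (%s)\n",
                rc != 0 ? strerror(-rc) : "root still reachable");
        return 1;
    }
    cap_realtime_cpu();   /* best effort; a missing limit is not fatal */
    if (argc < 2) {
        printf("uid=%u realtime=%s; pass a daemon path to exec it\n",
               (unsigned)getuid(), rt == 0 ? "yes" : "no");
        return 0;
    }
    execv(argv[1], argv + 1);   /* daemon inherits SCHED_FIFO, not root */
    perror("execv");
    return 1;
}
```

Two design points worth noting. The wrapper refuses to exec if any credential slot is still 0, rather than hoping the drop worked; a suid wrapper that silently carries on as root is exactly the "suid server" Matthias objects to. And because both the scheduling policy and the rlimit cross execve(), nothing in the daemon needs to be trusted or audited for this to hold, which is the property Stefan relies on.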

