Re: So much for Skype.
On 05/22/2011 11:22 PM, Dotan Cohen wrote:
> On Mon, May 23, 2011 at 06:29, Ron Johnson <ron.l.johnson@cox.net> wrote:
>> I was thinking of setuid() magic.
>
> Again an OS issue,

Insofar as the OS provides the feature.

> not a Skype issue.

Yet, *if* Skype uses the function it's because Skype's programmers
programmed Skype to use the function.

> I agree that since root must
> install Skype, and since root then owns Skype, the application might
> setuid. But this is an OS feature, not a Skype feature. How is this
> not a concern with any other closed-source application that one must
> install? I could understand derailing the thread into a closed-source
> vs. open-source debate, which while very productive would not address
> the issue at hand.

It's a concern with *all* programs that need to stray from your little
protected zone.

> For that matter, though, I do agree that setuid is a security risk and
> not well mitigated. Maybe the issue needs to be dealt with already:
> how would you suggest changing the kernel behaviour to mitigate the
> risk? A warning or log entry each time an application uses setuid? At
> install, at runtime, or both? Something else?

--
"Neither the wisest constitution nor the wisest laws will secure
the liberty and happiness of a people whose manners are universally
corrupt."
Samuel Adams, essay in The Public Advertiser, 1749