On 05/27/2010 12:57 AM, Daniel Kahn Gillmor wrote:
> To get to act as an AP, i had to copy /usr/bin/uaputl from another
> guruplug. It seems to work fine. If no one has gotten the code from
> marvell, i'll look into replacing uaputl -- it doesn't look too complex.

WARNING!

testing uaputl tonight, i realized that i could run it as a completely
non-privileged user, and it would have full control over the wireless
device. my non-priv user can not only read the security keys, etc, but
also do things like start and stop the broadcast beacon, change the
ssid, etc.

This suggests the complete lack of a security model in the libertas_uap
module supplied by marvell, uap8xxx.ko. I have not yet reviewed what
other internal kernel operations might be accessible from the ioctl
interface exported by uap8xxx.ko.

Please be aware that using this kernel module on a sensitive system
means at least that local non-privileged users will be able to modify
wireless settings, and possibly do other things that only root should
probably be able to do.

I'd appreciate verification of this from someone who is still running
the factory-installed kernel, by the way.

The libertas_uap code needs a security audit by someone with kernel
module development skills.

--dkg