Re: xastir question... suid root?

On Fri, Jun 07, 2002 at 08:30:48PM +1000, Hamish Moffatt wrote:
> On Fri, Jun 07, 2002 at 12:46:54AM +0200, Gali Drudis i Sole wrote:
> > Should Xastir not be suid root anyway if the soundmodem driver is to
> > be used? I guess this is a much more serious problem. Do you know any
> > way to circumvent it? I do have to use the soundcard as for the moment
> > I have nothing better (I'm also a newbie at packet/APRS).
> 
> Why does it need to be suid root to use the soundmodem?
> 
> /usr/bin/call is not suid root but it can make connections.
> 
> regards
> Hamish
> -- 
> Hamish Moffatt VK3SB <hamish@debian.org> <hamish@cloud.net.au>
> 

README.1ST discusses this (without really saying why), along with an
alternative (Note: this is from the CVS version, not the Debian
package, which may read differently):

     LINUX-SPECIFIC SECURITY WARNING:  If you're using Linux AX.25 kernel
     networking, you'll need to either make Xastir SUID-root, or use a shim
     (which itself is set to SUID-root) between Xastir and the AX.25 ports.
     See Option #2 below for the (possibly safer) shim method.  If you're the
     paranoid type (and you should be if you're running a system with multiple
     users), you may wish to skip SUID-root mode/kernel AX.25 interfaces and
     use standard serial port TNC interfaces instead.  Any program is safer if
     run as a normal user (not safe, but safer).  It is currently impossible
     to use kernel-mode AX.25 interfaces without the program running with
     root privileges.

     Option 2)
     A more security-conscious option is to use a shim program written by
     Henk de Groot, PE1DNN.  This program runs in SUID-root mode but is
     much smaller and so is easier to audit for security, and provides a
     new port that Xastir can connect to.  The new port can be read/written
     without having to be the root user.  The program is called aprs_tty
     and can be obtained here:

     ftp://ftp.eskimo.com/u/a/archer/aprs/xastir/aprs_tty.0.0.2.tgz

     It actually responds to some TNC commands. The code is straightforward
     and works well.  Run the program, telling it what port to use, and then
     in XASTIR set up the TNC to point to the new TTY at 19200. It
     transmits/receives UI frames, and sets the correct unproto path.  In
     this case DO NOT perform the chmod 4555 command on the Xastir executable.

     Note again that the same SUID-root warnings that were given in option
     #1 above also apply to aprs_tty.  Buyer beware!  As far as we know,
     aprs_tty has not been audited for security, and makes no effort to drop
     extra privileges. Use this in a multi-user environment at your own risk!

73,
Bob, N7XY

----
Bob Nielsen, N7XY                          nielsen@oz.net
Bainbridge Island, WA                      http://www.oz.net/~nielsen
IOTA NA-065, USI WA-028S 
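Added example (not code from the README, Xastir or aprs_tty): the privilege-dropping step the README says aprs_tty does not do, as a hypothetical shim skeleton in C. The pattern is to open the privileged resource while still effectively root, then permanently drop to the invoking user and verify that root cannot be regained. `open_privileged_port` is a stand-in that opens /dev/null so the program runs anywhere; a real shim would open the kernel AX.25 port there.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Stand-in for the privileged step (a kernel AX.25 port would go here);
 * it opens /dev/null so this added example runs without root or AX.25. */
static int open_privileged_port(void)
{
    return open("/dev/null", O_RDWR);
}

/* Permanently drop root to the given user/group. Returns 0 on success,
 * -1 on failure. The order matters: supplementary groups, then gid,
 * then uid, because each step needs the privilege the next one removes.
 * On Linux, setuid() called with effective uid 0 sets the real, effective
 * and saved uid together, so the drop cannot be undone with seteuid(0). */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(target_gid) != 0 || setuid(target_uid) != 0)
        return -1;
    /* Confirm the drop took effect on every id. */
    if (getuid() != target_uid || geteuid() != target_uid ||
        getgid() != target_gid || getegid() != target_gid)
        return -1;
    /* Confirm it is irreversible: regaining root here must fail. */
    if (target_uid != 0 && (seteuid(0) == 0 || setuid(0) == 0))
        return -1;
    return 0;
}

int main(void)
{
    int fd = open_privileged_port();            /* while still SUID-root */
    if (fd < 0) { perror("open"); return 1; }
    /* Real uid/gid are those of the user who ran the SUID binary. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "failed to drop privileges; aborting\n");
        return 1;
    }
    printf("serving fd %d as uid %u\n", fd, (unsigned)geteuid());
    close(fd);
    return 0;
}
```

If the binary is run directly by root rather than via SUID, the real uid is 0 and the irreversibility check is skipped; a real shim would refuse to run in that case or drop to a dedicated unprivileged account instead.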
