Re: xastir question... suid root?
On Fri, Jun 07, 2002 at 08:30:48PM +1000, Hamish Moffatt wrote:
> On Fri, Jun 07, 2002 at 12:46:54AM +0200, Gali Drudis i Sole wrote:
> > Should Xastir not be suid root anyway if the soundmodem driver is to
> > be used? I guess this is a much more serious problem. Do you know any
> > way to circumvent it? I do have to use the soundcard as for the moment
> > I have nothing better (I'm also a newbie at packet/APRS).
>
> Why does it need to be suid root to use the soundmodem?
>
> /usr/bin/call is not suid root but it can make connections.
>
> regards
> Hamish
> --
> Hamish Moffatt VK3SB <hamish@debian.org> <hamish@cloud.net.au>
>
README.1ST discusses this (without really saying why), along with an
alternative (Note: this is from the CVS version, not the Debian
package, which may read differently):
LINUX-SPECIFIC SECURITY WARNING: If you're using Linux AX.25 kernel
networking, you'll need to either make Xastir SUID-root, or use a shim
(which itself is set to SUID-root) between Xastir and the AX.25 ports.
See Option #2 below for the (possibly safer) shim method. If you're the
paranoid type (and you should be if you're running a system with multiple
users), you may wish to skip SUID-root mode/kernel AX.25 interfaces and
use standard serial port TNC interfaces instead. Any program is safer if
run as a normal user (not safe, but safer). It is currently impossible
to use kernel-mode AX.25 interfaces without the program running with
root privileges.
Option 2)
A more security-conscious option is to use a shim program written by
Henk de Groot, PE1DNN. This program runs in SUID-root mode but is
much smaller and so is easier to audit for security, and provides a
new port that Xastir can connect to. The new port can be read/written
without having to be the root user. The program is called aprs_tty
and can be obtained here:
ftp://ftp.eskimo.com/u/a/archer/aprs/xastir/aprs_tty.0.0.2.tgz
It actually responds to some TNC commands. The code is straightforward
and works well. Run the program, telling it what port to use, and then
in XASTIR set up the TNC to point to the new TTY at 19200. It
transmits/receives UI frames, and sets the correct unproto path. In
this case DO NOT perform the chmod 4555 command on the Xastir executable.
Note again that the same SUID-root warnings that were given in option
#1 above also apply to aprs_tty. Buyer beware! As far as we know,
aprs_tty has not been audited for security, and makes no effort to drop
extra privileges. Use this in a multi-user environment at your own risk!
73,
Bob, N7XY
----
Bob Nielsen, N7XY nielsen@oz.net
Bainbridge Island, WA http://www.oz.net/~nielsen
IOTA NA-065, USI WA-028S
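The README quoted above says aprs_tty "makes no effort to drop extra privileges". The sketch below is an added example, not aprs_tty's or Xastir's code, of how a small SUID-root shim of that kind would create the TTY a client connects to and then give up root irrevocably before handling any traffic. It assumes Linux/glibc (setresuid, setresgid, ptsname_r) and runs unprivileged as a demo because the pty itself needs no root; in a real shim the kernel AX.25 socket would be opened in the same privileged phase.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently give up root after the privileged setup is done: real,
 * effective and saved ids all become the invoking user's, so a later
 * setuid(0) cannot restore root. Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t uid = getuid();   /* the real user who ran the SUID binary */
    gid_t gid = getgid();

    /* Supplementary groups can only be reset while still root. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Groups first: once the uid is dropped, gids can no longer change. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Paranoia check: if regaining root still works, the drop failed. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Privileged phase: create the pseudo-terminal a client such as Xastir
 * opens as its "TNC". Writes the slave path into name; returns the
 * master fd or -1. A real shim would also open the AX.25 socket here. */
int open_client_pty(char *name, size_t len)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    if (grantpt(master) != 0 || unlockpt(master) != 0 ||
        ptsname_r(master, name, len) != 0) {
        close(master);
        return -1;
    }
    return master;
}

int main(void)
{
    char slave[64];
    int master = open_client_pty(slave, sizeof slave); /* privileged work first */
    if (master < 0) { perror("posix_openpt"); return 1; }
    if (drop_privileges() != 0) { perror("drop_privileges"); return 1; }
    printf("client port: %s (euid now %u)\n", slave, (unsigned)geteuid());
    /* from here on, relay frames between master and the radio port unprivileged */
    close(master);
    return 0;
}
```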