[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: pmud and gkrellm on tcp???

> > Short of recompiling with the port 879 bind/listen disabled? No. And I
> > don't think this is required. I'm in no mood to summarize the argument on
> > that point again - pmud is only accessible to the local user, and it
> > _should_ be accessible to the local user. If you can't trust the local
> > user not to put your machine to sleep (that's all they can do), tough
> > luck. 
> well... personally i would not want all users to be able to put my
> machine to sleep, remember that local user != console user.  

For a laptop machine? If you have a Powerbook permanently hooked up to the
network and dozens of users logged in, chances are it's on AC power and
you won't need pmud. Don't run it, then. 
> in this case a unix domain socket might be a nicer way to go since you
> can change the permissions to only allow a certain group access.  

Yeah, that would be the only benefit I can see, and Unix' permissions
model is too weak to bother. 
> being able to restrict access to only the most trusted of users also
> reduces risks of potential security holes that could be found.  (i
> assume pmud runs as root?) 

The commands read from the TCP port are read into a fixed buffer, using a
fixed size, and copied to malloces storage later. Can't see a buffer
overflow there ... anything else you're concerned about? 

> > BTW: pmud listening to commands (like 'sleep' or 'power') on a socket is a
> > feature, not a bug. The benefits of this feature outweigh the potential
> > risk for typical laptop computer use. 
> yes i agree with this, but i think a unix domain socket would probably
> be a better choice in this case.  the localhost only port is not that
> bad but is simply not as flexible.  

I think it's a red herring. And I'm not the maintainer of pmud anyway, I
just package pmud. Please take your concerns to Stephan. 


Reply to: