
Re: pmud and gkrellm on tcp???



Yes, pmud is insecure... but it only allows connections from the
localhost. Now that doesn't mean a thing, as someone - not the console
user - can log in and have the machine sleep. There are, however, more
security implications in pmud. For example, there is some crude checking
on the ownership and permissions of pwrctl but not of pwrctl-local! So
if someone manages to write a pwrctl-local and have it executed (or
perhaps something that's being called from pwrctl/pwrctl-local) he/she
can have a setuid shell or something...

And yes, if you do not need pmud, then don't run it. It's very simple
and very effective; in fact, the mantra of the security-minded should
be: "If you don't need it, don't run or allow it".

What would be best, and I'm still thinking about how to implement this,
is to replace pmud with a kernel module that mimics the APM
implementation. Then one can use 'standard' apm tools and have the
security of the /proc filesystem files discriminate between who can and
who cannot use it...

Thanks for pointing this discussion out to me; I will check the thread today!

Kind regards,
--
Stephan


Chris Leishman wrote:
> 
> Hi Stephan,
> 
> Just thought you should be aware of a discussion on the debian-powerpc mailing
> list about your pmud utility.  For the full thread, see the list archives
> available from the debian website (www.debian.org).  Thanks..
> 
> On Wed, Oct 18, 2000 at 11:36:46AM +0200, Michael Schmitz wrote:
> <snip>
> > > well... personally i would not want all users to be able to put my
> > > machine to sleep, remember that local user != console user.
> >
> > For a laptop machine? If you have a Powerbook permanently hooked up to the
> > network and dozens of users logged in, chances are it's on AC power and
> > you won't need pmud. Don't run it, then.
> >
> > > in this case a unix domain socket might be a nicer way to go since you
> > > can change the permissions to only allow a certain group access.
> >
> > Yeah, that would be the only benefit I can see, and Unix' permissions
> > model is too weak to bother.
> <snip>
> 
> Originally I didn't twig to the fact that pmud allows the connecting client to
> issue commands to sleep.  This is slightly concerning, and it would be good to
> restrict down to ensure only authorized users have access.  Authorization
> could be determined through the use of a permission-checked unix domain
> socket, or by some sort of authentication on the protocol.
> 
> However, Michael is right that the scope of the problem is such that spending
> excessive time working on this is really not necessary - since we're only
> talking about laptops that are mobile (not on AC).  In the rare event that
> someone does have a laptop that is being used as a server (and hence has
> multiple local users) then they can choose to not run pmud.
> 
> My suggestion for Michael is to add a short note to the pmud package (either
> in the docs directory, man page, or via debconf) to point this out.  That way
> everyone will be aware of this situation.
> 
> For Stephan, the author, I suggest that the tightening of this "feature" be
> added as a wishlist item for the program.
> 
> Chris
> 

--
Stephan Leemburg
JVC Nederland BV
De Heyderweg 2, 2314 XZ  LEIDEN
The Netherlands
phone: +31 (71) 5453310
fax:   +31 (71) 5453436
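
The gap described in the message above (ownership and permissions are checked for pwrctl but not for pwrctl-local) closes when every helper script goes through one shared check before it is run. The following C sketch is an added example, not pmud's code and not part of the thread; the function names and the `./pwrctl` and `./pwrctl-local` paths are assumptions.

```c
/* Added example; not pmud source. Helper paths are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy: regular file, owned by the trusted uid, not group/world writable. */
int mode_is_trusted(uid_t owner, mode_t mode, uid_t trusted_uid)
{
    if (!S_ISREG(mode))
        return 0;
    if (owner != trusted_uid)
        return 0;
    return (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Check the file actually opened (fstat on the descriptor), refusing a
 * symlink as the final path component. Returns 1 if trusted, else 0. */
int helper_is_trusted(const char *path, uid_t trusted_uid)
{
    struct stat st;
    int ok = 0;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);

    if (fd < 0)
        return 0;               /* missing or unreadable: do not run it */
    if (fstat(fd, &st) == 0)
        ok = mode_is_trusted(st.st_uid, st.st_mode, trusted_uid);
    close(fd);
    return ok;
}

int main(void)
{
    /* Every script the daemon may execute goes through the same check. */
    const char *helpers[] = { "./pwrctl", "./pwrctl-local" };
    size_t i;

    for (i = 0; i < sizeof helpers / sizeof helpers[0]; i++)
        printf("%-16s %s\n", helpers[i],
               helper_is_trusted(helpers[i], 0) ? "ok to run" : "refused");
    return EXIT_SUCCESS;
}
```

The directory holding the helpers needs the same ownership and write-permission check, since a writable directory lets a checked file be replaced before it is executed.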


