Re: recent gpm DoS issue

On Fri, Jul 28, 2000 at 07:16:09PM -0800, Ethan Benson wrote:
> On Fri, Jul 28, 2000 at 08:11:12AM +0000, Jim Breton wrote:
> > Yup, some of that is mentioned in the documentation... nevertheless, it
> > would be a big improvement over making the socket world-writable.
> perhaps, or perhaps only trusted users should be granted gid=mouse.  

That can be part of the solution.  The idea is to only give trusted
users write access to the device.  So, you can solve that two ways: a)
give them gid mouse (or group membership) as you mentioned, or b) give
these same users temporary group membership using PAM (group.conf).

No, it's not totally secure, but if you are only doing this for "trusted
users" (e.g., those who have console access) that is at least as good as
giving them permanent membership in that group.

IOW, comparing "permanent membership" vs. "temporary membership with the
threat of permanent membership," I would choose the latter.  But, either
way works (and equally important, is better than what we have now).

> that means you have to play games with the initscript to change its
> permissions.. 

Yup.  Until we have a package which sets restricted permissions on its
own, when it creates the socket.  :-{

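An added example, not part of the original message or of the gpm package: a shell check that an initscript or a periodic audit job could use to restrict a daemon's control socket to a trusted group and confirm it is not world-writable, as the thread discusses. The function names, the path argument and the use of GNU `stat -c` are assumptions; `mouse` is the group named in the thread.

```shell
#!/bin/sh
# Added example. Assumes GNU coreutils stat (stat -c).
# The socket path is passed in by the caller; none is hard-coded here.

# restrict_socket PATH GROUP
# Hand the socket to GROUP and drop all access for "other" (mode 0660).
restrict_socket() {
    chgrp "$2" "$1" && chmod 0660 "$1"
}

# audit_socket PATH GROUP
# GROUP may be a group name or a numeric gid.
# Returns: 0 = group-owned by GROUP and not world-writable
#          1 = world-writable
#          2 = owned by a different group
#          3 = path missing or unreadable
audit_socket() {
    path=$1
    want=$2
    [ -e "$path" ] || { echo "missing: $path" >&2; return 3; }
    mode=$(stat -c '%a' "$path") || return 3
    gname=$(stat -c '%G' "$path") || return 3
    gid=$(stat -c '%g' "$path") || return 3

    # Octal write bit for "other" is 0002.
    if [ $(( 0$mode & 0002 )) -ne 0 ]; then
        echo "FAIL: $path is world-writable (mode $mode)" >&2
        return 1
    fi
    if [ "$want" != "$gname" ] && [ "$want" != "$gid" ]; then
        echo "FAIL: $path has group $gname ($gid), expected $want" >&2
        return 2
    fi
    echo "OK: $path mode $mode group $gname"
    return 0
}

# Typical use from an initscript, after the daemon has created its socket
# (SOCKET is a placeholder for the daemon's control socket path):
#   restrict_socket "$SOCKET" mouse && audit_socket "$SOCKET" mouse
```

Because the permissions are changed after the daemon creates the socket, there is a short window in which the original mode still applies, which is why the message above prefers a package that sets restricted permissions itself.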