
Re: So much for Skype.

On Mon, May 23, 2011 at 06:29, Ron Johnson <ron.l.johnson@cox.net> wrote:
> I was thinking of setuid() magic.

Again an OS issue, not a Skype issue. I agree that since root must
install Skype, and since root then owns Skype, the application might
setuid. But this is an OS feature, not a Skype feature. How is this
not a concern with any other closed-source application that one must
install? I could understand derailing the thread into a closed-source
vs. open-source debate, which while very productive would not address
the issue at hand.

For that matter, though, I do agree that setuid is a security risk and
not well mitigated. Maybe the issue needs to be dealt with already:
how would you suggest changing the kernel behaviour to mitigate the
risk? A warning or log entry each time an application uses setuid? At
install, at runtime, or both? Something else?

Dotan Cohen

