Re: So much for Skype.
On Mon, May 23, 2011 at 06:29, Ron Johnson <email@example.com> wrote:
> I was thinking of setuid() magic.
Again an OS issue, not a Skype issue. I agree that since root must
install Skype, and since root then owns Skype, the application might
setuid. But this is an OS feature, not a Skype feature. How is this
not a concern with any other closed-source application that one must
install? I could understand derailing the thread into a closed-source
vs. open-source debate, which while very productive would not address
the issue at hand.
For that matter, though, I do agree that setuid is a security risk and
not well mitigated. Maybe the issue needs to be dealt with already:
how would you suggest changing the kernel behaviour to mitigate the
risk? A warning or log entry each time an application uses setuid? At
install, at runtime, or both? Something else?