From: Todd S. <ts...@op...> - 2007-02-02 16:19:25
|
Samium Gromoff <_de...@ma...> writes: > Ingvar wrote: >> Samium Gromoff wrote: >> > Juho Snellman wrote: >> > > Running SBCL with suid sounds like a really bad idea in any case. >> > >> > I am writing a parport-poking piece of code (a JTAG debugger), >> > which requires extended permissions... >> > >> > If there is a way of having raw parport access without suid, >> > i would be happy to know.. >> >> If it presents as a device file it MIGHT be doable to just change permissions >> on the device (or group or owner). Can't say I've ever poked raw parallel >> ports under any unix, so wouldn't know off-hand (though I've installed parport >> printers and they definitely used device files). > > Unfortunately, this is supposed to be production software, so requiring > the end user to make changes to their systems which have non-trivial > security implications is not acceptable... That would be funny if it weren't so misguided. Apparently, you think that changing the group ownership and permissions on a single device file has "non-trivial security implications", but installing a suid-root sbcl doesn't. You do realize that a suid-root sbcl will allow anyone on the system to do anything they want as root? It's effectively the same thing as installing a setuid root shell. You can just run SB-EXT:RUN-PROGRAM on /bin/sh, and you've basically got a root shell. -- Todd Sabin <ts...@op...> |