[77] in linux-security and linux-alert archive
SvgaLib (was Re: Secure setup for file transfert)
daemon@ATHENA.MIT.EDU (GLAUDE DAVID)
Thu Mar 9 14:08:08 1995
From: dglaude@is1.bfu.vub.ac.be (GLAUDE DAVID)
To: linux-security@tarsier.cv.nrao.edu
Date: Thu, 9 Mar 1995 15:10:01 +0100 (MET)
In-Reply-To: <Pine.HPP.3.90.950308233138.13403A-100000@central.surrey.ac.uk> from "Mr Martin J Hargreaves" at Mar 8, 95 11:33:14 pm
Reply-To: linux-security@tarsier.cv.nrao.edu
Mr Martin J Hargreaves said:
> On 7 Mar 1995, Panzer Boy wrote:
> > OB linux-security, SVGAlib with convfont being SUID root. Allows you to
> > write any files as root.
>
> Is this list going to be full disclosure like bugtraq? If so can
> we have details? Otherwise do you have a fix (other than only running
> SVGAlib programs as root).
>
> [Mod: We would prefer to focus on security enhancement and "hole"
> avoidance, detection, and fixes, rather than methods of exploitation]
Well, is there any way to secure programs using svgalib?
It seems that to access the vga io ports you need some privilege, which is an
increase of security (not anybody should be able to turn your screen upside
down). But because of the lack of security levels in Unix (root or not root),
all programs for Vga have to be run as root (I always log in as root, but don't
do as I do) or be setuid root, which is a potential risk (see above).
Is there any other solution than making those programs setuid root (like gs with
the vga console driver)? Shouldn't a solution be searched for?
--
GLAUDE David dglaude@is1.ulb.ac.be [Glu]
I speak French: "Linux est l'unique Unix de Linus."