[92] in linux-security and linux-alert archive
Re: SvgaLib (was Re: Secure setup for file transfert)
daemon@ATHENA.MIT.EDU (R.E.Wolff@et.tudelft.nl)
Fri Mar 10 05:10:18 1995
To: linux-security@tarsier.cv.nrao.edu
Date: Thu, 9 Mar 1995 21:37:00 +0100 (MET)
In-Reply-To: <9503091410.AA12809@is1e.vub.ac.be> from "GLAUDE DAVID" at Mar 9, 95 03:10:01 pm
From: R.E.Wolff@et.tudelft.nl
Reply-To: linux-security@tarsier.cv.nrao.edu
>
> Mr Martin J Hargreaves said:
>
> Well, is there any way to secure program ussing svgalib.
> It seems that to access vga io port you need some priviledge wich is an
> increase of security (not anybody should be able to turn you screen upside
> down). But because of the lack of security level in Unix (root or not root),
> all program for Vga have to be run as root (I always log as root but don't
> do as I do) or to be setuid root wich is a potential risk. (see above)
> Is there any other solution than setuid root thoses programs (like gs with
> the vga console driver). Shouldn't a solution be search ?
I have on several occasions mailed with Linus about this. What I
suggested is the following user appearance.
linux % ls -l /dev/vga-fb
crw-rw---- 1 root vga 1, 11 Jul 18 1994 /dev/vga-fb
linux % cat /proc/memdevs/11
000a0000 00020000
linux % ls -l /proc/memdevs/11
-rw-r--r-- 1 root root 0 Mar 9 21:23 /dev/memdevs/11
linux % su
Password:
linux # cat /proc/memdevs/12
00000000 00000000
linux # echo 00f00000 00100000 > /proc/memdevs/12
linux # cat /proc/memdevs/12
00f00000 00100000
linux # mknod /dev/mccd_card c 1 11
linux # chown wolff /dev/mccd_card
linux # chmod 700 /dev/mccd_card
linux # ls -l /dev/mccd_card
crw-rw---- 1 root vga 1, 12 Mar 9 1995 /dev/mccd_card
linux # exit
linux % id
uid=10030(wolff) gid=1000(users) groups=1000(users)
linux % mccd_program /dev/mccd_card
mccd> doit
done.
mccd> exit
Bye
linux %
Similar userinterface would go for the io-space devices. Opening an
io-space device would either allow any user to use ioperm, or would
immediately enable the io permissions a-la ioperm.
Linus seems not to be enthousiastic about this, I implemented it a few
times and lost the patches. When he promises he likes the idea, I'll
recode it from scratch (it isn't that much work). We might make a
little petition here in this group and "beg" him to put it in......
Roger Wolff.
