changes in esound CVS (security and multiple recording)



A new release of esound is planned soon.
Some changes have been made in the CVS code since the last version:


- Esound now supports multiple recording clients.

- Esound security improved.

Please check the latest CVS version before its release.


Testers are welcome.



I plan to add an AM_ESD_SUPPORTS_MULTIPLE_RECORD version check to esd.m4
before the release.



There are security problems in old esound. 1, 2 and 3 should be fixed
now; 4 still remains.

1) Race condition exploit, any user:
for(;;){rmdir("/tmp/.esd");symlink("/etc/passwd","/tmp/.esd");}
I have not actually tested it, but I expect non-zero probability of success.

2) Standard condition exploit, non-root user only:
Suppose there is a file /path/xxx with permissions r--------, owned by the esd launcher.
ln -s /path/xxx /tmp/.esd
Now wait until the user starts esound. Wow, now /path/xxx is rwxrwxrwx!!!

3) rm -r /tmp/.esd/* can be done by any user. If I do mkdir /tmp/.esd ;
chmod o+wx /tmp/.esd before anybody starts esd, esd doesn't check
the permissions of the socket. Possible exploits are only "access to foreign
sound".

4) Dedicating a shell account on a machine with esd and a microphone also means
dedicating a "room listening account".
Example: Suppose a dedicated account "generic"
su -c esd
su generic -c esdrec sounds_in_room
(looking through strace, data are really read via esd)


-- 
Stanislav Brabec
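
Added example, not part of the original message and not esound's own code: one way a daemon can create or validate a per-user directory such as /tmp/.esd so that problems 1 to 3 above do not apply. The helper name open_private_dir is hypothetical, and the code assumes /tmp has the sticky bit set.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not esound's code): create or validate a private
 * socket directory such as /tmp/.esd. Returns an open directory fd on
 * success, -1 if the path is unsafe to use. */
int open_private_dir(const char *path)
{
    struct stat st;
    int fd;

    /* mkdir() never follows a symlink at the final component; EEXIST
     * only means something is already there and must be inspected. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;

    /* O_NOFOLLOW rejects a symlink planted at path (problems 1 and 2);
     * O_DIRECTORY rejects anything that is not a directory. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;

    /* Inspect the object actually opened, not the name, so a swap
     * between check and use cannot change the answer. */
    if (fstat(fd, &st) != 0 ||
        st.st_uid != geteuid() ||              /* pre-created by another user (problem 3) */
        (st.st_mode & (S_IWGRP | S_IWOTH))) {  /* others could remove or replace the socket */
        close(fd);
        return -1;
    }

    /* Tighten permissions through the fd; chmod(path) would follow a symlink. */
    if (fchmod(fd, 0700) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```

The caller refuses to start when the helper returns -1 instead of trying to repair a directory it did not create.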



