On Tue, 28 Dec 1999, Dirk Koopman wrote:

> On 23-Dec-1999 Tomi Manninen wrote:
> > On Thu, 23 Dec 1999, Leszek A. Szczepanowski wrote:
> > 
> >> Is there ANY possibility to use the unproto list (raw socket), running
> >> FBB as an ordinary user, not root? I was looking in the kernel
> >> sources, and found in AF_AX25 there is one 'suser' function
> >> checking if the user has privileges to open such a socket.
> >> I think it is unnecessary there; security solutions in this
> >> case aren't needed! What a stupid reason. If I make a
> >> patch to open a raw socket for AX25 by any user, it will
> >> be placed on this list.
> > 
> > Please don't distribute such bugs on this list. There are good reasons
> > why the unix security model is as it is. Besides, doing what you want
> > (running FBB as non-root) would be fairly simple to do the right way. If
> > you want to be useful, just help Jean-Paul in doing that.
> 
> Erm.. a "bug"? I am not at all sure that this is a "bug". I also cannot, for
> the life of me, see why a "feature" of this sort cannot be discussed here.

Well, of course it can be discussed. Maybe my reaction was too strong.

> I would like to hear the reasons why this feature is "root only", especially
> bearing in mind that computers running ax25 should be amateur use only.

Amateur use only? Why?

> Running ax25 stacks on "commercially sensitive" machines, especially with
> ax25 programs running as root (UI generating or not), strikes me as a security
> exploit waiting to happen!

There is _NO_ need to have root privileges after opening the socket! Just
drop them and suddenly you have a 100% secure application. The stack itself
should be secure. Unless some bright one decides to distribute a patch
removing super user checks...

> For the record, I too would like to be able to both receive and generate
> UI frames from programs that are non-root. This is going to become an issue
> during the course of the year with my DXSpider cluster program.

Generating UI frames as non-root is easy, just use a datagram socket.
Receiving should be just as easy but I haven't tested. Of course you are
then restricted to your own source call.

-- 
--- Tomi Manninen / [EMAIL PROTECTED] / OH2BNS @ OH2RBI.FIN.EU ---
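The pattern Tomi describes (open the privileged socket while still root, then drop privileges for good before doing any real work) as an added example, not code from the thread or from FBB. It assumes Linux, and the target uid/gid 65534 ("nobody") is a constructed value; on a host without the AX.25 stack the socket() call simply fails and the privilege drop still happens.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef AF_AX25
#define AF_AX25 3   /* Linux value; only Linux carries the AX.25 stack anyway */
#endif

/* Permanently drop to uid/gid. Order matters: supplementary groups and the
 * gid go first, because after setuid() we may no longer change them.
 * Returns 0 on success, -1 (errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* only root may call this */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible: regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

int main(void)
{
    /* Open the raw socket first, while the privilege is still there. */
    int s = socket(AF_AX25, SOCK_RAW, 0);
    if (s < 0)
        perror("socket(AF_AX25, SOCK_RAW)");

    uid_t target_uid = 65534;   /* constructed: the unprivileged daemon account */
    gid_t target_gid = 65534;
    if (getuid() != 0) {        /* not started as root: nothing to drop */
        target_uid = getuid();
        target_gid = getgid();
    }
    if (drop_privileges(target_uid, target_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    /* The descriptor opened as root stays usable after the drop. */
    printf("uid %u, socket fd %d still open\n", (unsigned)geteuid(), s);
    if (s >= 0) close(s);
    return 0;
}
```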