Florian Weimer wrote:
* Alessandro Selli:
Beep is installed SUID root in Debian Wheezy. This is
unnecessary. In order to overcome tty ioctl issue, expecially when
running in an Xterm, these capabilities should instead be set to the
/usr/bin/beep executable:
CAP_DAC_OVERRIDE,CAP_SYS_TTY_CONFIG=ep
CAP_DAC_OVERRIDE is essentially root-equivalent. It allows snooping
passwords entered on TTYs, for example, or read key material from the
disk which can then be used to impersonate users and services. So I'm
doubtful this adds much security, especially if beep already drops
privileges early (which I haven't checked).
Of course beep could do these things, if it wanted to or if it could
be tricked into doing so while it enjoys the effective capabilities.
But it could do even more, much more if it was run SUID root, as these
are only two of the 37 capabilities a kernel 3.14 can handle.
CAP_DAC_OVERRIDE is root-equivalent only as far as the DAC is concerned.
Regards,
--
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiave firma PGP/GPG signing key: B7FD89FD
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
