On Wed, 19 Oct 2005, Javier [UTF-8] Fern??ndez-Sanguino [UTF-8] Pe??a wrote: > I don't have a patch available, but I could write one that: > > a) modifies the postinst/postrm to create a 'yiff' user (might need to belong > to the 'audio' group too) > b) modifies the init script to run yiff-server as the 'yiff' user instead of > as > root > c) creates /var/run/yiff/ so that the pidfile can be created by the program > there (the directory should belong to 'yiff' so it needs to be created on > package installation by root)
Those three points should fix the problem you've identified. I wouldn't worry about the other two bugs you filed -- I should be able to tidy those up within a few weeks (I hope!). > That would mitigate the risk a lot, another improvement, which might need to > change code in the source package include limiting file calls to only access > a given directory and reject absolute paths (i.e. those including a '/') > from client requests. That would prevent remote attacks to the server by > having it read files that a remote user would not have access otherwise. Probably not worth the effort right now: it's been previously suggested that the only depending package (searchandrescue) should use something else for its audio support. I might investigate that again. Alternatively, we could suggest this to upstream. Cheers, Phil.
