Thanks for the reply! The way I look at this is from the perspective of risk. There are two scenarios for crossing privilege boundaries:

- the local user attacking colord via malicious DBus calls (to gain colord privs)
- an external user attacking colord via inserted media (to gain colord privs)

If we don't scan media by default, then the entire external attack goes away. If colord doesn't run as root, then a local attacker gains very little from attacking colord.

The reason I'm so nervous about this is because colord is effectively a direct path to lcms parsing. Any user can trigger the lcms parser _as the root user_, and lcms has a non-zero history of security flaws:

low (2): CVE-2009-0581 CVE-2009-0793
medium (3): CVE-2008-5317 CVE-2009-0723 CVE-2009-0733

I would much prefer this daemon run as some "colord" system user instead of as root. The default for any daemon should be to run with least privilege.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5317
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0581
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0723
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0733
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0793

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/823185

Title: [MIR] colord

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/colord/+bug/823185/+subscriptions
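As an added example (not colord's code and not part of this bug thread), this is the privilege drop the comment argues for, written in C: a daemon started as root moves to a dedicated system account, assumed here to be named "colord", and then verifies that real, effective and saved UIDs/GIDs all changed, since a drop that leaves the saved UID at 0 can be undone later.

```c
#define _GNU_SOURCE            /* setresuid/setresgid/setgroups on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <unistd.h>
#include <sys/types.h>

/* Pure check: the drop is complete only if real, effective and saved IDs all
 * equal the target and none is still 0. A daemon that used setuid() but kept
 * its saved UID at 0 could regain root; this rejects that state. Returns 1/0. */
int drop_is_complete(uid_t ruid, uid_t euid, uid_t suid,
                     gid_t rgid, gid_t egid, gid_t sgid,
                     uid_t want_uid, gid_t want_gid)
{
    if (want_uid == 0 || want_gid == 0)
        return 0;
    if (ruid != want_uid || euid != want_uid || suid != want_uid)
        return 0;
    if (rgid != want_gid || egid != want_gid || sgid != want_gid)
        return 0;
    return 1;
}

/* Drop from root to the named account (assumed here to be "colord"). Order
 * matters: supplementary groups first, then GID, then UID, because after the
 * UID change the process can no longer alter its groups. Returns 0 only when
 * getresuid/getresgid confirm the drop; otherwise -1 with errno set. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;
    if (pw == NULL) { errno = ENOENT; return -1; }
    if (setgroups(0, NULL) == -1)
        return -1;
    if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1)
        return -1;
    if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
        return -1;
    if (getresuid(&ruid, &euid, &suid) == -1 ||
        getresgid(&rgid, &egid, &sgid) == -1)
        return -1;
    if (!drop_is_complete(ruid, euid, suid, rgid, egid, sgid,
                          pw->pw_uid, pw->pw_gid) || setuid(0) != -1) {
        errno = EPERM;      /* still privileged, or root is regainable */
        return -1;
    }
    return 0;
}
```

A daemon calls drop_to_user("colord") right after acquiring any root-only resources and must exit if it returns -1; the same effect is usually obtained from the init system's unit file, but the check in drop_is_complete is what a code reviewer should look for in a hand-rolled drop.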