12:52 a.m.
The zhcon package was added to FC6 and FC7 extra recently. But there is
a issue of it that we may need to notice.
Because it need to access /dev/fb0 and so on, it need the setuid
permission, so normal users can use it too. This bring the security
risk. But for users' convenience, I didn't remove this setuid
permission.
It is still better don't install zhcon by default. Let's user install it
manually.
Maybe we can use ACL to controll this?
3:14 a.m.
Hu Zheng wrote:
The zhcon package was added to FC6 and FC7 extra recently. But there
is
a issue of it that we may need to notice.
Because it need to access /dev/fb0 and so on, it need the setuid
permission, so normal users can use it too. This bring the security
risk. But for users' convenience, I didn't remove this setuid
permission.
It is still better don't install zhcon by default. Let's user install it
manually.
Maybe we can use ACL to controll this?
To me it looks like a perfect job for SElinux. But I might be wrong, I
am just learning...
3:34 a.m.
Yes, I will try to learn selinux and create a patch for zhcon and
selinux :)
Thanks for your idea :)
在 2007-04-03二的 11:14 +0300,Manuel Wolfshant写道:
Hu Zheng wrote:
> The zhcon package was added to FC6 and FC7 extra recently. But there is
> a issue of it that we may need to notice.
>
> Because it need to access /dev/fb0 and so on, it need the setuid
> permission, so normal users can use it too. This bring the security
> risk. But for users' convenience, I didn't remove this setuid
> permission.
> It is still better don't install zhcon by default. Let's user install it
> manually.
>
> Maybe we can use ACL to controll this?
>
To me it looks like a perfect job for SElinux. But I might be wrong, I
am just learning...
6:55 a.m.
The zhcon package was added to FC6 and FC7 extra recently. But there
is
a issue of it that we may need to notice.
Because it need to access /dev/fb0 and so on, it need the setuid
permission, so normal users can use it too. This bring the security
risk. But for users' convenience, I didn't remove this setuid
permission.
It is still better don't install zhcon by default. Let's user install it
manually.
Maybe we can use ACL to controll this?
Shouldn't pam set the framebuffer owner to the current console user? When
I look at the /dev/fb0 permissions on my system I see this:
% ls -l /dev/fb0
crw------- 1 bress root 29, 0 Apr 3 07:53 /dev/fb0
There should be no need to give zhcon the setuid bit as I already have the
permissions I need.
--
JB
6243
days inactive
6243
days old
security@lists.fedoraproject.org
3 comments
3 participants
participants (3)
-
Hu Zheng -
Josh Bressers -
Manuel Wolfshant