The zhcon package was added to FC6 and FC7 extra recently. But there is a issue of it that we may need to notice.
Because it need to access /dev/fb0 and so on, it need the setuid permission, so normal users can use it too. This bring the security risk. But for users' convenience, I didn't remove this setuid permission. It is still better don't install zhcon by default. Let's user install it manually.
Maybe we can use ACL to controll this?
Hu Zheng wrote:
The zhcon package was added to FC6 and FC7 extra recently. But there is a issue of it that we may need to notice.
Because it need to access /dev/fb0 and so on, it need the setuid permission, so normal users can use it too. This bring the security risk. But for users' convenience, I didn't remove this setuid permission. It is still better don't install zhcon by default. Let's user install it manually.
Maybe we can use ACL to controll this?
To me it looks like a perfect job for SElinux. But I might be wrong, I am just learning...
Yes, I will try to learn selinux and create a patch for zhcon and selinux :) Thanks for your idea :)
在 2007-04-03二的 11:14 +0300,Manuel Wolfshant写道:
Hu Zheng wrote:
The zhcon package was added to FC6 and FC7 extra recently. But there is a issue of it that we may need to notice.
Because it need to access /dev/fb0 and so on, it need the setuid permission, so normal users can use it too. This bring the security risk. But for users' convenience, I didn't remove this setuid permission. It is still better don't install zhcon by default. Let's user install it manually.
Maybe we can use ACL to controll this?
To me it looks like a perfect job for SElinux. But I might be wrong, I am just learning...
The zhcon package was added to FC6 and FC7 extra recently. But there is a issue of it that we may need to notice.
Because it need to access /dev/fb0 and so on, it need the setuid permission, so normal users can use it too. This bring the security risk. But for users' convenience, I didn't remove this setuid permission. It is still better don't install zhcon by default. Let's user install it manually.
Maybe we can use ACL to controll this?
Shouldn't pam set the framebuffer owner to the current console user? When I look at the /dev/fb0 permissions on my system I see this:
% ls -l /dev/fb0 crw------- 1 bress root 29, 0 Apr 3 07:53 /dev/fb0
There should be no need to give zhcon the setuid bit as I already have the permissions I need.
security@lists.fedoraproject.org
-
Hu Zheng -
Josh Bressers -
Manuel Wolfshant