For HAL users: [Fwd: FreeBSD Security Advisory FreeBSD-SA-06:25.kmem]

Tom McLaughlin tmclaugh at sdf.lonestar.org
Wed Dec 6 11:13:11 PST 2006 

On Wed, 2006-12-06 at 13:11 -0500, Joe Marcus Clarke wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Pav Lucistnik wrote:
> > Tom McLaughlin píše v st 06. 12. 2006 v 12:40 -0500:
> > 
> >> This affects anyone with HAL setup properly according to our port's
> >> defaults and uses firewire.
> >>
> >> I like changing the default group to wheel since most Gnome users on
> >> Free will probably already be a part of wheel.  I'll stop beating the
> >> dead horse now. ;)
> > 
> > Wasn't this talked to death with the result, that wheel group must be
> > reserved for users capable of running 'su' *only* ?
> > 
> > 
> 
> wheel _and_ operator are not going to work, but one or the other should
> be fine.  However, hal is not the only GNOME component to use operator.
>    While we do suggest that users that need to mount remote volumes be
> in the operator group, HAL itself is not vulnerable to this problem, and
> I don't think we need to change our operating procedure for something
> that will not be an issue moving forward.

I just want to point out the idea of changing the default group was a
friendly jab after I lost the argument the first time.  Hence the ';)'
at the end.  Humor doesn't always carry over the tubes well. :-/

I know hal isn't vulnerable.  Only forwarded the message because of this
portion of the advisory.

---
Note also that FreeBSD does not have any non-root users in the
"operator" group by default; systems on which no users have been added
to this group are therefore also not vulnerable.
---

It wasn't until a few minutes later that I realized that Gnome users
would probably have non-root users in the group.  I figured it was worth
a heads up.

> 
> For administrators of shared systems, they can decide how best to
> proceed.  They can either choose to patch the system, temporarily change
> the HAL group, or disable HAL altogether.  For users of personal
> workstations, they will most likely not care.
> 
> I do think that airing this on the mailing list is a good thing, though,
> as it will make users aware of the issue.  Perhaps this also warrants an
> addition to the known issues list.
> 
> Joe
> 
> - --
> Joe Marcus Clarke
> FreeBSD GNOME Team	::	gnome at FreeBSD.org
> FreeNode / #freebsd-gnome
> http://www.FreeBSD.org/gnome
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFFdwfDb2iPiv4Uz4cRAks5AKCQxlCgaxWO7JetoQ4M3cSZ11lCrwCfa1EY
> dpe7vR7AEWOQctJwU0y+Ans=
> =Wd3l
> -----END PGP SIGNATURE-----
-- 
| tmclaugh at sdf.lonestar.org             tmclaugh at FreeBSD.org |
| FreeBSD                                   http://www.FreeBSD.org |
| BSD#                    http://www.mono-project.com/Mono:FreeBSD |

More information about the freebsd-gnome mailing list