For HAL users: [Fwd: FreeBSD Security Advisory FreeBSD-SA-06:25.kmem]
Tom McLaughlin
tmclaugh at sdf.lonestar.org
Wed Dec 6 11:13:11 PST 2006
On Wed, 2006-12-06 at 13:11 -0500, Joe Marcus Clarke wrote:
>
> Pav Lucistnik wrote:
> > Tom McLaughlin wrote on Wed 06. 12. 2006 at 12:40 -0500:
> >
> >> This affects anyone with HAL set up properly according to our port's
> >> defaults and who uses firewire.
> >>
> >> I like changing the default group to wheel since most Gnome users on
> >> Free will probably already be a part of wheel. I'll stop beating the
> >> dead horse now. ;)
> >
> > Wasn't this talked to death with the result, that wheel group must be
> > reserved for users capable of running 'su' *only* ?
> >
> >
>
> wheel _and_ operator are not going to work, but one or the other should
> be fine. However, hal is not the only GNOME component to use operator.
> While we do suggest that users that need to mount remote volumes be
> in the operator group, HAL itself is not vulnerable to this problem, and
> I don't think we need to change our operating procedure for something
> that will not be an issue moving forward.

I just want to point out the idea of changing the default group was a
friendly jab after I lost the argument the first time. Hence the ';)'
at the end. Humor doesn't always carry over the tubes well. :-/

I know hal isn't vulnerable. Only forwarded the message because of this
portion of the advisory.

---
Note also that FreeBSD does not have any non-root users in the
"operator" group by default; systems on which no users have been added
to this group are therefore also not vulnerable.
---

It wasn't until a few minutes later that I realized that Gnome users
would probably have non-root users in the group. I figured it was worth
a heads up.

>
> For administrators of shared systems, they can decide how best to
> proceed. They can either choose to patch the system, temporarily change
> the HAL group, or disable HAL altogether. For users of personal
> workstations, they will most likely not care.
>
> I do think that airing this on the mailing list is a good thing, though,
> as it will make users aware of the issue. Perhaps this also warrants an
> addition to the known issues list.
>
> Joe
>
> --
> Joe Marcus Clarke
> FreeBSD GNOME Team :: gnome at FreeBSD.org
> FreeNode / #freebsd-gnome
> http://www.FreeBSD.org/gnome
--
| tmclaugh at sdf.lonestar.org tmclaugh at FreeBSD.org |
| FreeBSD http://www.FreeBSD.org |
| BSD# http://www.mono-project.com/Mono:FreeBSD |
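
The advisory excerpt quoted in the message above says a system with no non-root users in the "operator" group is not vulnerable. The sh function below is an added example, not part of the original thread or the advisory, that lists such accounts from passwd- and group-format files; the function name and its argument order are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print every account with a UID other than 0 that belongs to
# a group, either as a listed member in the group file or through its
# primary GID in the passwd file.
# Hypothetical helper: group_members_nonroot [GROUP] [PASSWD_FILE] [GROUP_FILE]
group_members_nonroot() {
    grp=${1:-operator}
    pfile=${2:-/etc/passwd}
    gfile=${3:-/etc/group}
    awk -F: -v grp="$grp" '
        # Skip comment lines and anything too short to be a record.
        /^#/ || NF < 3 { next }
        # First file, passwd(5): name:passwd:uid:gid:...
        FILENAME == ARGV[1] { uid[$1] = $3; pgid[$1] = $4; next }
        # Second file, group(5): name:passwd:gid:member,member,...
        $1 == grp {
            found = 1
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "") member[m[i]] = 1
        }
        END {
            if (found) {
                # Accounts whose primary GID is the group count as members too.
                for (u in pgid)
                    if (pgid[u] == gid) member[u] = 1
                # Compare as strings so a member missing from passwd is
                # still reported instead of being treated as UID 0.
                for (u in member)
                    if (uid[u] != "0") print u
            }
        }
    ' "$pfile" "$gfile" | sort
}

# Typical call on a live system:
# group_members_nonroot operator
```

Empty output means the group has no non-root members in the files examined.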