Not sure whether we are affected by this one:

The yiff server, by default, will run as the root user, even though it only requires privileges to access the audio devices (/dev/dsp and /dev/mixer); no effort is made by the package to create a specific user and run the server as such.

This means that this opens up yiff-server to, at least, local attacks, since the localhost is always allowed access to the yiff server. Thus, a rogue (local) user can get the yiff-server to (try to) open up any local file. This can have bad consequences if a local user forces the yiff server to open up a device file if even reading it might be dangerous (consider the case, for example, if you can make the server read a hard disk drive).

The server does not make any effort to review the files it is requested, it will just open whatever is provided and try to determine if it's a Wav, Voc, or Raw file and try to play it.

This day and age, servers like yiff should run
a) under a non-privileged user
b) chrooted, if possible, so that it will only be able to access a set of files
c) do input checks to prevent it from going places it did not expect, for example, the server could only allow relative paths and resolve them to a fixed directory (/var/spool/yiff or whatever).

It looks like the code of the server has not been audited for security issues, which adds even more reasons to have this running as non-root in the default Debian installation.

Regards
Javier
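An added illustration of point (c) in the report above, not code from yiff or from anyone in this thread: a hypothetical helper `open_sound_file()` that accepts only relative names, resolves them under a fixed directory, and refuses anything that is not a regular file, so a request for a device node or a path outside the directory is rejected. It assumes the base directory is not `/` and that the requesting user cannot write to it.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* realpath(), O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open `requested` only if it is a regular file that
 * resolves inside `base_dir`. Returns a read-only fd, or -1 on rejection. */
int open_sound_file(const char *base_dir, const char *requested)
{
    char base[PATH_MAX], joined[PATH_MAX], resolved[PATH_MAX];
    struct stat st;
    size_t blen;
    int fd;

    /* Only relative names are accepted; absolute paths are refused. */
    if (requested == NULL || requested[0] == '\0' || requested[0] == '/')
        return -1;
    if (realpath(base_dir, base) == NULL)
        return -1;
    if (snprintf(joined, sizeof joined, "%s/%s", base, requested)
            >= (int)sizeof joined)
        return -1;
    /* Canonicalise ".." and symlinks, then require the base as prefix. */
    if (realpath(joined, resolved) == NULL)
        return -1;
    blen = strlen(base);
    if (strncmp(resolved, base, blen) != 0 || resolved[blen] != '/')
        return -1;

    /* O_NONBLOCK: never hang on a FIFO; O_NOFOLLOW: refuse a symlink
     * swapped in after the check above. */
    fd = open(resolved, O_RDONLY | O_NONBLOCK | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Check the opened object itself, so device nodes are never read. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}
```

This check complements, and does not replace, points (a) and (b): the process should still run without root privileges.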
I guess we would run it as a user in the "sound" group... No "need" to run as root under Gentoo I guess. vapier, your opinion as the yiff guy?
We don't provide an init script afaict so it's more the responsibility of the user to choose under which rights it would run. But it should nevertheless be fixed (either documenting the problem or adding filters on what should not be opened). Setting to Default Configs.
CC'ing maintainer (sorry for the delay).
Sound please advise.
As vapier added and bumped it in the past, probably he's the one who should take care of this. I saw eradicator has done some work on that, but he's occupied and I don't have knowledge of yiff to help, and probably the same for the rest of sound herd.
vapier any news on this one?
Vapier any news on this one?
I don't see anything calling yiff as root. As Koon pointed out there are also no initscripts. And no config files (just docs). A user should be no more inclined to run this as root than any other program. This bug imo can be closed as is unless we want to audit the source for fun.
Thx Solar.