In the text below, please remember I have no position on this. I'm just asking some questions, not interrogating! Could you please turn OFF that SPOTLIGHT!! :-)
I think the only risk (that I know of) would be an application that
hangs the machine because there is an infinite loop or lockup in the
audio thread (which is the one that runs with SCHED_FIFO - realtime
scheduling). The capabilities granted by jackstart to jackd (thus to
the jack clients) do not allow the process access to arbitrary files.
Is this true for all applications running on a capabilities enabled kernel,
or just those that are granted capabilities by jackstart?
That is true of any app that uses SCHED_FIFO scheduling, regardless of
how they switch into SCHED_FIFO (and regardless of which kernel they are
running on).
In the case of jack and a capabilities enabled kernel, provided you do
not run apps as root, applications granted special capabilities through
jackstart will be able to wedge the machine if improperly programmed.
Other applications will not receive any special capabilities and will
not be able to wedge the machine.
Is the concern clear? Could a particularly nasty person create a program, or replace some file used by jackstart or a Jackified application, that could open up the permissions you've granted?
Meaning grant more capabilities than just "allow you to switch into
SCHED_FIFO"? Yes, of course. A "hacked" jackstart/jack would be able to
do that. You could give jack clients any capabilities you wanted. But of
course any program that is hacked can be made into an evil program :-) A
hacked jack _client_ would not be able to receive any more than what
jackstart/jackd gives.
On this kernel could that nasty person create a program that exploits these capabilities in ways beyond what you are granting?
Meaning a clever programmer just creating a jack client? No, I don't
think so (but what do I know?). As long as jack is not changed then it
will just give a given set of capabilities, a client can only receive or
get what is given.
But jackstart does not have a monopoly on using capabilities. Any
program can use them in a capabilities enabled kernel. But to "exploit"
capabilities you have to initially be root (jackstart is suid root for
that reason). But, if you are root somehow and want to do nasty things,
you don't really need capabilities at all.
Maybe it's of no concern. I don't know. I think one of the advertised advantages of Linux is its security. However, one of the weaknesses is that people download source, of which they have no real knowledge, build and install as root, and then try out.
Yup. Any time you do something as root you are vulnerable.
PlanetCCRMA really reduces this weakness as we get precompiled binaries with folks like you to help protect us.
Yes and no. While I take care with what I build there are no guarantees.
In that sense I'm not that different from a "regular" user, obviously it
would be impossible for me to security audit all software...
However, if some nasty person out there wants to exploit this potential weakness then they could cause problems for people getting source from the net, and I think the 'capabilities enabled kernel' *may* make these weaknesses greater??
Not really. If some nasty person wants to create problems they do not
need to use capabilities. The very fact that normally users build
software as root is more than enough (i.e. create a software project with
a fancy name, make users install it as root and in the process create a
back door for later hacking). Ugly and simple.
-- Fernando
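The thread's point is that a capabilities-aware helper such as jackstart should hand out only the privilege needed for SCHED_FIFO (CAP_SYS_NICE), so the practical check is to inspect what a running jackd or client actually holds. The following is an added example, not code from jack or this thread: it parses the CapEff line of a /proc/<pid>/status text and flags any capability beyond CAP_SYS_NICE; the status text is a constructed sample, and the bit number comes from <linux/capability.h>.

```c
/* Added example, not from the thread: parse the effective capability set
 * from /proc/<pid>/status text and flag any capability beyond CAP_SYS_NICE,
 * the only one a SCHED_FIFO helper like jackstart should need to hand out. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_NICE_BIT 23U              /* number from <linux/capability.h> */
#define CAP_MASK(n) ((uint64_t)1 << (n))

/* Constructed sample: CAP_SYS_NICE (bit 23) plus CAP_DAC_OVERRIDE (bit 1). */
static const char SAMPLE_STATUS[] =
    "Name:\tjackd\nCapPrm:\t0000000000800002\nCapEff:\t0000000000800002\n";

/* Hex value after "CapEff:"; *ok is cleared if the line is missing/malformed. */
uint64_t parse_cap_eff(const char *status, int *ok)
{
    const char *p = strstr(status, "CapEff:");
    char *end;
    *ok = 0;
    if (p == NULL) return 0;
    p += strlen("CapEff:");
    uint64_t v = strtoull(p, &end, 16);
    if (end == p) return 0;
    *ok = 1;
    return v;
}

/* Capabilities held that the policy does not allow; nonzero = over-privileged. */
uint64_t excess_caps(uint64_t caps, uint64_t allowed)
{
    return caps & ~allowed;
}

/* Audit a status text against the "CAP_SYS_NICE only" policy:
 * -1 unparsable, 0 within policy, 1 holds extra capabilities. */
int audit_status(const char *status)
{
    int ok;
    uint64_t eff = parse_cap_eff(status, &ok);
    if (!ok) return -1;
    return excess_caps(eff, CAP_MASK(CAP_SYS_NICE_BIT)) != 0;
}
```

To audit a real process, feed audit_status() the contents of /proc/<pid>/status for the jackd or client in question instead of SAMPLE_STATUS.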