Running programs as root

Since getting a full-screen requires being root,
I set the owner of my binary to root and set SUID flag
with:

chown root mtvp; chmod +s mtvp

But SDL_Init() prints the following message:

Warning: This set-uid program may be a security risk

That’s because your program now has full root privileges when it
runs. I really don’t recommend doing this because it’s very likely
that your program has subtle flaws which can be exploited to give
root access to people logged in remotely. Even if you have done a
complete security analysis of your program, SDL is large enough that
I have not verified that it’s safe for set-uid programs.

Is there any way to prevent this message ?

Remove it from the source.

Also, what is the reason why root permissions are
necessary to use full-screen ? Why couldn’t the X
server let anyone go full-screen (as long as
no-one else is using the full-screen mode) ?

The X server gets the address of the linear frame-buffer by mmap()'ing
/dev/mem, which is controlled by the permissions on the device. Secure
systems set that device as readable only by root. If you open the
permissions of that device, then untrusted programs can read any part
of the machine’s physical memory – not a good idea.

This is a current limitation of Linux and people are working right now
to find alternatives to requiring root privileges for graphics.
Look in Linux 2.2+ for a solution. SDL will support the best one out
there, when it becomes available.

See ya!
-Sam Lantinga (slouken at devolution.com)

Lead Programmer, Loki Entertainment Software
Author of Simple DirectMedia Layer -
http://www.devolution.com/~slouken/SDL/

Sam Lantinga wrote:

Since getting a full-screen requires being root,
I set the owner of my binary to root and set SUID flag
with:

chown root mtvp; chmod +s mtvp

But SDL_Init() prints the following message:

Warning: This set-uid program may be a security risk

That’s because your program now has full root privileges when it
runs. I really don’t recommend doing this because it’s very likely
that your program has subtle flaws which can be exploited to give
root access to people logged in remotely. Even if you have done a
complete security analysis of your program, SDL is large enough that
I have not verified that it’s safe for set-uid programs.

So you suggest that people should “su” each time before
running our software ? Kinda not very convenient…

Is there any way to prevent this message ?

Remove it from the source.

I don’t want to patch the source, and I don’t want to have
to tell my customers/users that they should patch the source
of a library and rebuild it. IMHO libraries should
not print spurious messages or warning on stdout or
stderr (except in debug mode)… we all know that set-uid
programs are a possible security risk!

Also, what is the reason why root permissions are
necessary to use full-screen ? Why couldn’t the X
server let anyone go full-screen (as long as
no-one else is using the full-screen mode) ?

The X server gets the address of the linear frame-buffer by mmap()'ing
/dev/mem, which is controlled by the permissions on the device. Secure
systems set that device as readable only by root. If you open the
permissions of that device, then untrusted programs can read any part
of the machine’s physical memory – not a good idea.

Sure, but the X server itself is set-uid, so it should be able
to do that without my program being set-uid too.

This is a current limitation of Linux and people are working right now
to find alternatives to requiring root privileges for graphics.

Even in the current situation, since XFree86 is running set-uid root,
why can’t SDL ask the X server to do the protected operations ?
Of course, it is probably not as simple…

I hope this problem will eventually be resolved.

-t

Since getting a full-screen requires being root,
I set the owner of my binary to root and set SUID flag
with:

chown root mtvp; chmod +s mtvp

But SDL_Init() prints the following message:

Warning: This set-uid program may be a security risk

That’s because your program now has full root privileges when it
runs. I really don’t recommend doing this because it’s very likely
that your program has subtle flaws which can be exploited to give
root access to people logged in remotely. Even if you have done a
complete security analysis of your program, SDL is large enough that
I have not verified that it’s safe for set-uid programs.

So you suggest that people should “su” each time before
running our software ? Kinda not very convenient…

True, but it’s the most secure way of doing this right now.
I’ll remove the message from the library, but I recommend that in
your installation you provide a HUGE warning that setting the mtvp
program set-uid root is a security risk.

Sure, but the X server itself is set-uid, so it should be able
to do that without my program being set-uid too.

The user-program needs to do the mmap() to get the address in its
address space, therefore the user-program needs to be set-uid root.
Like I said, there are several solutions to this coming down the pike,
but none are ready for general use yet.

See ya!
-Sam Lantinga (slouken at devolution.com)

Lead Programmer, Loki Entertainment Software
Author of Simple DirectMedia Layer -
http://www.devolution.com/~slouken/SDL/

On Tue, 15 Dec 1998, Sam Lantinga wrote:

Since getting a full-screen requires being root,
I set the owner of my binary to root and set SUID flag
with:

chown root mtvp; chmod +s mtvp

But SDL_Init() prints the following message:

Warning: This set-uid program may be a security risk

That’s because your program now has full root privileges when it
runs. I really don’t recommend doing this because it’s very likely
that your program has subtle flaws which can be exploited to give
root access to people logged in remotely. Even if you have done a
complete security analysis of your program, SDL is large enough that
I have not verified that it’s safe for set-uid programs.

So you suggest that people should “su” each time before
running our software ? Kinda not very convenient…

True, but it’s the most secure way of doing this right now.
I’ll remove the message from the library, but I recommend that in
your installation you provide a HUGE warning that setting the mtvp
program set-uid root is a security risk.

Sure, but the X server itself is set-uid, so it should be able
to do that without my program being set-uid too.

The user-program needs to do the mmap() to get the address in its
address space, therefore the user-program needs to be set-uid root.
Like I said, there are several solutions to this coming down the pike,
but none are ready for general use yet.

You could also do what XFree86 does and provide a secure, setuid wrapper
binary that runs the program. Make sure that the wrapper, which does need
to be setuid, isn’t doing anything insecure like creating /tmp races,
buffer overflows, etc.


Scott M. Stone <sstone at pht.com, sstone at pht.co.jp>
Head of TurboLinux Development/Systems Administrator
Pacific HiTech, Inc (USA) / Pacific HiTech, KK (Japan)
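Sam's warning (a set-uid binary carries full root for its entire run, so any flaw in it or in SDL becomes a root hole) and Scott's wrapper suggestion come down to the same rule: acquire the privileged resource first, then give up root permanently before the program touches arguments, files or anything else a user controls. The following is an added example written for this page; it is not code from the thread, from SDL or from XFree86. It assumes a device node DEVICE, a target path TARGET and a descriptor number WRAPPER_FD, all illustrative. The wrapper opens the device while root, drops to the invoking user, scrubs the environment, and execs the real (non-set-uid) program with the open descriptor inherited, so the target never runs with root at all.

```c
/* Added example for this page (not code from the thread, SDL or XFree86):
 * a minimal set-uid root wrapper. It opens the privileged resource while
 * still root, permanently drops to the invoking user, scrubs the
 * environment, and execs the real program with the open descriptor
 * inherited. DEVICE, TARGET and WRAPPER_FD are illustrative assumptions. */
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define DEVICE     "/dev/mem"                 /* assumed privileged resource */
#define TARGET     "/usr/local/bin/mtvp.real" /* assumed real program, not set-uid */
#define WRAPPER_FD 3                          /* descriptor number the child expects */

extern char **environ;

/* True when the real and effective ids differ, i.e. the binary was
 * installed set-uid or set-gid and is being run by someone else. */
int running_setuid(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Permanently give up root. Order matters: supplementary groups and gid
 * first, uid last (after setuid() the gid calls would no longer be allowed).
 * As root, setuid() sets real, effective and saved uid, so the drop cannot
 * be undone; we verify that by checking that setuid(0) now fails.
 * Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && uid != 0 && setgroups(0, NULL) == -1) return -1;
    if (setgid(gid) == -1) return -1;
    if (setuid(uid) == -1) return -1;
    if (uid != 0 && setuid(0) != -1) return -1;   /* root came back: refuse */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* Names allowed through to the child; everything else (LD_PRELOAD,
 * LD_LIBRARY_PATH, IFS, ...) is dropped and PATH is pinned. */
static const char *const allowed[] = { "HOME", "USER", "TERM", "DISPLAY", "LANG", NULL };

/* Copy allow-listed "NAME=value" entries from env into out (capacity n,
 * NULL-terminated). Returns the number of entries, or -1 if out is too small. */
int sanitize_env(char *const *env, char **out, size_t n) {
    size_t count = 0;
    if (n < 2) return -1;
    out[count++] = "PATH=/usr/bin:/bin";
    for (; *env != NULL; env++) {
        const char *eq = strchr(*env, '=');
        if (eq == NULL) continue;                  /* malformed entry: skip */
        size_t len = (size_t)(eq - *env);
        for (const char *const *k = allowed; *k != NULL; k++) {
            if (strlen(*k) == len && strncmp(*k, *env, len) == 0) {
                if (count + 1 >= n) return -1;     /* leave room for the NULL */
                out[count++] = *env;
                break;
            }
        }
    }
    out[count] = NULL;
    return (int)count;
}

int main(int argc, char **argv) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    char *env[32];
    (void)argc;

    if (!running_setuid() && geteuid() != 0)
        fprintf(stderr, "warning: not running set-uid root; opening " DEVICE " will likely fail\n");

    /* 1. Acquire the privileged resource while still root. No O_CLOEXEC:
     *    the descriptor is meant to survive the exec below. */
    int fd = open(DEVICE, O_RDWR);
    if (fd == -1) { perror("open " DEVICE); return 1; }

    /* 2. Drop root before parsing arguments, touching files or anything
     *    else an attacker can influence. */
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }

    /* 3. Park the descriptor at a fixed number for the child. */
    if (fd != WRAPPER_FD) {
        if (dup2(fd, WRAPPER_FD) == -1) { perror("dup2"); return 1; }
        close(fd);
    }

    /* 4. Exec the real (non-set-uid) program with a scrubbed environment. */
    if (sanitize_env(environ, env, sizeof env / sizeof env[0]) < 0) {
        fprintf(stderr, "environment too large\n");
        return 1;
    }
    execve(TARGET, argv, env);
    perror("execve " TARGET);
    return 1;
}
```

Install the wrapper with `chown root wrapper; chmod 4755 wrapper` (the thread's `chmod +s` also sets the set-gid bit, which nothing here needs), and keep the target itself without any set-uid bit. The wrapper uses no temporary files and only fixed-size, bounds-checked buffers, which is the "no /tmp races, no overflows" property Scott asks for. One caveat: whether the child can then mmap() a given range through an inherited /dev/mem descriptor is kernel policy (later Linux kernels restrict /dev/mem ranges regardless of who opened it), so treat DEVICE as a stand-in for whatever privileged resource the program actually needs.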