[MPlayer-dev-eng] [PATCH] adjusting nice level from config/command line

Brian J. Murrell e64313b7d2df232b74394a855608d4bc at interlinx.bc.ca
Mon May 27 18:05:32 CEST 2002


On Mon, May 27, 2002 at 12:39:34PM +0200, Wojtek Kaniewski wrote:
> 
> maybe just unix philosophy isn't right enough for today's applications?

Perhaps not.  I think that is why POSIX capabilities were introduced,
although they look like they are headed for the closet as even their
chief promoter has had second thoughts on whether they are a good
solution or not.

> because it's uncomfortable. you could decode some video stream to raw
> rgb frames and put them on the screen as well, but i suppose you don't
> watch movies that way. yes, i could run mplayer as root, but that's not
> the way.

Instead, provide a binary that will allow anyone that can get at your
box to r00t it?  That is just silliness.

> could you point out any errors in this patch?

Well, you are advertising that with your patch, you can suid-root
MPlayer.  I don't see anywhere in your patch where you give up root
permissions after you have done everything you need to do as root.
The basics of suid-root is to immediately do whatever you need root
access to do and then to drop root privileges (back to the user that
owns the process) so that the process cannot be used to exploit the
machine.

> i don't understand why it is
> ,,improper and insecure''.

Because with your patch, the process _never_ gives up root privilege.
Very bad.  That means that every line of MPlayer code could
potentially give a non-root user root access.  However if the first
thing main() did was your nice() then dropped root privilege, the
security risk is much mitigated.

> increasing priority was one of the examples.
> it can be also used to decrease priority when decoding video or audio
> stream to a file.

Yeah, that is fine, but don't retain root longer than it is needed.

> the documentation already points that making mplayer a suid executable
> is insecure on DGA's example. well, why don't just remove DGA support?
> isn't it improper and insecure?

I don't know the details of DGA and why giving root for its access is
insecure so I can't comment on this.

> besides, i assumed

Never assume.

> that _every_ user taking advantage of increasing
> mplayer's priority using ,,-nice -19'' will know what the risks are
> of giving suid.

Especially never assume regarding security.

b.

-- 
Brian J. Murrell
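The sequence Brian describes (do the one privileged thing first, then give root back permanently and verify it cannot be regained), as an added example in C. This is not part of the patch under discussion or of MPlayer's code; the function names are assumed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 1: the one thing that needs root, the negative nice() increment.
 * nice() may legitimately return -1, so errno is the only reliable error
 * indicator. Returns 0 on success, -1 on failure. */
int apply_nice(int increment)
{
    errno = 0;
    if (nice(increment) == -1 && errno != 0)
        return -1;
    return 0;
}

/* Step 2: give root back permanently by returning to the real uid/gid that
 * owns the process. Returns 0 when there was nothing to drop or the drop
 * succeeded, -1 when the process is still root or can become root again. */
int drop_root_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() != 0 || ruid == 0)
        return 0;   /* not running suid-root: nothing to drop */

    /* Order matters: groups, then gid, then uid; once the uid is non-root
     * the first two calls would no longer be permitted. */
    if (setgroups(0, NULL) != 0 || setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;

    /* Verify the drop is irreversible: regaining euid 0 must now fail. */
    if (seteuid(0) == 0 || geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

/* What a suid-root main() should do before touching any other code.
 * Root is dropped even when nice() failed. Returns 0 on success,
 * -1 if nice() failed, -2 if still privileged (caller must abort). */
int nice_then_drop_root(int increment)
{
    int nice_rc = apply_nice(increment);
    if (drop_root_privileges() != 0)
        return -2;
    return nice_rc;
}
```

Run unprivileged, the drop is a no-op and the functions return 0; installed suid-root, every line of the player after nice_then_drop_root() runs as the invoking user.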

