On Mon, Oct 25, 2004 at 09:07:10AM -0400, Neal D. Becker wrote:
> Arjan van de Ven wrote:
>
> > On Mon, Oct 25, 2004 at 05:59:57AM -0700, Barry K. Nathan wrote:
> >> On Mon, Oct 25, 2004 at 02:44:56PM +0200, Arjan van de Ven wrote:
> >> > why would sound stuff need to be setuid root ? the PAM console code
> >> > will make sound devices accessible to local users already.
> >>
> >> So it can run at realtime scheduling priority?
> >
> > sounds like a bad idea to me...
> >
> Why?

I was going to ask that too, but then I Googled and found this:

http://kdenews.unixcode.org/?node=news&action=article;18
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=266760
http://bugs.kde.org/show_bug.cgi?id=88401
http://bugs.kde.org/show_bug.cgi?id=86426

Even if artsd isn't running as root, the fact that it obtains realtime priority (via a setuid artswrapper) lets it take down the system (whether with an intentional denial-of-service attack or because of accidental bugs).

-Barry K. Nathan <barryn@xxxxxxxxx>