On Mon, 13 Dec 2010, Samuel Thibault wrote: > That depends what you consider as security risks. No buffer overrun is > enough for not compromising the kernel. Being able to change the way the > speech synthesizer (that the owner of the machine uses to be able to > control it) simply by being logged as a mere user on the machine, that > might be considered as a security risk. Think of it as being able to > change the text font of the VGA console, you don't really want to allow > users to be able to do that. You also have potential Denial of Service > by setting the volume to zero, setting the speed at maximum, etc. etc. > > Samuel Hi Samuel: You could consider it a security risk in a highly unlikely situation although I would rate it as more of an iritation than a security risk. As you point out if the owner/admin at the console is being teased/bother/whatever by someone logged into the machine then they can easily just remove the offending user. One needs to sit back from the hypothetical situation and think about it logically. I am a person in exactly the hypothetical situation you are trying to suggest. I am the administrator of a computer lab of many machines of various opperating systems. Many students and colleagues have access to these systems on a daily basis. I have never seen anything even close to the type of condition we are hypothetically discussing. I work for a very large university. My question of curiosity is simply to determine why this is a possible concern in a very unlikely event. If something is a security risk then we need to determine what it is and how to fix the problem rather than having security through obscurity. BTW, I aggree with Chris that the best solution from my perspective is to set-up a speakup group and use group writable bits. I really don't think that is any less of a security risk however. -- Kirk Reiser The Computer Braille Facility e-mail: kirk at braille.uwo.ca University of Western Ontario phone: (519) 661-3061
