how is pulseaudio supposed to work?

Lennart Poettering mzerqung at 0pointer.de
Wed Dec 19 16:07:50 UTC 2007


On Wed, 19.12.07 16:44, Nicolas Mailhot (nicolas.mailhot at laposte.net) wrote:

> > Hmm? What does dmix have to do with microphones?
> 
> You raised the security argument. Mere mortals like Simo only see
> actual potential security problems with microphones. (running a wide
> open dmix is a small security problem but no one here is asking to mix
> the active desktop session beeps with the background music started out
> of this  session)

Uh? dmix is not involved with recording audio.

However, dmix has two problems if you open it up for other users: you
can use it to capture whatever the other users play [1], and you get
more access to the other processe's internals than is safe. I.e. you
can make the other process freeze, burn CPU and so on.

> Note that:
> - being able to cut audio resources from other applications just by
> logging in is a DoS in security-speak.

Ah! that's good. The last time I tried to run "rm /etc/fstab" as a
normal user all I got back was "Access denied". I never came to the
conclusion that this should be considered a "Denial of service". But
indeed, we should consider all "Access denied" errors to be "Denial of
service" exploits. Let me prepare those mails to bugtraq...

> - if you can log in a system there are many more attack vectors than
> audio devices (let alone that most of the time people will have also
> physical access so they can leave a small recorder next to the
> computer)

This. Is. Just. Great.

> - pushing many users to hack manually around rigid security rules that
> forbid common use-cases has not been known to improve security
> overall.

It. Gets. Even. Better.

Lennart

Footnotes:

[1] And I certainly don't want other people using my machine to spy on
    my VoIP calls or listen into the audio track of my very private
    porn videos! ;-)

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net         ICQ# 11060553
http://0pointer.net/lennart/           GnuPG 0x1A015CC4




More information about the fedora-devel-list mailing list