nagler@uunet.uu.net (Robert Nagler) (03/14/89)
mephdbo%prism@gatech.edu (d. majumder) writes: >Is there any way to prevent people not logged onto the console to execute >screenload with rasterfiles. The moderator goes on to say: >... It would be nice if the frame buffer device was only accessible >by the person logged on to the console. How about a set-uid program that >changes the ownership .... Then no one else could open it. ... --wnl Given that the selection_svc runs with the user id of the person who started suntools after the last reboot (whew!) and NOT with the user id of the person running suntools at the time, I think this wouldn't work too well (unless you don't "share" workstations). [[ That's a security hole, by the way. I consider it a bug. --wnl ]] I remember an incident when a co-worker put a setkeys command in their ".login" (without special checks). This worked fine until the user rlogin'ed to someone else's workstation. It's amazing how much confusion this caused. A server based system like X or News at least avoids some of these problems inherent in the design of suntools. However, I don't believe the designers of X or News have bothered to implement security features of this kind. (Rumor has it that window system designers have formed a society to save the nearly extinct April Fool's Day prankster.) Rob Nagler / nagler%olsen.uucp@uunet.uu.net
martin%EASBY.DURHAM.AC.UK@cunyvm.cuny.edu (Martin Ward) (03/14/89)
We use a small set-uid root program called "suntools.sec" which changes
ownership of /dev/fb to the person logged into the console and sets
permissions on it to 600, and then runs suntools. When suntools terminates
it sets the ownership and permissions back to normal. It seems to work ok
with no problems (only problem I have had is doing an su and then trying
to run a grapgics program. Solution is to do "chgrp <some group I am in
and the userid i am su-ing to is in. ie staff>" and chmod 666 /dev/fb.
This is possible because I own /dev/fb while suntools is running).
Martin.
[[ I think he meant "660" instead of "666". --wnl ]]
My ARPANET address is: martin%EASBY.DUR.AC.UK@CUNYVM.CUNY.EDU
JANET: martin@uk.ac.dur.easby BITNET: martin%dur.easby@ac.uk
UUCP: ...!mcvax!ukc!easby!martin