LCDproc development and user support list



[Lcdproc] config_get_string


  • From: joris AT robijn.net (Joris Robijn)
  • Subject: [Lcdproc] config_get_string
  • Date: Tue Dec 4 00:16:02 2001

> > Not so sure...
> > Someone with local access and a way to modify the config file could
> > trigger the problem. So maybe a local exploit is possible.
>
> Yes, possible ;)
> So shouldn't configfile.c check that already?
> I mean, a device file of let's say 100 chars wouldn't be that normal ;)
> Have you already done that, Joris?

No, that's not done. I don't think it is possible, because we don't
know what kind of values a programmer wants to read from the config
file. I have a hard limit of 200 right now.

But maybe it is a good idea to only allow clean characters. Even
then, you can compose a string with escaped special characters, so
you _can_ get special chars in a string.

But if you run LCDd as root, the config file should be writable by
root only (maybe staff or wheel). Just like all daemons, seems to me.
We could check that...

It's better to focus some attention on the socket vulnerability.

Joris

--
Joris Robijn
<joris AT robijn.net>
Home: 053 4311 553
Mobile: 06 288 41 964

// To understand recursion, we must first understand recursion
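
The ownership and permission check suggested in the message above ("We could check that..."), as an added example that is not part of the original post and is not LCDproc code. The function names, result codes and the trusted-group parameter (standing in for "maybe staff or wheel") are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result codes; not part of LCDproc. */
enum cfg_trust {
    CFG_OK = 0, CFG_ERR_OPEN = -1, CFG_ERR_NOT_REGULAR = -2,
    CFG_ERR_OWNER = -3, CFG_ERR_GROUP_WRITABLE = -4, CFG_ERR_WORLD_WRITABLE = -5
};

/* Pass this as trusted_gid when no group may have write access. */
#define CFG_NO_TRUSTED_GROUP ((gid_t)-1)

/* Check an already opened file, so the result describes the object that
 * will be parsed and not whatever the path names a moment later.
 * A daemon running as root would pass owner = 0. */
int config_fd_trusted(int fd, uid_t owner, gid_t trusted_gid)
{
    struct stat st;

    if (fstat(fd, &st) != 0)    return CFG_ERR_OPEN;
    if (!S_ISREG(st.st_mode))   return CFG_ERR_NOT_REGULAR;
    if (st.st_uid != owner)     return CFG_ERR_OWNER;
    if (st.st_mode & S_IWOTH)   return CFG_ERR_WORLD_WRITABLE;
    /* Group write is tolerated only for the one trusted group. */
    if ((st.st_mode & S_IWGRP) &&
        (trusted_gid == CFG_NO_TRUSTED_GROUP || st.st_gid != trusted_gid))
        return CFG_ERR_GROUP_WRITABLE;
    return CFG_OK;
}

/* Open path read-only and return the descriptor only if it passes the
 * check; *why receives the reason on failure. O_NOFOLLOW covers only the
 * final path component, so parent directories need the same care. */
int open_trusted_config(const char *path, uid_t owner, gid_t trusted_gid,
                        int *why)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);

    if (fd < 0) { *why = CFG_ERR_OPEN; return -1; }
    *why = config_fd_trusted(fd, owner, trusted_gid);
    if (*why != CFG_OK) { close(fd); return -1; }
    return fd;
}
```

The parser would then read from the returned descriptor rather than reopening the path, so the file that was checked is the file that gets parsed.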
