
Re: [coldsync-hackers] Snapshot: 2.0.0



>>>>> "Andrew" == Andrew Arensburger <arensb+CShackers@ooblick.com> writes:

    Andrew> type of connection ("serial", "usb", or "net").  In daemon
    Andrew> mode, ColdSync establishes a connection with the Palm,
    Andrew> reads its serial number, username and userid, looks those
    Andrew> up in /usr/local/etc/palms, then setuid()s to the
    Andrew> appropriate user, and runs a normal sync.  Here's a sample
    Andrew> /usr/local/etc/palms:

I hope nobody gets offended by this message, but.. Has anyone thought
about the security implications of this? 

I haven't checked the code, so it might very well be the perfect
example of a setuid() application, but I've seen far too many reports
of applications using setuid() with security holes not to
react. Especially since coldsync is a network-enabled daemon.

Perhaps there is another way of doing this? Because the functionality
is of course a thing we want.

Perhaps one could run the coldsync daemon as a special user that's
a member of a special group, and then the individual .palm-directories
of coldsync-using users could be write-enabled for the special
group. Or something like that. Of course this adds complexity.

Something else that would be nice to have is a one-user daemon
mode where coldsync runs as a daemon for one user on one
computer. Useful for a standalone workstation. Or is that
perhaps possible with the current daemon code?

I emulate this with coldsync 1.4.6 with a shell script that looks like
this:

while coldsync ; do : ; done

Works quite OK, but a daemon would look better :-).

\EF
-- 
Erik Forsberg                 http://www.lysator.liu.se/~forsberg/
GPG/PGP Key: 1024D/0BAC89D9 <forsberg@lysator.liu.se> 
Key Fingerprint: B308 87FC 566E 825A 5ABC  247C AC9B AB14 0BAC 89D9

-- 
This message was sent through the coldsync-hackers mailing list.  To remove
yourself from this mailing list, send a message to majordomo@thedotin.net
with the words "unsubscribe coldsync-hackers" in the message body.  For more
information on Coldsync, send mail to coldsync-hackers-owner@thedotin.net.
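
The setuid() step discussed in this message, as an added example that is not part of the original post and is not ColdSync's code: a root daemon that has mapped a device to a local account drops privileges permanently, checks every return value, and refuses to continue if the drop cannot be verified. The function names lookup_sync_user() and drop_privileges() are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes setgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Resolve the login name found in the mapping file; refuse unknown
 * accounts and root, which a sync daemon should never become. */
static const struct passwd *lookup_sync_user(const char *name)
{
    if (name == NULL || *name == '\0')
        return NULL;
    const struct passwd *pw = getpwnam(name);
    if (pw == NULL || pw->pw_uid == 0 || pw->pw_gid == 0)
        return NULL;
    return pw;
}

/* Permanently become uid/gid. Returns 0 on success, -1 on any failure;
 * on -1 the caller must exit rather than sync with leftover privilege. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;
    /* Order matters: supplementary groups and gid go first, while root. */
    if (setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    const struct passwd *pw = lookup_sync_user(argc > 1 ? argv[1] : "");
    if (pw == NULL || drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "refusing to sync: cannot drop privileges\n");
        return 1;
    }
    printf("now running as uid %ld\n", (long)getuid());
    return 0;
}
```

Run as root with a login name as the only argument; started without root, the setgroups() call fails and the program exits without syncing.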