author | Eric S. Raymond <esr@thyrsus.com> | 2005-04-29 18:04:44 +0000 |
---|---|---|
committer | Eric S. Raymond <esr@thyrsus.com> | 2005-04-29 18:04:44 +0000 |
commit | 15ef9420ea6112b537c20b42d33aabf10a1fba80 (patch) | |
tree | 1182cfa0eee0b619fbc702535dbf4cdadaeba93d /HACKING | |
parent | cc77a34ab2dd0d73ce4b3acec52d7f5b37ab71b6 (diff) | |
download | gpsd-15ef9420ea6112b537c20b42d33aabf10a1fba80.tar.gz |
Note about privilege-dropping.
Diffstat (limited to 'HACKING')
-rw-r--r-- | HACKING | 11 |
1 files changed, 8 insertions, 3 deletions
@@ -118,9 +118,8 @@ that might call gps_poll() without such a guarantee. ** Security Issues Between versions 2.16 and 2.20, hotplugging was handled in the most -obvious obvious way, by allowing the F command to declare new GPS -devices for gpsd to look at. Because gpsd runs as root, this had -problems: +obvious way, by allowing the F command to declare new GPS devices for +gpsd to look at. Because gpsd runs as root, this had problems: 1) A malicious client with non-root access on the host could use F to point gpsd at a spoof GPS that was actually a pty feeding bogus @@ -152,6 +151,12 @@ untrusted and for saferty's sake should treat GPS data as untrusted too (in particular this means never assuming that either source won't try to overflow a buffer). +Daemon versions after 2.21 drop privileges after startup, setting UID +to "nobody" and GID to whichever group owns the GPS device specified +at startup time -- or, if it doesn't exist, the system's +lowest-numbered TTY device named in PROTO_TTY. It may be necessary to +change PROTO_TTY in gpsd.c for non-Linux systems. + ** Autoconfiguration One of the design goals for gpsd is to be as near zero-configuration |
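Review bot: the new paragraph in the second hunk (+Daemon versions after 2.21 drop privileges ...) names the target UID ("nobody") and GID (the group owning the GPS device) but not the order in which they are dropped, and the order matters: the group change (setgroups()/setgid()) has to happen before setuid(), because once the effective UID is unprivileged the group change is no longer permitted. Spell out "group first, then user" so that anyone editing gpsd.c from this description does not end up still holding root's supplementary groups. The paragraph also leaves two failure modes undocumented: what the daemon does when neither the startup device nor the PROTO_TTY fallback exists, and what it does when no "nobody" account is present (exit, or keep running as root?); one sentence on each would make the security section complete. While this hunk touches the paragraph, the unchanged context line "for saferty's sake" still carries a typo and should read "for safety's sake".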