> this is about the HylaFAX Facsimile Software copyrighted by Sam
> Leffler and Silicon Graphics, Inc but available for free.

While we're discussing HylaFAX...I have no flaws like the one mentioned to report. But the thing is designed in a way that makes it damn near impossible to run it "cordoned off". I spent several hours ripping out checks for uid==0 in various pieces of it, trying to make it run as non-root (I knew damn well no root privilege was fundamentally needed for the functions I wanted, nor indeed for most of its functions). I eventually gave up and am now using efax instead, which is much closer to what I wanted anyway and doesn't give a damn who it runs as as long as it can read the page images and talk to the modem. (I didn't know efax existed when I first looked at HylaFAX, or I would have tossed the latter much sooner.)

Anything that takes me hours of struggling to make it run as non-root is not something that gives me the warm fuzzies about running on my system; at the very least, it most certainly is not designed from a "least privilege" mindset! I find it hair-raising to think that most admins probably would happily hand it the keys to their system and never even think that the copy they got might have been tampered with, or even just plain have a bug - like the one that prompted the message I'm responding to. If HylaFAX had been done right, that bug would have exposed at most the fax user, instead of probably (I haven't looked to see which of the affected pieces run as root) root - though I suspect that with HylaFAX installed, compromising the fax user is probably just one trivial step away from getting root anyway.

Pursuant to the "vendor notification" thread: I haven't told Sam Leffler. The documentation makes it clear he does not want to hear anything about HylaFAX unless accompanied by patches, and I don't have a functioning run-as-non-root setup to generate patches from. Shrug. If it were properly[%] designed, it wouldn't demand root anyway.

[%] "properly" from a security-weenie perspective.

der Mouse

mouseat_private
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B