Re: tlug: Permissions on /dev/audio, et al

["Stephen J. Turnbull" <turnbull@example.com>]

>>>>> "Scott" == Scott Stone <sstone@example.com> writes:

    Scott> I don't see any reason why letting people access /dev/dsp,
    Scott> /dev/audio creates a security risk at all...

    >> The obvious one: denial of service.

    Scott> How could you do a DOS attack using /dev/audio?

Wrong question.  "How can you do a DOS attack *on* /dev/audio?" is the
right one.  You may not care, but my blind acquaintance would.

Unless you can prove monetary damages, shutting down /dev/audio for a
millisecond and shutting down the whole PCI bus for a millisecond are
equally denial of service in the eyes of the law.

True, none of this matters if you have no interlopers in your system.
But anytime you lose control of any of your system facilities, it's a
security breach.

There is also a "real" DOS attack I can think of.  My sound driver has
some kind of debugging enabled, and by inducing buffer overruns one
could fill the system logs.

Far-fetched?  Of course.  Impossible?  No.

BTW, I _love_ that acronym:  (MS-)DOS == "denial of service"!!

Steve

---------------------------------------------------------------
Next TLUG Nomikai: 11 March Wed 1998 Tengu TokyoEkiMae 19:30
Chuo-ku, Kyobashi 1-1-6, EchiZenYa Bld. B1/B2 03-3275-3691
Next TLUG Meeting: 11 April 1998 Saturday, Tokyo Station
Featuring Tague Griffith of Netscape i18n talking on source code
---------------------------------------------------------------
a word from the sponsor:
TWICS - Japan's First Public-Access Internet System
www.twics.com  info@example.com  Tel:03-3351-5977  Fax:03-3353-6096