[Xastir] Trap for Young and Old

Curt, WE7U curt.we7u at gmail.com
Wed Jun 18 15:00:42 EDT 2014


On Wed, 18 Jun 2014, Jason KG4WSV wrote:

>> chmod 4755 /usr/local/bin/xastir
>
> This is not a good idea - from a security standpoint it's very bad, and unless xastir is designed to drop/escalate the euid as needed you will end up with files in the user's directory that are owned by root, leading to other problems.

Xastir does this, but would you want to trust the security of your system to a bunch of hobbyists?  ;-)

We do what we can, but I wouldn't say Xastir has been thoroughly gone through from a security standpoint.  It's better than a lot of programs, as we took care when writing/modifying that portion of code, but there are no guarantees.


> The problem isn't xastir, it's ax25 networking. Maybe someone can offer a fix (e.g. udev rule) to solve the actual problem?

Technically it isn't a problem:  The AX.25 networking port is implemented similarly to ethernet ports in terms of permissions.

For Xastir to be able to access the port, it needs root privileges.  Since it is a bad idea to run Xastir as root, you run it as a normal user but do the "chmod 4755" thing against the executable.  Hopefully those people who run that command have some idea of the implications to security.  Because of this it was decided NOT to put it into the script.  Those that need it can run the command separately, and hopefully read up on what it means prior.

-- 
Curt, WE7U.        http://wetnet.net/~we7u
APRS Client Capabilities:  http://wetnet.net/~we7u/aprs_capabilities.html
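
The drop/escalate handling of the euid discussed in the message above, as an added C example (not Xastir's code and not part of the original post). The helper names and the /tmp file template are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper names; none of this is taken from Xastir. */
static uid_t priv_euid; /* euid at startup: root when installed 4755 root */
static gid_t priv_egid;

/* Drop to the real user. Group first, while we may still be privileged. */
int privs_drop(void) {
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0) return -1;
    return (geteuid() == getuid() && getegid() == getgid()) ? 0 : -1;
}

/* Call first in main(): remember the privileged ids, then run unprivileged. */
int privs_init(void) {
    priv_euid = geteuid();
    priv_egid = getegid();
    return privs_drop();
}

/* Regain the startup ids (possible because the saved set-user-ID keeps them). */
int privs_raise(void) {
    if (seteuid(priv_euid) != 0 || setegid(priv_egid) != 0) return -1;
    return (geteuid() == priv_euid) ? 0 : -1;
}

/* Create a file while dropped and return its owner, or (uid_t)-1 on error. */
uid_t owner_of_new_file(void) {
    char path[] = "/tmp/privdrop_XXXXXX"; /* constructed sample path */
    struct stat st;
    int fd = mkstemp(path);
    if (fd < 0) return (uid_t)-1;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    return rc == 0 ? st.st_uid : (uid_t)-1;
}

int main(void) {
    if (privs_init() != 0) return 1;   /* everything below runs as the user */
    printf("new file owned by uid %ld\n", (long)owner_of_new_file());
    if (privs_raise() != 0) return 1;  /* only around the privileged open */
    /* ... open the privileged port here (placeholder) ... */
    if (privs_drop() != 0) return 1;   /* and back down immediately */
    return 0;
}
```

Files created between privs_init() and privs_raise() are owned by the invoking user rather than root. The saved set-user-ID remains root for the life of the process, so this pattern limits accidents and file-ownership problems but does not contain a code-execution bug in the program.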