Rich Freeman on 11 Apr 2018 08:25:14 -0700



Re: [PLUG] the most serious vuln (today)


On Wed, Apr 11, 2018 at 11:03 AM, Fred Stluka <fred@bristle.com> wrote:
> On 4/9/18 1:24 PM, Rich Freeman wrote:
>>
>> On Mon, Apr 9, 2018 at 12:25 PM, jeff<jeffv@op.net>  wrote:
>>>
>>> https://www.securityweek.com/vulnerabilities-found-linux-beep-tool
>>
>> Hmm, Gentoo does not install beep by default, and when it is installed
>> it does not set the suid bit by default.  It has also been fixed on
>> Gentoo anyway.  I have to imagine most distros will be patching this.
>>
> Interesting...  I never knew there was an official beep command.
> I wrote one myself 30 years ago.  It's a shell script that simply echoes
> a Ctrl-G character.  I later added a feature to echo a text string as well
> as beeping.
>

I think the intent of the beep program (especially if installed suid)
is for programs to be able to beep the speaker WITHOUT having write
access to the system console or audio devices (such as for a daemon).

Echoing Ctrl-G is a superior solution for console-oriented software,
because for remote connections it will beep the user's terminal, and
not the system console (which could be on the other side of the planet
in a datacenter).

I believe the intent of the beep command is to only beep the system
speaker itself.  Perhaps it might be used by some kind of daemon to
get an operator's attention/etc.  Really though I don't see the point
as it tends to conflate the more desktop-oriented experience (where
the user should have write access to console/audio/etc) and the more
server-oriented experience (where there are certainly better ways to
do monitoring, especially since that little PC speaker doesn't scale
well when you have racks of servers in a noisy room, possibly remotely
administered).

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug