Bugzilla – Bug 347822
AUDIT-0: PulseAudio permissions
Last modified: 2009-10-14 01:51:08 UTC
I just submitted a new pulseaudio package, from http://download.opensuse.org/repositories/home:/rodrigomoya:/pulseaudio/ and came to the /usr/bin/pulseaudio which, as we found in the Fedora package, needs special SUID permissions to be run as a system daemon for all users. We are yet not 100% sure this is needed, since the first version of the package from Takashi didn't need this, but it might be needed for multi-user environments AFAIK. Need auditing from security team
System daemons should be started during boot-up therefore no setuid is needed.
a very brief look at PulseAudio shows that it uses the setuid root only for getting the CAP_SYS_NICE capability and then drops the setuid things. (although badly, without return value checking *sigh*) So it is user-based, but with setuid root for switching to realtime/fifo scheduliong (haven't looked for the code). having it without setuid root 755 now will work fine for testing while we review and report bugs.
anything happened here?
closing
CVE-2008-0008: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)