> > Short of recompiling with the port 879 bind/listen disabled? No. And I
> > don't think this is required. I'm in no mood to summarize the argument on
> > that point again - pmud is only accessible to the local user, and it
> > _should_ be accessible to the local user. If you can't trust the local
> > user not to put your machine to sleep (that's all they can do), tough
> > luck.
>
> well... personally i would not want all users to be able to put my
> machine to sleep, remember that local user != console user.

For a laptop machine? If you have a Powerbook permanently hooked up to the
network and dozens of users logged in, chances are it's on AC power and you
won't need pmud. Don't run it, then.

> in this case a unix domain socket might be a nicer way to go since you
> can change the permissions to only allow a certain group access.

Yeah, that would be the only benefit I can see, and Unix' permissions model
is too weak to bother.

> being able to restrict access to only the most trusted of users also
> reduces risks of potential security holes that could be found. (i
> assume pmud runs as root?)

The commands read from the TCP port are read into a fixed buffer, using a
fixed size, and copied to malloced storage later. Can't see a buffer
overflow there ... anything else you're concerned about?

> > BTW: pmud listening to commands (like 'sleep' or 'power') on a socket is a
> > feature, not a bug. The benefits of this feature outweigh the potential
> > risk for typical laptop computer use.
>
> yes i agree with this, but i think a unix domain socket would probably
> be a better choice in this case. the localhost only port is not that
> bad but is simply not as flexible.

I think it's a red herring. And I'm not the maintainer of pmud anyway, I
just package pmud. Please take your concerns to Stephan.

	Michael