Ghostscript, LD_LIBRARY_PATH, and the uid of hfaxd and faxq

To: Hylafax Mailing List <flexfax@sgi.com>
Subject: flexfax: Ghostscript, LD_LIBRARY_PATH, and the uid of hfaxd and faxq
From: Nico Garcia <raoul@cirl.meei.harvard.edu>
Date: Fri, 16 Jan 1998 12:15:41 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----

I just reminded myself the hard way that ghostscript needs to have the
X11 libraries compiled in with "-L/usr/openwin/lib" or
"-L/your-local-X-libraries" for HylaFAX, since faxq gets at it and is
operating as root. This means it will ignore the LD_LIBRARY_PATH under
SunOS, even if it is set in ps2fax.

This does raise a security concern. Would it be possible with the
latest revisions to run faxq and hfaxd as the UID for "fax", rather
than having them run as "root"? What is the trade-off or disadvantage?
I realize that hfaxd and faxq does a number of uid changes. Are these
sufficient, and should we review that behavior for security holes.

			Nico Garcia
			Engineer, CIRL 
			Mass. Eye and Ear Infirmary
			raoul@cirl.meei.harvard.edu

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNL+VlD/+ItycgIJRAQFoCwP/Yw8gEa9F4n2HvsNvOIX8Viw2PP+F3RDF
6FlyV+f0jC7uCUw67JoVpPFGz4ycDA+dVej7Rma13dgcH7BlRjwQGDBkcJFtx+sG
vQ7s4mdDcI617L9l0E2Mm8+Wp1LrhovTeQVmrDbZOeUMG5O/1sLWqlvE2PozwEHR
Fa1xJUvemEs=
=cH/t
-----END PGP SIGNATURE-----

Prev by Date: HylaFax Setup
Next by Date: Hylafax 4.0pl1: allowing empty TSI
Prev by thread: HylaFax Setup
Next by thread: Hylafax 4.0pl1: allowing empty TSI
Index(es):
- Main
- Thread

Report any problems to webmaster@hylafax.org

HylaFAX is a trademark of Silicon Graphics Corporation.
Internet connectivity for hylafax.org is provided by:
VirtuALL Private Host Services