From: David Craven <david@craven.ch>
To: "David Craven" <david@craven.ch>,
	"Ludovic Courtès" <ludo@gnu.org>,
	"Marius Bakke" <mbakke@fastmail.com>,
	guix-devel <guix-devel@gnu.org>
Subject: Re: Add murmur.
Date: Sun, 12 Feb 2017 15:37:14 +0100
Message-ID: <CAL1_immGbTFrBo7=7oqJgwn6qTh34PbwfGsBeHrh+zGLK=7njg@mail.gmail.com>
In-Reply-To: <20170212140234.xno3tzpzgvndirt3@wasp>

> You read too much between the lines in my words.

> I'm not counting on the certifications of Hartmut. I simply agree with
> the reasoning that no client and server should be combined if possible
> to limit the attack surface. That's all.

That may be true. It was my intention to back Ludo. I think that it is a minor
issue at best, since anything that isn't accessible over the network or running
with any sort of privileges is not very useful.

An attack usually involves exploiting a service for remote code execution,
followed by privilege escalation and finally securing access to the system
and cleaning up traces.

This is an unprivileged binary on a server, and it isn't even running.
Exploiting any bugs in the client would require starting the client first.
This means that an attacker has already gained physical access or is able to
perform remote code execution.

This hypothetical attacker is trying to escalate privileges. I don't see how
starting an unprivileged process would help with that.

But then again - I'm not an expert and don't have any credentials - so I'd be
interested to know if there is a way of exploiting this.
