POV-Ray: Newsgroups: povray.general: Security Issues in Povray?: Re: Security Issues in Povray?

POV-Ray : Newsgroups : povray.general : Security Issues in Povray? : Re: Security Issues in Povray?		Server Time 6 Aug 2024 08:14:40 EDT (-0400)

From: Vahur Krouverk
Date: 22 Apr 2002 14:18:02
Message: <3CC45432.8040603@comtrade.ee>

ncryptor wrote:
[Snip]
 > A possible exploit of this could be to gain access to a computer running
 > pov as part of a render farm. The command line for pov depends on the
 > information sent from the server to the client farmer, so an exploiter
 > could spoof information and gain access to the user's computer.
 >

Yes, it is possible, but such exploits are usually used with programs,
running under root authority ('suid programs'). Does POV-Ray run under 
root authority? Does it need to run under root authority? I guess that 
in both cases answer is No. So even if someone used such exploit, then 
all he gains, is ordinary user's authority. And renderfarms could limit 
user rights for running POV-Ray to minimum (possibility to read scene 
files and write output file into predefined directory).
[Disclaimer: I'm not expert in Unix/Linux security, so there might be 
something I'm missing.]

Post a reply to this message