[maemo-developers] Security Guidance for N800 OS development

From: Eero Tamminen eero.tamminen at nokia.com
Date: Thu Feb 22 09:24:30 EET 2007

ext Gustavo Sverzut Barbieri wrote:
>   - canola-conf listen to (can be changed using
> GConf), it's a webserver that serves HTML, JS, ... it's written using
> libsoup and actions (/actions/ClassName/{get,set}_data and
> /actions/ClassName/get_presentation) is written in C, for objects that
> implement CnlIConfigure interface, so far I wrote them all. I'm still
> not aware of any buffer overflow that could compromise the device.
> Worth remembering that it runs as "user", not root.

"user" user can do anything in the device that the device owner can
through the the device UI, so in practice this does *not* prevent
compromised process from doing _anything_ that matters.

To be more secure:
- run the process e.g. as user "nobody", this way it cannot
   ruin user's settings, files, install other SW (through sudo) etc
- nice the process, so that it cannot take all the CPU
- use ulimit so that the process memory usage is limited more
   than user application's, otherwise it may be able to get
   some of user's apps to abort when memory runs low
   - AFAIK kernel OOM-handler should be able to handle fork-bombs too
- chroot it to its work directory, so that it cannot read
   anything outside it

With this it can still fill the Flash which might require user
to reflash the device (unless he's a Linux developer who knows
how to eliminate the offending the program and find what is taking
all the Flash).  Ulimit has a setting for limiting the file sizes,
but I'm not sure whether that's enough to prevent process from
filling the device Flash.

	- Eero

More information about the maemo-developers mailing list