On 8/18/20 11:11 AM, Patrick Shanahan wrote:
* ken <gebser@mousecar.com> [08-18-20 10:54]:
Checking out my newly installed system, I found in "ss -tulpn" this:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
...
tcp LISTEN 0 5 [::]:16001 [::]:* users:(("pulseaudio",pid=5819,fd=45))
...
5819 is the pid for /usr/bin/pulseaudio, which is a networked sound server, but is 16001 the proper port? It's listed in /usr/etc/services as:
fmsascon 16001/tcp # Administration Server Connector [Mark_Davidson]
(This is one of several ports used by the well known FileMaker.)
Moreover:
# rpm -Vf /usr/bin/pulseaudio
.M....... g /var/lib/pulseaudio
It's odd that (1) the mode of this "file" should not match the rpm database, especially considering it's an empty directory. And what does the "g" mean?
Also
# ls -ld /usr/bin/pulseaudio
-rwxr-xr-x 1 root root 92352 Jul 22 14:17 /usr/bin/pulseaudio
which means that the process listening on an open port is owned by and running as root, which I'd consider a security vulnerability.

why do you suppose the instance is running as root? the binary being owned by root does not mean that; you will notice that group and users have execute permissions. check ps -u |grep pulseaudio
Valid point. It still could be a vulnerability, not one which gained root access, but still access to the account of the user invoking it. It's the reason why apache opens ports as wwwrun, which denies login and in other ways is more secured than a regular user account.

Do you find the other items mentioned above similar on your system(s)?
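
Added example, not part of the thread or written by its participants: the check discussed above (which account a listener runs as, as opposed to who owns its binary), done for every socket in `ss -tulpn` output. The function names `listeners`, `proc_euid` and `report` are hypothetical, and the script assumes Linux `/proc` and a `stat` that accepts `-L -c`.

```sh
#!/bin/sh
# Added example (not from the thread): show which account each listener
# actually runs as, next to the owner of its binary.

# Constructed sample: the tcp line quoted in the first message.
SAMPLE='tcp LISTEN 0 5 [::]:16001 [::]:* users:(("pulseaudio",pid=5819,fd=45))'

# Read `ss -tulpn` output on stdin; print "port pid name" per owning process.
listeners() {
    awk '$2 == "LISTEN" || $2 == "UNCONN" {
        port = $5; sub(/.*:/, "", port)          # strip the address, keep the port
        rest = $0
        while (match(rest, /\("[^"]+",pid=[0-9]+/)) {   # one users:(...) entry
            entry = substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)
            pid = entry;  sub(/.*pid=/, "", pid)
            name = entry; sub(/^\("/, "", name); sub(/".*/, "", name)
            print port, pid, name
        }
    }'
}

# Effective UID of a running process: second number on the Uid: line of
# /proc/PID/status (real, effective, saved, filesystem).
proc_euid() {
    awk '$1 == "Uid:" { print $3 }' "/proc/$1/status" 2>/dev/null || true
}

# One line per listener; "unknown" when the process is gone or not readable.
report() {
    listeners | while read -r port pid name; do
        euid=$(proc_euid "$pid")
        owner=$(stat -L -c %u "/proc/$pid/exe" 2>/dev/null || true)
        echo "port=$port pid=$pid name=$name" \
             "runs_as_uid=${euid:-unknown} binary_owner_uid=${owner:-unknown}"
    done
}

# Live check (run as root so ss can see other users' processes):
#   sh this_script.sh live
if [ "${1:-}" = live ]; then
    ss -tulpn | report
fi
```

A line where `runs_as_uid` is a regular user's UID while `binary_owner_uid` is 0 is the situation described in the reply: a root-owned binary executed by an ordinary account.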