I've been experimenting with sending SMS.
One of the available programs for this is smstools. Smstools requires the sender of the SMS to write to a directory that the SMS daemon monitors.
However, Fedora requires root permissions to write to that directory. Debian requires that you are the smsd user (who is a member of the dialout group). Neither system gives write privileges to a group.
Now, from the point of view of a user interacting with these packages, both provide the annoying problem that a set-uid binary is required, simply to send an SMS.
However, I think this is also a security hole. Not in the actual package, but in that to use the package, a normal user must go through a privilege escalation process. Every system that wants to send an SMS therefore has to write its own custom set-uid script/binary, causing the unnecessary potential for set-uid bugs/system takeover.
The Debian package of course only has the potential to elevate to smsd, but since smsd has the potential to send unlimited SMS and erase all trace of it, the horror is still pretty real.
Does a security bug against these packages seem justified?
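
The permission models contrasted in the post above can be checked with a short script. This is an added example, not part of the original post and not smstools code: the function name `spool_write_model` is hypothetical, and a temporary directory stands in for the monitored spool directory. It classifies who may write to a directory, then shows an owner-only mode (the situation described) next to a group-writable setgid mode that would let group members drop files without a set-uid helper.

```shell
#!/bin/sh
# Added example: classify how a directory grants write access.
# Prints one of: world-writable, group-writable, owner-only, not-a-directory.
spool_write_model() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not-a-directory"
        return 1
    fi
    # Mode string from ls -ld, e.g. "drwxrws---":
    # char 1 = type, 2-4 = owner bits, 5-7 = group bits, 8-10 = other bits.
    mode=$(ls -ld "$dir" | cut -c1-10)
    group_w=$(printf '%s' "$mode" | cut -c6)
    other_w=$(printf '%s' "$mode" | cut -c9)
    if [ "$other_w" = "w" ]; then
        echo "world-writable"
    elif [ "$group_w" = "w" ]; then
        echo "group-writable"
    else
        echo "owner-only"
    fi
}

# Constructed stand-in for the directory the SMS daemon monitors.
demo_dir=$(mktemp -d)

# Owner-only: any other account needs a privilege change to write here.
chmod 0755 "$demo_dir"
echo "owner-only layout:     $(spool_write_model "$demo_dir")"

# Group-writable with setgid: members of the directory's group can create
# files directly, and new files inherit that group so the daemon can read them.
chmod 2770 "$demo_dir"
echo "group-writable layout: $(spool_write_model "$demo_dir")"

rm -rf "$demo_dir"
```

Run against the real spool directory of an installed package, the function reports which of the three models the packager chose.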