From: Kris Kennaway (krisFREEBSD.ORG)
Date: Thu Jan 04 2001 - 06:03:55 CST

    On Wed, Jan 03, 2001 at 09:32:29AM -0800, Kris Kennaway wrote:
    > On Wed, Jan 03, 2001 at 10:40:33AM -0500, Owen Taylor wrote:
    > > What follows is the official GTK+ team position on this matter. (It
    > > can be found at http://www.gtk.org/setuid.html as well.) The summary
    > > is that we don't consider it a problem because writing set[ug]id
    > > programs with a GUI toolkit is simply a bad idea and not supported for
    > > GTK+.
    >
    > Why not force the issue and abort in GTK startup if issetugid() (for
    > those platforms which have it)?

    Actually, aborting on issetugid() ("Are you now, or have you ever
    been, a privileged executable?") probably won't work acceptably for
    programs which revoke all privileged resources before calling GTK. Of
    course, if GTK does not abort, and a program drops only some
    privileges (e.g. only setuid()'ing from root) this still allows
    hijacking of any privileged resources the application still retains,
    such as network sockets and open file descriptors.

    Perhaps the best thing would be to force a global variable to be set
    in privileged GTK apps to allow them to run (bypassing the issetugid()
    abort), so that developers have fair warning of insecurity, but the
    ability to override it if they truly believe themselves to be safe
    (e.g. the GNOME games case or programs which revoke privilege and all
    privileged resources).

    Kris

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE6VGarWry0BWjoQKURAhmHAJ49qdJKg/nNuVh11ayAf+QhraimSgCgvzk7
    q6+CpdeleeUb/EZP3FXsung=
    =f+pc
    -----END PGP SIGNATURE-----
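The startup check Kris sketches (refuse to initialise in a set[ug]id program unless the application has set a global that says it takes responsibility), written out as an added example; this is not GTK+ code, and `toolkit_init`, `toolkit_allow_setugid`, `toolkit_privileged_exec` and `toolkit_decide` are hypothetical names. The probe uses issetugid(2) where it exists; on Linux it assumes glibc's `getauxval(AT_SECURE)`, which the kernel sets for privileged execs; elsewhere it falls back to comparing real and effective ids, which only catches privileges still held, exactly the weaker "are you now" check the message contrasts with "have you ever been":

```c
/* Added example, not GTK+ code: a library init that refuses to run in a
 * set[ug]id program unless the application opts in via a global. All names
 * here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#if defined(__linux__)
#include <sys/auxv.h>   /* getauxval(AT_SECURE): kernel's "privileged exec" flag (glibc >= 2.16) */
#endif

/* Hypothetical override: the application sets this to 1 *before* toolkit_init()
 * to declare it knows it was privileged and has dropped both the privilege and
 * every privileged resource (sockets, descriptors) it obtained. */
int toolkit_allow_setugid = 0;

/* "Are you now, or have you ever been, a privileged executable?"
 * Returns 1 if so, 0 otherwise. On BSD/macOS this is issetugid(2) and stays 1
 * even after setuid() back to the invoking user; AT_SECURE on Linux behaves
 * the same way; the generic fallback only sees privileges still held. */
int toolkit_privileged_exec(void)
{
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || \
    defined(__DragonFly__) || defined(__APPLE__)
    return issetugid() != 0;
#elif defined(__linux__)
    return getauxval(AT_SECURE) != 0;
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

enum init_decision { INIT_OK = 0, INIT_OK_OVERRIDDEN = 1, INIT_REFUSE = 2 };

/* Pure policy, separated from the probe so it can be tested without a
 * real set[ug]id binary: run if unprivileged, run with a warning if the
 * application overrode the check, otherwise refuse. */
enum init_decision toolkit_decide(int privileged, int override_set)
{
    if (!privileged)
        return INIT_OK;
    if (override_set)
        return INIT_OK_OVERRIDDEN;
    return INIT_REFUSE;
}

/* Library entry point: aborts unless the process is unprivileged or the
 * application explicitly accepted responsibility. */
int toolkit_init(void)
{
    switch (toolkit_decide(toolkit_privileged_exec(), toolkit_allow_setugid)) {
    case INIT_OK:
        return 0;
    case INIT_OK_OVERRIDDEN:
        fprintf(stderr, "toolkit: set[ug]id program; application asserts it "
                        "has dropped all privileges and privileged resources\n");
        return 0;
    case INIT_REFUSE:
    default:
        fprintf(stderr, "toolkit: refusing to initialise in a set[ug]id program; "
                        "set toolkit_allow_setugid = 1 only after revoking "
                        "privilege and every privileged resource\n");
        abort();
    }
}

int main(void)
{
    /* A normal, unprivileged invocation initialises silently. */
    toolkit_init();
    printf("toolkit initialised (privileged exec: %d)\n", toolkit_privileged_exec());
    return 0;
}
```

The override is a declaration, not a proof: the library cannot verify that the application really closed its privileged sockets and descriptors before setting the flag, which is the residual-risk case the message describes (dropping only the uid while retaining privileged resources). The point of the `issetugid()`-style probe over a plain `getuid() != geteuid()` comparison is that it still answers "yes" after the program has called `setuid()` back to the invoking user, so a program that forgets the flag fails loudly instead of silently running a toolkit in a formerly privileged address space.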