From: Bryan Porter (bporter@GTW.NET)
Date: Thu Jan 04 2001 - 18:15:48 CST
I'm gathering from the feedback I've gotten that I may have been
overly harsh. I especially feel rather silly knowing that everyone else in
the known universe doesn't make GUI apps suid. Well, experience is a great
teacher, and let's just say I've learned a lot. Thanks for the input guys,
and apologies to the GTK+ team - it seems I was wrong after all.
-----Original Message-----
From: Dan Stromberg [mailto:strombrg@nis.acs.uci.edu]
Sent: Thursday, January 04, 2001 5:19 PM
To: Bryan Porter
Subject: Re: gtk+ security hole.
Hmmmmmmm...
How surprising to see a Qt rant in there. :-S
Actually, I wouldn't recommend running Qt setuid either. GUI programs
shouldn't be setuid. Look at all the trouble we've had with xterm.
It should have had a setuid helper program from the beginning.
On Wed, Jan 03, 2001 at 03:30:10PM -0600, Bryan Porter wrote:
> I'm sorry, but this seems a bit much for me. My car has tires, and because
> the tires are kind of bad and over-engineered, I shouldn't drive over 10MPH
> because they might explode? What? Fix the tires. Same thing here.
>
> "Don't make GTK+ program suid/setgid because it's based on another project
> with multiple potential vulnerabilities." Absolutely ridiculous. "Our tires
> suck because we bought cheap rubber." What?
>
> Bottom line, if GTK+ is broken, fix it. And if it can't safely run suid,
> then it is horribly broken. It's a graphic library for Christ's sake. And, if
> it's so full of spaghetti code that it can't easily be fixed, then trash it.
> But the excuses given are ridiculous, period. No professional project would
> ever stand for this level of ineptitude. Qt works fine suid. And it's quite
> cross-platform.
-- Dan Stromberg UCI/NACS/DCS
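The design Dan describes above (keep the GUI unprivileged, put the one privileged operation in a small setuid helper) is sketched below as an added example. It is not code from this thread, from GTK+ or from xterm; the function names and the "--helper" argument are hypothetical, and the privilege-drop sequence assumes a helper installed setuid root on a POSIX system.

```c
/* Added example (not from the thread, GTK+ or xterm): the two halves of the
 * "setuid helper" design.  Function and program names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Half 1: the GUI side.  A toolkit or application can detect that it was
 * installed setuid/setgid (effective ids differ from real ids) and refuse to
 * continue, so the large, input-parsing GUI code never runs privileged.
 * Returns 1 if privileges are elevated, 0 otherwise. */
int running_with_elevated_privileges(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Half 2: the helper side.  A tiny setuid-root program performs its one
 * privileged task and then drops privileges permanently, so anything it does
 * afterwards (argument parsing, talking to the display) runs as the invoking
 * user.  Returns 0 on success, -1 if privileges could not be dropped or the
 * drop could be undone. */
int drop_privileges_permanently(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* Groups first: once the effective uid is unprivileged, setgid() fails. */
    if (setgid(gid) != 0)
        return -1;
    /* setuid() from a root effective uid sets real, effective and saved uid. */
    if (setuid(uid) != 0)
        return -1;
    /* Verify: effective ids now equal the real ids ... */
    if (geteuid() != uid || getegid() != gid)
        return -1;
    /* ... and an unprivileged process cannot regain root. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--helper") == 0) {
        /* Helper mode: the single privileged action (e.g. opening a
         * root-owned file) belongs here, BEFORE the drop; everything
         * after the drop runs as the user. */
        if (drop_privileges_permanently() != 0) {
            fprintf(stderr, "helper: cannot drop privileges, aborting\n");
            return 1;
        }
        printf("helper: now running as uid %ld\n", (long)geteuid());
        return 0;
    }

    /* GUI mode: refuse to run setuid/setgid at all. */
    if (running_with_elevated_privileges()) {
        fprintf(stderr, "%s: running setuid/setgid is not supported; "
                "install a separate helper instead\n", argv[0]);
        return 1;
    }
    printf("gui: running unprivileged as uid %ld\n", (long)getuid());
    return 0;
}
```

The verification step after setuid() matters: the "cannot regain root" check only holds for a helper whose effective uid was 0, because only then does setuid() clear the saved uid as well; a helper setuid to some other account would need setresuid() or an equivalent to make the drop irreversible.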