[gtk-web/issue-47] Add back the setuid.html page



commit 8a1ac07e479b457617ee4c9dd910095aeb046063
Author: Emmanuele Bassi <ebassi gnome org>
Date:   Sun Apr 19 21:06:33 2020 +0100

    Add back the setuid.html page
    
    The page is referenced by GTK's source code in a user-visible error
    message, and we need to maintain the URL.
    
    Fixes: #47

 README.md   |  1 +
 setuid.html | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+)
---
diff --git a/README.md b/README.md
index c056f0e..f62761a 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,7 @@ The data used by the site is stored in the form of following files:
     ├── package-lock.json
     ├── package.json                        #contains node dependencies for the site.
     ├── README.md
+    ├── setuid.html                         #referenced by GTK's source code
     └── setup.sh                            #script for setting up the website
 
 ## Contributing
diff --git a/setuid.html b/setuid.html
new file mode 100644
index 0000000..dac8d76
--- /dev/null
+++ b/setuid.html
@@ -0,0 +1,63 @@
+{% include header.html %}
+
+{% include navbar.html %}
+
+<div class="container py-4 d-flex align-items-center justify-content-center" style="min-height: 100vh;">
+  <div class="row justify-content-center">
+    <div class="col-12 col-sm-8 d-flex flex-column align-items-center">
+      <h3 class="text-center">Why GTK_MODULES is not a security hole</h3>
+      <div class="w-100 py-3 px-3">
+        <p>GTK supports the environment variable <code>GTK_MODULES</code> which specifies arbitrary
+        dynamic modules to be loaded and executed when GTK is initialized. It is somewhat similar to
+        the <code>LD_PRELOAD</code> environment variable. However, this (and similar functionality
+        such as specifying theme engines) is not disabled when running <code>setuid</code> or
+        <code>setgid</code>. Is this a security hole? No. Writing <code>setuid</code> and
+        <code>setgid</code> programs using GTK is bad idea and will never be supported by the GTK
+        team.</p>
+
+        <p>You should not write <code>setuid</code> GTK programs because:</p>
+
+        <p>GTK is too big. GTK+-2.0 and its dependent libraries (ignoring Xlib) total over 600,000
+        lines of code. For GTK+-3.0 (ignoring backend specific and image loading libraries), this
+        figure is over 800000 lines of code.</p>
+
+        <p>GTK is too complex. GTK takes input from dozens of sources, from drag-and-drop, to
+        root-window properties, to keyboard input, to configuration files. This is a much broader
+        scope for compromises than a typical server and makes auditing GTK especially tricky.</p>
+
+        <p>Security of GTK requires the security of the underlying windowing system backend. The
+        GTK team is not prepared to make that guarantee. Security bugs have been found in the
+        recent past in such areas of Xlib as the input method code.</p>
+
+        <p>You should not make your GUI setuid at all. Why run the risk of security bugs in code
+        that does not need to be running with elevated privileges?</p>
+
+        <p>In the opinion of the GTK team, the only correct way to write a <code>setuid</code>
+        program with a graphical user interface is to have a <code>setuid</code> backend that
+        communicates with the non-<code>setuid</code> graphical user interface via a mechanism
+        such as a pipe and that considers the input it receives to be untrusted.</p>
+
+        <p>For this reason, no effort is made in GTK to disable the obvious ways that you could
+        compromise a setuid GTK program - <code>GTK_MODULES</code> and the ability for the user
+        to specify theme engines, because we consider this to be only papering over the fundamental
+        problems of writing <code>setuid</code> programs with any GUI toolkit. GTK may be modified
+        in the future to simply refuse to run with elevated privileges, though it does not do this
+        currently.</p>
+
+        <p>Does this mean that there are no security considerations for GTK? No. In particular
+        image loaders have been and will continue to be an area of special care, since users may
+        load images from untrusted sources. And in addition to the possibility of this variety of
+        exploit, most potential security holes are essentially bugs and even as mere bugs, must
+        be squashed. To help accomplish this goal, GTK extensively uses high-level data structure
+        abstractions which minimize the risk of most traditional buffer overflows.</p>
+
+        <p>However, the secure <code>setuid</code> program is a 500 line program that does only
+        what it needs to, rather than a 800,000 line library whose essential task is user
+        interfaces.</code>
+      </div>
+    </div>
+  </div>
+</div>
+
+{% include scripts.html %}
+{% include footer.html %}
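Review bot: the final paragraph of the new page (the one beginning "However, the secure <code>setuid</code> program is a 500 line program") is closed with `</code>` instead of `</p>`, so the `<p>` opened on that line is never closed and the stray `</code>` has no matching opener; change the closing tag to `</p>` so the page stays well-formed. Two smaller points in the same hunk: the paragraph that says GTK "may be modified in the future to simply refuse to run with elevated privileges, though it does not do this currently" reads as stale next to this commit's own premise that GTK now emits a user-visible error message pointing at this URL, so that sentence should be checked against current GTK behaviour and reworded if GTK already refuses to initialize when running setuid or setgid; and "is bad idea" wants an article ("is a bad idea"), with "800000" written as "800,000" to match the "600,000" two sentences earlier.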

