Re: Using gconf in setuid program?
- From: Mark McLoughlin <markmc redhat com>
- To: David Zeuthen <david fubar dk>
- Cc: gconf-list gnome org
- Subject: Re: Using gconf in setuid program?
- Date: Tue, 28 Jun 2005 08:22:29 +0100
Interesting question; thinking it through:
- You'd want to be sure to read the system-wide config only:
+ You need to do this because you don't want to read root's config
and the parsing of the GConf path file uses env variables
+ There should be a way of doing that apart from loading
xml:readonly:/etc/gconf/gconf.xml.defaults since the system-wide
config isn't guaranteed to only be there.
+ For now, you'd have to use xml:readonly:/etc/gconf/gconf.xml.defaults
but that's not suce a bad thing since you can be sure what
backend is loaded and that the config is read from a
- You'd want to use direct mode rather than gconfd-2:
+ Obviously don't want another process
+ There'd be much more code to audit if you didn't
+ gconf_engine_get_local() isn't in the public API, though
- The total amount of code to audit given direct mode, single data
source and using GConfEngine to get a bool is not huge at all
- I'm not 100% sure whether g_module_open() with a known-safe absolute
path is secure from a setuid() program - pretty sure it is looking
at glibc's ELF loader code, but that would need to be checked more
So, I'm not seeing obviously wrong with using libgconf in direct mode
with a hard-coded data source address. But it would certainly be useful
to get more people to look at it before going ahead with it.
] [Thread Prev