Re: Using gconf in setuid program?

Hey David,
	Interesting question; thinking it through:
 - You'd want to be sure to read the system-wide config only:
     + You need to do this because you don't want to read root's config,
       and the parsing of the GConf path file uses env variables
     + There should be a way of doing that apart from loading
       xml:readonly:/etc/gconf/gconf.xml.defaults, since the system-wide
       config isn't guaranteed to only be there.
     + For now, you'd have to use xml:readonly:/etc/gconf/gconf.xml.defaults,
       but that's not such a bad thing since you can be sure what
       backend is loaded and that the config is read from a
       well-defined location.

 - You'd want to use direct mode rather than gconfd-2:
     + Obviously don't want another process
     + There'd be much more code to audit if you didn't
     + gconf_engine_get_local() isn't in the public API, though

 - The total amount of code to audit given direct mode, single data
   source and using GConfEngine to get a bool is not huge at all

 - I'm not 100% sure whether g_module_open() with a known-safe absolute
   path is secure from a setuid() program - pretty sure it is, looking
   at glibc's ELF loader code, but that would need to be checked more
   carefully.

	So, I'm not seeing anything obviously wrong with using libgconf in direct mode
with a hard-coded data source address. But it would certainly be useful
to get more people to look at it before going ahead with it.

Cheers,
Mark.
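As an added illustration of the first point in the mail (not code from the thread or from GConf itself): the snippet below models how a GConf-style path file line such as `xml:readwrite:$(HOME)/.gconf` gets its `$(NAME)` references filled from the environment, and shows the two behaviours a setuid program wants instead: skip the path file and the environment entirely in favour of the fixed `xml:readonly:/etc/gconf/gconf.xml.defaults` source, and refuse any address that is not read-only, not under `/etc/gconf`, or still carries an environment reference. The `$(NAME)` substitution is a simplified stand-in for GConf's real path-file syntax, and `expand_env_refs()`, `source_is_trusted()` and `choose_source()` are hypothetical helpers, not libgconf API.

```c
/* Added example: environment-driven source selection versus the
 * hard-coded source a privileged (setuid) process should use.
 * Simplified model of GConf path-file expansion; helper names are
 * hypothetical, not libgconf API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The one source a privileged process reads, as suggested in the mail. */
static const char SAFE_SOURCE[] = "xml:readonly:/etc/gconf/gconf.xml.defaults";
/* Every address accepted for privileged use must start with this. */
static const char TRUSTED_PREFIX[] = "xml:readonly:/etc/gconf/";

/* Expand each "$(NAME)" in `in` with getenv("NAME"); unset names expand
 * to "". Returns the number of references expanded, or -1 on a malformed
 * reference or when `out` (size outlen) would overflow. */
int expand_env_refs(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    int count = 0;
    while (*in) {
        if (in[0] == '$' && in[1] == '(') {
            const char *end = strchr(in + 2, ')');
            char name[64];
            size_t n;
            if (!end) return -1;
            n = (size_t)(end - (in + 2));
            if (n == 0 || n >= sizeof name) return -1;
            memcpy(name, in + 2, n);
            name[n] = '\0';
            const char *val = getenv(name);
            if (!val) val = "";
            size_t vl = strlen(val);
            if (o + vl >= outlen) return -1;
            memcpy(out + o, val, vl);
            o += vl;
            in = end + 1;
            count++;
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = *in++;
        }
    }
    out[o] = '\0';
    return count;
}

/* Policy check: a source is trusted for privileged use only if it is a
 * read-only source under /etc/gconf, has no environment references left,
 * and does not climb out of that directory. */
int source_is_trusted(const char *address)
{
    if (strncmp(address, TRUSTED_PREFIX, strlen(TRUSTED_PREFIX)) != 0) return 0;
    if (strstr(address, "$(") != NULL) return 0;
    if (strstr(address, "/../") != NULL) return 0;
    return 1;
}

/* Pick the data source for this process. `privileged` is non-zero when
 * getuid() != geteuid(). Privileged callers never look at the path-file
 * line or the environment: they always get SAFE_SOURCE, re-checked by
 * source_is_trusted(). Unprivileged callers get the expanded line.
 * Returns 1 on success, 0 on failure. */
int choose_source(const char *path_line, int privileged, char *out, size_t outlen)
{
    if (privileged) {
        if (strlen(SAFE_SOURCE) >= outlen) return 0;
        strcpy(out, SAFE_SOURCE);
        return source_is_trusted(out);
    }
    return expand_env_refs(path_line, out, outlen) >= 0;
}

int main(void)
{
    char buf[256];
    int privileged = getuid() != geteuid();
    /* Constructed path-file line of the kind a user's config would hold. */
    const char *line = "xml:readwrite:$(HOME)/.gconf";
    if (choose_source(line, privileged, buf, sizeof buf))
        printf("%s process uses source: %s\n",
               privileged ? "privileged" : "unprivileged", buf);
    return 0;
}
```

Run as an ordinary user it prints the `$(HOME)`-expanded address; run with the setuid bit set (euid differs from uid) it prints the fixed `/etc/gconf` source regardless of what `HOME` or the path file says, which is the property the mail is after.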