Re: Using gconf in setuid program?




On Jun 29, 2005, at 8:30 AM, Mark McLoughlin wrote:
But this would break for mandatory settings because the setuid helper
cannot really trust gnome-mount (or anyone else invoking the
setuid helper). So the setuid helper really needs to check this himself.


Yeah, good point. Forking a process, dropping back to the original uid and exec()ing gconftool-2 to check the key may be the best option as you say.

Thinking it through, I can't see any obvious problems, but it all makes
me fairly nervous.

Me too. Also, and this is pure speculation on my part, since gconftool-2 is a simple wrapper for libgconf I guess it comes down to whether gconf is secure? E.g. if someone can fool gconftool-2 to ignore mandatory settings you should be able to fool the rest of the desktop too, right?

Btw, some notes in the docs about all this may be helpful, but I don't know the specifics well enough to provide a patch :-)

However, returning to my specific application, the setuid helper will have additional checks, e.g. on systems with pam_console we'll bail out early if the user is not at the console and I suppose OS'es without this can provide similar checks. So I'm not totally nervous.

Cheers,
David



