Re: Bounce a few ideas off
robert havoc pennington <rhpennin@midway.uchicago.edu> writes:

> On Wed, 22 Apr 1998, Michael K. Johnson wrote:
> > 
> > I'd like to suggest that instead of "porting" those apps to gtk, folks
> > consider writing gui wrappers for them.  Particularly setuid ones,
> > as gtk has NOT been gone through for the kinds of bugs that could
> > easily create security holes in setuid programs...
> > 
> 
> For an example of one wrapper and one "port," look at gshutdown and gsu
> in gnome-utils/mini-utils.
> 
> The problem is that the setuid binaries are precisely the ones that have
> to be "ported." I can't figure out any way to wrap them, and these are
> precisely the utilities upstream authors won't want to change. No one
> wants to mess with su when su is well-proven.  Plus there's no way to pass
> passwords around on the command line, so I can't think of how the
> wrap-friendliness would be implemented. :(

If changing the upstream source isn't an option, then provide
a modified version of the utility that is wrap friendly. But don't
integrate the GUI into the setuid app. 

For su, why not write a version that allows the plaintext password
to be provided via stdin. (_not_ by the command line! ps auxw...)

I have to agree that setuid GNOME/GTK applications are not a good
idea. Just a few of the places where a user can provide input:
 
 gnome-config
 gtkrc
 The XPM files loaded by the gtkrc
 The graphics loaders of gdk_imlib
 Text widgets / entries
 The X selection mechanism
 DND

Some of these can be disabled. Perhaps the others are all safe from
buffer overruns, but I wouldn't count on it. GTK+ is 100,000 lines of
code, gnome-libs another 40,000 (+60,000 in XmHTML). If one can avoid
linking that code into a setuid app, one should.
 
> One comforting thought is that you can't use these GUI utils from a telnet
> session, so the security hole depends on the ability to run an X session
> on the machine. Slightly safer. (well, you can gsu --command from telnet,
> but that should be almost the same as regular su except for Gnome init
> stuff. I guess it could be made exactly the same as regular su by
> postponing the Gnome init until after options parsing - would this help?) 

Not at all. The security would only be there if you can't run
X applications on the machine and display them elsewhere.
If you can run a telnet session, you probably can run X apps.

Regards,
                                        Owen
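The wrapper/helper split Owen proposes, as an added example that is not code from this thread or from gnome-utils: the privileged helper reads the password from its standard input, and the unprivileged GUI-side wrapper feeds it through a pipe so it never appears in the helper's argv. The helper path and the `/bin/sh` check used when running it are constructed assumptions.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example: an unprivileged wrapper hands the password to a separate
 * helper over a pipe on stdin, never in argv, because argv is visible to
 * every user through `ps auxw`. The helper invoked is an assumption. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Helper side: read one password line from `in` (normally stdin) into
 * buf and drop the newline. Returns its length, or -1 and a zeroed
 * buffer if there is no line or it would not fit (possible truncation). */
int read_password_line(FILE *in, char *buf, size_t size) {
    if (!fgets(buf, (int)size, in)) return -1;
    size_t n = strcspn(buf, "\n");
    if (buf[n] != '\n' && n == size - 1) {   /* buffer filled, no newline */
        memset(buf, 0, size);
        return -1;
    }
    buf[n] = '\0';
    return (int)n;
}

/* Wrapper side: run helper_argv with `secret` written to the child's stdin
 * through a pipe. The command line carries no secret. Returns the child's
 * exit status, or -1 if the pipe, fork or wait fails. */
int run_helper_with_secret(char *const helper_argv[], const char *secret) {
    int fds[2];
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                          /* child: read end -> stdin */
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) < 0) _exit(127);
        close(fds[0]);
        execv(helper_argv[0], helper_argv);
        _exit(127);                          /* exec failed */
    }
    close(fds[0]);                           /* parent: write, then EOF */
    FILE *w = fdopen(fds[1], "w");
    if (!w) { close(fds[1]); return -1; }
    fprintf(w, "%s\n", secret);
    fclose(w);                               /* closing gives the child EOF */
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The helper should still zero its password buffer once it has authenticated, and the wrapper should never log or echo the secret it forwards.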