Re: Bounce a few ideas off

robert havoc pennington <> writes:

> On Wed, 22 Apr 1998, Michael K. Johnson wrote:
> > 
> > I'd like to suggest that instead of "porting" those apps to gtk, folks
> > consider writing gui wrappers for them.  Particularily setuid ones,
> > as gtk has NOT been gone through for the kinds of bugs that could
> > easily create security holes in setuid programs...
> > 
> For an example of one wrapper and one "port," look at gshutdown and gsu
> in gnome-utils/mini-utils.
> The problem is that the setuid binaries are precisely the ones that have
> to be "ported." I can't figure out any way to wrap them, and these are
> precisely the utilities upstream authors won't want to change. No one
> wants to mess with su when su is well-proven.  Plus there's no way to pass
> passwords around on the command line, so I can't think of how the
> wrap-friendliness would be implemented. :(

If changing the upstream source isn't an option, then provide
a modified version of the utility that is wrap friendly. But don't
integrate the GUI into the setuid app. 

For su, why not write a version that allows the plaintext password
to be provided via stdin. (_not_ by the command line! ps auxw...)

I have to agree that setuid GNOME/GTK applications are not a good
idea. Just a few of the places where a user can provide input:
 The XPM files loaded by the gtkrc
 The graphics loaders of gdk_imlib
 Text widgets / entries
 The X selection mechanism

Some of these can be disabled. Perhaps the others are all safe from
buffer overruns, but I wouldn't count on it. GTK+ is 100,000 lines of
code, gnome-libs another 40,000 (+60,000 in XmHTML) If one can avoid
linking that code into a setuid app, one should.
> One comforting thought is that you can't use these GUI utils from a telnet
> session, so the security hole depends on the ability to run an X session
> on the machine. Slightly safer. (well, you can gsu --command from telnet,
> but that should be almost the same as regular su except for Gnome init
> stuff. I guess it could be made exactly the same as regular su by
> postponing the Gnome init until after options parsing - would this help?) 

Not at all. The security would only be there if you can't run
run X applications on the machine and display them elsewhere.
If you can run a telnet session, you probably can run X apps.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]