Re: Security in GNOME




Cody Russell writes:
>gnome-utils contains a program called gsu, which at the moment doesn't
>compile correctly and hasn't been audited for security. Once it has been
>security audited, then it would be safe to use in applications that would
>need root access, correct?

Unfortunately, incorrect.  All the libraries on which it depends and which
manipulate user-supplied or user-manipulable input must also be audited.
Since auditing gtk/gdk/glib/theme-engines after every single source code
change is a huge job that no one has undertaken, making gsu secure is a
significantly harder task.

Another idea: I could try to export usermode's capabilities via a
library and gsu could require this library interface.  Distributions
without PAM could export the same interface.  As long as you have the
interface, gsu works.  I'll think about that.

The way I see it, consolehelper is more flexible because it will be
able to ask for either the user's or root's password (right now it
only asks for the user's password; that's the new feature I need to
add that I mentioned yesterday) and because it can be configured
via PAM not to ask for a password at all for utilities where that is
appropriate (for example, you might want to do that to make the kbdrate
program runnable by normal users).

On the other hand, gsu is more flexible because while it requires
the root password to get access to a program running as root, you
don't have to set up the system ahead of time as you do with
consolehelper.

It's a typical tradeoff.

Again, see http://www.redhat.com/knowledgebase/newpam/ for more
information; if you have Red Hat Linux 6.0, man consolehelper
for more information as well.

michaelkjohnson

"Magazines all too frequently lead to books and should be regarded by the
 prudent as the heavy petting of literature."            -- Fran Lebowitz
 Linux Application Development     http://people.redhat.com/johnsonm/lad/


