Re: Getting root privilege



G'Day !

I agree 100% with both Jonathan and Havoc ...

However the original posting just asked how to do it, so I provided an article
that described how and at the same time tried to avoid a flame war, by using a
security article.  It is the programmer's responsibility to keep his code
secure.

Who knows, he may be programming for a stand-alone machine with minimal security
requirements.

cheers,
Jim Parker

Sailboat racing is not a matter of life and death ....  It is far more important
than that !!!


                                                                                                              
                                 
Havoc Pennington <hp redhat com>
Sent by: gtk-app-devel-list-admin@gnome.org
02/15/01 02:47 PM

To:      Jonathan Irwin <jmi25 cam ac uk>
cc:      <gtk-app-devel-list gnome org>
Subject: Re: Getting root privilege




Jonathan Irwin <jmi25 cam ac uk> writes:
On Wed, 14 Feb 2001 JParker coinstar com wrote:

G'Day !

Good article that gives you a general idea of how to change user
privileges.  It's a security article, so it explains potential exploits
also  :-)

http://www.linuxfocus.org/English/January2001/article182.shtml
<...>

I have only briefly skimmed the article, but in general having GTK
applications setuid to root is something which should be avoided if at all
possible (the GTK library was not designed for this purpose, so there
could be all sorts of security holes in there).

In most cases it should be possible to avoid having a GTK application
setuid to root.  If you need access to specific /dev entries, then you can
make the app setgid instead, which removes some of the risk involved.
Otherwise, it might be worth considering using a helper which runs setuid
root and does not call GTK, passing control information over a Unix
socket or a pipe to the GTK app instead (and being very careful with its
input).


You are 100% right, see http://www.gtk.org/setuid.html. GTK 1.2.9 will
actually check whether the app is setuid, and gtk_init() will abort if
so. So the helper app is _required_.

Havoc
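
Added example, not part of the original thread or of GTK: a sketch of the input handling for the kind of setuid helper described above, which never calls GTK and only accepts fixed-format requests over a pipe from the unprivileged GUI. The line protocol, the command names (EJECT, SPEED) and the 1-52 range are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE 64   /* assumed upper bound on one request line */

enum cmd { CMD_INVALID = 0, CMD_EJECT, CMD_SET_SPEED };

/* Parse one request: "EJECT\n" or "SPEED <1-52>\n" (hypothetical protocol).
 * Unterminated, over-long, non-alphanumeric or embedded-NUL input is refused,
 * and nothing from the GUI is ever passed on to a shell or used as a path. */
enum cmd parse_request(const char *buf, size_t len, int *arg)
{
    if (len == 0 || len >= MAX_LINE || buf[len - 1] != '\n')
        return CMD_INVALID;
    for (size_t i = 0; i + 1 < len; i++)
        if (!isalnum((unsigned char)buf[i]) && buf[i] != ' ')
            return CMD_INVALID;
    if (len == 6 && memcmp(buf, "EJECT", 5) == 0)
        return CMD_EJECT;
    if (len >= 8 && len <= 9 && memcmp(buf, "SPEED ", 6) == 0) {
        int v = 0;
        for (size_t i = 6; i + 1 < len; i++) {
            if (!isdigit((unsigned char)buf[i]))
                return CMD_INVALID;
            v = v * 10 + (buf[i] - '0');
        }
        if (v < 1 || v > 52)
            return CMD_INVALID;
        *arg = v;
        return CMD_SET_SPEED;
    }
    return CMD_INVALID;
}

int main(void)
{
    char buf[MAX_LINE];
    int arg = 0;
    /* stdin is the pipe from the GTK front end; stdout carries the reply. */
    while (fgets(buf, sizeof buf, stdin)) {
        enum cmd c = parse_request(buf, strlen(buf), &arg);
        puts(c == CMD_INVALID ? "ERR" : "OK");  /* privileged action goes here */
        fflush(stdout);
    }
    return 0;
}
```

The GUI side stays an ordinary unprivileged GTK process and treats the helper's OK/ERR replies as the only result it gets back.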

