Re: Will the changes in the 1.4 series `contaminate' Glib?

On Thu, 11 Jan 2001, ERDI Gergo wrote:

> Hi,
> with all the recent discussions about GTK+ being too complicated for a
> security audit, and several GTK+ features propagating to Glib for the 1.4
> release (e.g. the Object and the Signal systems), will it also mean that
> Glib 1.4 will be marked `not appropriate' for set[ug]id applications?

good question. first, the signal and object stuff is currently in an extra
library of glib and won't effect suid programs that use plain glib without
those features. however, suid programs that would want to make use of these
features, as well as glibs main loop, are probably not unthinkable.
for that, note that glib HEAD has _not_ been security audited, so we're
not making guarrantees there whatsoever, and certain glib features just
couldn't be used from suid programs, such as gmodule or dynamic types,
gspawn etc. it might be appropriate to insert actuall checks for suid
environments into those portions.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]