Re: [gtk-list] Re: gtkrc



On Fri, 16 Apr 1999, Paul Barton-Davis wrote:

> In message <Pine.BSF.4.02A.9904151829530.25828-100000@zirx.pair.com> you write:
> >
> >On Thu, 15 Apr 1999, Erik Mouw wrote:
> >> > 
> >> > Is that strictly true? What if the GTK app is suid root?
> >> 
> >> Is GTK safe enough to be used in suid root programs?
> >> 
> >
> >No. Doing so would be a terrible idea (even if every effort had been made
> >to make Gtk safe enough - it's a huge amount of code that has no reason to
> >be suid). 
> 
> What about a program that wants to use POSIX RT scheduling ?
> 
> The stuff I'm working on is just such a beast. It's multithreaded, and
> relinquishes all privilege once it's got RT scheduling established,
> right now, gtk_init() is being called very early when it's still euid = 0.
> 
> Should I change this ?

yes definitely, especially since gtk+ allows loading of additional modules.
so in theory users could use your program as a trampoline to execute
any code with the userid that your program has when you call gtk_init().
(we've had some discussions on this topic in the past, and the general
consensus was that if you need suid privileges, you'd better not use
any gtk/gdk at all).

> 
> --p
> 

---
ciaoTJ
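
The startup order discussed in this thread, as an added example that is not part of the original messages: make the privileged scheduling call, drop to the real uid/gid for good, and only then initialise the toolkit. `toolkit_init_stub` is a hypothetical stand-in for `gtk_init()`, and the priority value 10 is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <sched.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

static int rt_enabled;                          /* 1 if SCHED_FIFO was granted */
static uid_t euid_at_toolkit_init = (uid_t)-1;

/* Hypothetical stand-in for gtk_init(&argc, &argv): records the euid
 * that any module loaded by the toolkit would run with. */
static void toolkit_init_stub(void) { euid_at_toolkit_init = geteuid(); }

/* Permanently drop to the real uid/gid; -1 if any privilege could remain. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is dropped we may no longer be allowed to. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* With euid 0, setuid() also resets the saved uid, so this must fail. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Startup order: privileged call, drop, and only then the toolkit. */
int start(int rt_priority)
{
    struct sched_param sp = { .sched_priority = rt_priority };

    rt_enabled = (sched_setscheduler(0, SCHED_FIFO, &sp) == 0);
    if (drop_privileges() != 0)
        return -1;                              /* never reach the toolkit */
    toolkit_init_stub();
    return 0;
}

int main(void)
{
    if (start(10) != 0) {
        fprintf(stderr, "could not drop privileges, aborting\n");
        return 1;
    }
    printf("rt=%d euid at toolkit init=%ld\n", rt_enabled,
           (long)euid_at_toolkit_init);
    return 0;
}
```

The scheduling policy obtained while privileged stays in effect after the uid change, so nothing is lost by moving toolkit initialisation after the drop.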


