Re: GTK+-1.2.9 Released
- From: Paul Davis <pbd Op Net>
- To: "J. Ali Harlow" <gtk-list optosun7 city ac uk>
- Cc: Owen Taylor <otaylor redhat com>, gtk-list gnome org, slashem-devel lists sourceforge net
- Subject: Re: GTK+-1.2.9 Released
- Date: Mon, 05 Mar 2001 12:39:42 -0500
[ setuid/setgid checks ]
>There may be a clear argument, but I have to say that it is unacceptable to me
>for the GTK team to resort to such nannyisms. While it would not be impossible
>for the Slash'EM development team to comply with this (and it would also have
>some fringe benefits) it would take a huge amount of work - we would have to
>change the graphical interfaces to the game into separate processes and
>implement a protocol for communicating with the game core via pipes. It is
>quite ridiculous for the GTK team to impose their priorities on us in this way.
>
>Please provide a mechanism for applications to defeat this check or I will
>have to resort to subverting the getresuid() & getresgid() functions to lie to
>GTK. Should you block this we will simply have to drop support for GTK from
>Slash'EM (and tell our users why) until we can justify the time required to
>meet with your requirements.
I must admit that I initially felt the same way. But I was already
aware of the deep security implications of a setuid program that
(during GTK startup) is effectively turned into a Turing machine,
capable of executing more or less any code somebody might want it
to. As a result, my programs do not use the architecture that Owen's
link describes (they cannot, because their real-time characteristics
make them even more picky than typical games). Instead, they do all
the resource acquisition they need before initializing GTK+. This
includes locking all current and future memory into physical RAM,
starting a number of threads with POSIX Real Time Scheduling priority,
and so forth. Then I drop setuid, and start GTK+. GTK doesn't (and
won't) complain, and I don't have to worry (too much) about the
security implications of GTK's various RC files and whatnot.
Also, as I mentioned previously, setuid is not, for Linux 2.4.0 and
above, the right way to do any of this; capabilities are. My programs
require the RESOURCE capability, but nothing else (admittedly, the
RESOURCE capability will allow you to do just about anything if you're
clever enough, but it's not setuid).
--p
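The startup order Paul describes (acquire the privileged resources, drop the set-id identity, only then initialise the toolkit) as an added, stand-alone C example for Linux. This is not code from Paul's programs, Slash'EM or GTK+: the priority value, the resource set (mlockall plus SCHED_FIFO on the calling thread), and the shape of the "would the toolkit refuse" comparison are all assumptions made for illustration, since the page does not show GTK's actual check. The gtk_init() call is left as a comment so the file builds without GTK.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Step 1: grab the privileged resources while still holding the elevated
 * effective uid. Nothing in here reads user-controlled files or loads code,
 * which is what makes doing it before the toolkit starts safe.
 * Returns 0 on success, -1 with errno set on failure. */
int acquire_realtime_resources(int rt_priority)
{
    struct sched_param sp;

    /* Lock all current and future pages into RAM. Needs CAP_IPC_LOCK or a
     * large enough RLIMIT_MEMLOCK; an unprivileged run typically fails here
     * with EPERM or ENOMEM. */
    if (mlockall(MCL_CURRENT | MCL_FUTURE) != 0)
        return -1;

    /* Put the calling thread on SCHED_FIFO (needs CAP_SYS_NICE). Threads
     * created after this point inherit the policy under the default
     * PTHREAD_INHERIT_SCHED attribute, so real-time worker threads can be
     * started here, before the privileged identity goes away. The priority
     * value is an assumption for this example. */
    memset(&sp, 0, sizeof sp);
    sp.sched_priority = rt_priority;
    if (sched_setscheduler(0, SCHED_FIFO, &sp) != 0)
        return -1;
    return 0;
}

/* Step 2: give up the setuid/setgid identity for good. The saved set-id is
 * overwritten as well, so the process cannot swap the privileged id back in
 * later (which a plain seteuid() would leave possible).
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(void)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    if (getresuid(&ruid, &euid, &suid) != 0 ||
        getresgid(&rgid, &egid, &sgid) != 0)
        return -1;

    /* Order matters: once the uid is unprivileged we may no longer be able
     * to change group ids, so groups are dropped first. setgroups() itself
     * needs root, so only attempt it when we actually are root. */
    if (euid == 0 && setgroups(1, &rgid) != 0)
        return -1;
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;

    /* Verify: if the ids used to differ, regaining the old effective
     * uid/gid must now fail. Treat success as a bug. */
    if (euid != ruid && seteuid(euid) == 0)
        return -1;
    if (egid != rgid && setegid(egid) == 0)
        return -1;
    return 0;
}

/* A check of the same shape as the set-id test discussed in the thread:
 * compare the real ids against the effective and saved ones. Returns 1 if a
 * toolkit applying this rule would refuse to start, 0 otherwise. Whether
 * GTK+ 1.2.9 compares exactly these three values is an assumption. */
int toolkit_would_refuse(void)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    if (getresuid(&ruid, &euid, &suid) != 0 ||
        getresgid(&rgid, &egid, &sgid) != 0)
        return 1;
    return ruid != euid || ruid != suid || rgid != egid || rgid != sgid;
}

int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    /* A real-time program would refuse to continue here; the demo just
     * reports the failure so it still runs unprivileged. */
    if (acquire_realtime_resources(10) != 0)
        fprintf(stderr, "resource acquisition failed: %s\n", strerror(errno));

    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges: %s\n", strerror(errno));
        return 1;
    }
    if (toolkit_would_refuse())
        return 1; /* unreachable after a successful drop */

    /* gtk_init(&argc, &argv) and the rest of startup go here: RC files,
     * theme engines and modules are now read as the ordinary user. */
    printf("privileges dropped; safe to initialise the toolkit\n");
    return 0;
}
```

Run it unprivileged and the resource step fails but the drop succeeds; installed setuid root it takes the locked-memory and SCHED_FIFO resources first and still ends up with all six ids equal before any toolkit code runs. Note that the order also matters on the way in: acquiring the resources after dropping privileges would simply fail.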