Re: GTK+-1.2.9 Released
- From: "J. Ali Harlow" <gtk-list avrc city ac uk>
- To: Valdis Kletnieks vt edu
- Cc: gtk-list gnome org, slashem-devel lists sourceforge net
- Subject: Re: GTK+-1.2.9 Released
- Date: Mon, 5 Mar 2001 19:44:21 +0000
On Mon, 05 Mar 2001, Valdis Kletnieks vt edu wrote:
>
> On Mon, 05 Mar 2001 14:10:29 EST, Havoc Pennington said:
> > Right. Adding something like a GTK_ALLOW_INSECURE environment variable
> > doesn't seem like a terrible idea, though it's too late to do so for
> > 1.2.9.
>
> Wrong.
>
> A hacker can just say 'export GTK_ALLOW_INSECURE' and then run his exploit.
>
> A better solution would be to have a global variable inside the GTK libs
> that the application itself could set if it was willing to take the risks.
You're right, of course. What about if GTK_ALLOW_INSECURE pointed at a file
which contained the list of insecure apps that were allowed to run and if GTK+
checked that this file was owned by root? That way only the owner of a computer
system could give permission.
--
Ali Harlow Email: ali avrc city ac uk
Research programmer Tel: (020) 7477 8000 X 4348
Applied Vision Research Centre Intl: +44 20 7477 8000 X 4348
City University Fax: (020) 7505 5515
London Intl: +44 20 7505 5515
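
The root-owned allowlist check proposed in this message, sketched in C as an added example (not code from the post or from GTK+). The function names, the one-name-per-line file format, the sample entries and the extra rejection of group- or world-writable files are assumptions; the owner is a parameter so the check can be run without root, and the proposal corresponds to owner 0.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not GTK+ code: returns 1 only if `path` is a regular file
 * owned by `owner`, not group/other-writable, and lists `app` on its own line. */
int allowlist_permits(const char *path, const char *app, uid_t owner)
{
    struct stat st;
    char *line = NULL;
    size_t cap = 0;
    int found = 0;
    int fd = open(path, O_RDONLY | O_NOFOLLOW); /* no symlink as last component */
    if (fd < 0) return 0;
    FILE *fp = fdopen(fd, "r");
    if (!fp) { close(fd); return 0; }
    /* fstat() the open descriptor so the file cannot be swapped after the check. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == owner &&
        !(st.st_mode & (S_IWGRP | S_IWOTH))) {
        while (!found && getline(&line, &cap, fp) != -1) {
            line[strcspn(line, "\r\n")] = '\0';   /* strip the line ending */
            found = strcmp(line, app) == 0;       /* exact match only */
        }
    }
    free(line);
    fclose(fp);
    return found;
}

/* Writes a constructed sample allowlist with the given mode; 0 on success. */
int write_sample(const char *path, mode_t mode)
{
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    fputs("example-game\nother-app\n", fp);       /* constructed entries */
    return fclose(fp) == 0 ? chmod(path, mode) : -1;
}

int main(void)
{
    const char *p = "gtk_allow_insecure.sample";  /* constructed file name */
    int ok = write_sample(p, 0644) == 0 && allowlist_permits(p, "example-game", geteuid());
    printf("permitted: %d\n", ok);
    return remove(p);
}
```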