Re: GTK+-1.2.9 Released

From: Nils Philippsen <nils redhat de>
To: <Valdis Kletnieks vt edu>
Cc: <gtk-list gnome org>, <slashem-devel lists sourceforge net>
Subject: Re: GTK+-1.2.9 Released
Date: Tue, 6 Mar 2001 15:46:40 +0100 (CET)

On Mon, 5 Mar 2001 Valdis Kletnieks vt edu wrote:

> On Mon, 05 Mar 2001 15:14:20 EST, Havoc Pennington said:
> > Perhaps the best solution is a combination, GTK_ALLOW_INSECURE enables
> > makes the gtk_disable_security_check() function do something, by
> > default gtk_disable_security_check() would be a no-op. So then you
> > need both the app author and the user to agree to make the app
> > insecure.
>
> That's a bit better.  I'm still leery of using an env variable to say
> "please do it", simply because a hacker about to use an exploit WILL
> say "please".
>
> Better would be:
>
> a) the app sets a global variable saying "It's OK'.
> b) The GTK lib then does something like:
>
>    if (app_set_insecure_ok) {
>       /* check / isn't world/group writable */
>        /* check /etc isn't world/group writable */
>        /* check /etc/gtk_perms is not group/world writable */
>
>        /* open /etc/gtk_perms and see if our app name is in there */
>        /* if so, do it *.
>    }
>
> Yes, the checks on /etc and / are needed, to prevent rename races.
>
> Checking in /etc/gtk_perms for argv[0] isn't safe, an attacker could
> play execve() games.  Probably better would be to store a triple in
> the file of (argv[0], filesystem, inode) as returned by stat(), and
> compare those to the results of stat'ing the currently running binary
> (which can be tricky to identify).  Also, that has an annoying tendency
> to break if you apply updates and/or dump/restore the filesystem when
> the inode number changes.

An [albeit Linux only] solution would be to check /proc/$pid/exe which is
a symlink pointing to the real inode where the executable lies. So you
could simply readlink /proc/$pid/exe and compare that to /path/to/program
in said file and would be on the safe side.

Nils
-- 
         Nils Philippsen / +49.711.96437.250 / nils redhat de
       Red Hat GmbH / Hauptstätter Straße 58 / D70178 Stuttgart
The use of COBOL cripples the mind; its teaching should, therefore, be
regarded as a criminal offence.                  -- Edsger W. Dijkstra

References:
- Re: GTK+-1.2.9 Released
  - From: Valdis . Kletnieks

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]