Re: GTK+-1.2.9 Released



On Mon, 05 Mar 2001, Paul Davis wrote:
> [ snip my rant re. setuid/setgid checks ]
> 
> I must admit that I initially felt the same way. But I was already
> aware of the deep security implications of a setuid program that
> (during GTK startup) is effectively turned into a Turing machine,
> capable of executing more or less any code somebody might want it
> to. As a result, my programs do not use the architecture that Owen's
> link describes (they cannot, because their real-time characteristics
> make them even more picky than typical games). Instead, they do all
> the resource acquisition they need before initializing GTK+. This
> includes locking all current and future memory into physical RAM,
> starting a number of threads with POSIX Real Time Scheduling priority,
> and so forth. Then I drop setuid, and start GTK+. GTK doesn't (and
> won't) complain, and I don't have to worry (too much) about the
> security implications of GTK's various RC files and whatnot.
> 
> Also, as I mentioned previously, setuid is not, for Linux 2.4.0 and
> above, the right way to do any of this; capabilities are. My programs
> require the RESOURCE capability, but nothing else (admittedly, the
> RESOURCE capability will allow you to do just about anything if you're
> clever enough, but it's not setuid).

Thanks for the suggestions, Paul. Our problem is that the graphical interface
to Slash'EM is just one part of a much larger program.

Slash'EM can't drop privileges before calling GTK+ because it will need to
update score files, write out saved levels, and other associated files. This
could all be done in a helper program, but that would require major re-writing
of the game core and I wouldn't be prepared to even consider that without the
agreement from the NetHack dev-team (of which Slash'EM is just a variant).
I think breaking the graphical interface off into a separate process would be
a better solution than this.

As far as capabilities go, you have to understand that NetHack and Slash'EM
are some of the most portable programs ever written. Slash'EM has binaries for
Atari, Mac, DOS, MS-Windows, RedHat & Debian and source support for a lot more.
We're not going to throw that away.

Btw, you do realise that if your application is setuid root, then there
already exists a mechanism to defeat the check :-) There's nothing to stop you
simply setting real, effective & saved UIDs to root. Since Slash'EM is normally
installed setgid games, that is not an option available to us.

-- 
Ali Harlow                              Email: ali avrc city ac uk
Research programmer                     Tel:   (020) 7477 8000 X 4348
Applied Vision Research Centre          Intl: +44 20 7477 8000 X 4348
City University                         Fax:   (020) 7505 5515
London                                  Intl: +44 20 7505 5515
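The sequence Paul describes above (acquire the privileged resources first, then drop setuid/setgid permanently before initialising the toolkit), written out as an added example for Linux. This is not code from either message, from GTK+ or from Slash'EM; it assumes glibc's setresuid()/setresgid()/getresuid()/getresgid(), uses mlockall() as the stand-in for "resource acquisition", and leaves out the real-time thread setup the message mentions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes for the Linux-specific calls, so the code still
 * compiles if _GNU_SOURCE was not in effect when <unistd.h> was first read. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* Step 1, still privileged: acquire what needs the elevated identity.
 * mlockall() stands in for the locking-memory step from the message.
 * Returns 0 on success, -1 with errno set if the kernel refuses
 * (expected when run without privilege). */
int acquire_privileged_resources(void)
{
    return mlockall(MCL_CURRENT | MCL_FUTURE);
}

/* Step 2: drop to the real uid/gid for good. Group first: once the
 * effective uid is unprivileged, changing the gid would be refused.
 * Setting real, effective AND saved ids is what makes the drop
 * irreversible; leaving the saved id alone would let a later
 * setuid()/setgid() climb back. Returns 0 on success, -1 on failure. */
int drop_privileges_permanently(void)
{
    gid_t gid = getgid();
    uid_t uid = getuid();

    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop the way a toolkit start-up check could: all three
 * uids must agree and all three gids must agree. Returns 1 if so, 0 if
 * any id still differs or the query fails. */
int privileges_dropped(void)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return ru == eu && eu == su && rg == eg && eg == sg;
}

int main(void)
{
    if (acquire_privileged_resources() != 0)
        fprintf(stderr, "mlockall failed: %s (continuing)\n", strerror(errno));

    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "could not drop privileges: %s\n", strerror(errno));
        return 1;
    }
    if (!privileges_dropped()) {
        fputs("privileges not fully dropped; refusing to start the GUI\n", stderr);
        return 1;
    }
    printf("uid %u gid %u: safe to initialise the toolkit now\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run unprivileged, mlockall() normally fails and the drop is a no-op that still passes the check; installed setgid games, the setresgid() call is the one that matters. Note that privileges_dropped() has exactly the blind spot Ali points out: a setuid-root program that sets all three uids to root also satisfies "all ids agree", so a check of this shape tells you the ids are consistent, not that the process is unprivileged.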



