On Mon, 05 Mar 2001 19:44:21 GMT, "J. Ali Harlow" said:

> You're right, of course. What about if GTK_ALLOW_INSECURE pointed at a file
> which contained the list of insecure apps that were allowed to run and if GTK+
> checked that this file was owned by root. That way only the owner of a computer
> system could give permission.

Still wrong. We've seen enough apps that manage to screw up the "environment
variable pointing to a file" with symlink races and the like.

In addition, the average *owner* of a computer system doesn't understand the
implications of set-GID programming, and will probably toss the application's
name into the file because "somebody said it was needed". Only the author of the
application knows if they've applied sufficient other checks to make set-GID
operation safe. Therefore, only the application should be allowed to say "it's
OK" (via a global variable set by the app before calling a GTK routine).

Yes, some programmer will botch it. But if you allow *any* bypassing of the
current set-UID/GID check, it really has to be the programmer's call.

-- 
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech