Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Claimed vulnerability in GTK_MODULES
From: Kris Kennaway <kris () FREEBSD ORG>
Date: Thu, 4 Jan 2001 04:03:55 -0800

On Wed, Jan 03, 2001 at 09:32:29AM -0800, Kris Kennaway wrote:
On Wed, Jan 03, 2001 at 10:40:33AM -0500, Owen Taylor wrote:
What follows is the official GTK+ team position on this matter.  (It
can be found at http://www.gtk.org/setuid.html as well.)  The summary
is that we don't consider it a problem because writing set[ug]id
programs with a GUI toolkit is simply a bad idea and not supported for
GTK+.

Why not force the issue and abort in GTK startup if issetugid() (for
those platforms which have it)?

Actually, aborting on issetugid() ("Are you now, or have you ever
been, a privileged exeutable?") probably won't work acceptibly for
programs which revoke all privileged resources before calling GTK. Of
course, if GTK does not abort, and a program drops only some
privileges (e.g. only setuid()'ing from root) this still allows
hijacking of any privileged resources the application still retains,
such as network sockets and open file descriptors.

Perhaps the best thing would be to force a global variable to be set
in privileged GTK apps to allow them to run (bypassing the issetugid()
abort), so that developers have fair warning of insecurity, but the
ability to override it if they truly believe themselves to be safe
(e.g. the GNOME games case or programs which revoke privilege and all
privileged resources)

Kris

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]