mailing list archives
Re: gtk+ security hole.
From: Bryan Porter <bporter () GTW NET>
Date: Thu, 4 Jan 2001 18:15:48 -0600
I'm gathering from the feedback I've gotten that I may have been
overly-harsh. I especially feel rather silly knowing that everyone else in
the known universe doesn't make GUI apps suid. Well, experience is a great
teacher, and let's just say I've learned a lot. Thanks for the input guys,
and apologies to the GTK+ team - it seems I was wrong after all.
From: Dan Stromberg [mailto:strombrg () nis acs uci edu]
Sent: Thursday, January 04, 2001 5:19 PM
To: Bryan Porter
Subject: Re: gtk+ security hole.
How surprising to see a Qt rant in there. :-S
Actually, I wouldn't recommend running Qt setuid either. GUI programs
shouldn't be setuid. Look at all the trouble we've had with xterm.
It should have had a setuid helper program from the beginning.
On Wed, Jan 03, 2001 at 03:30:10PM -0600, Bryan Porter wrote:
I'm sorry, but this seems a bit much for me. My car has tires, and because
the tires are kind of bad and over-engineered, I should'nt drive over
because they might explode? What? Fix the tires. Same thing here.
"Don't make GTK+ program suid/setgid because it's based on another project
with multiple potential vulnerabilites." Absolutely ridiculous. "Our tires
suck because we bought cheap rubber." What?
Bottom line, if GTK+ is broken, fix it. And if it can't safely run suid,
then it is horribly broken. It's a graphic library for christs sake. And,
it so full of spaghetti code that it can't easily be fixed, then trash it.
But the excuses given are ridiculous, period. No professional project
ever stand for this level of ineptitude. Qt works fine suid. And it's
Dan Stromberg UCI/NACS/DCS
- Re: gtk+ security hole., (continued)
- Re: gtk+ security hole. Bryan Porter (Jan 04)
- Re: gtk+ security hole. Bryan Porter (Jan 05)