Bugtraq mailing list archives
Re: gtk+ security hole.
From: Robert van der Meulen <rvdm () CISTRON NL>
Date: Wed, 3 Jan 2001 17:46:23 +0100
Hi,

Quoting Kain (kain () CHAOSIUM NET):

> On Tue, Jan 02, 2001 at 04:13:58PM -0500, Rob Mosher wrote:
> > A simple fix to this would be to drop privileges before calling gtk_init(); another easy fix is to modify gtk itself. To do this you need to make the following modification of gtkmain.c. In gtk-1.2.8 it's at approximately line 215, you have:
>
> IMO, the best way to fix this would be to have libglib/gtk see if euid==0 and just ignore those variables on init, and quite possibly go so far as to ignore "engine" lines in .gtkrcs or maybe filter them....
In the official reply of the gtk+ team, several very valid reasons are given to _never_ have a suid/setgid gtk program. If a gtk program is suid, the suidness is a security hole in itself. I do not think gtk should be patched to behave differently when it's running suid/setgid, as this will only encourage people to make suid/setgid gtk programs, and we don't want that ;) If there are bugs in the gtk libs they should (of course) be patched, but specific 'features' for evading problems occurring when running setuid/setgid should IMHO not be implemented.

Just my $.02,
	Robert

--
Linux Generation
Life is a sexually transmitted disease with 100% mortality.
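The first mitigation Rob Mosher proposes in the quoted text, dropping privileges before gtk_init(), is the one a program author controls, and it is only worth anything if the drop is permanent and verified. The following is an added example, not code from this thread or from gtk: it scrubs toolkit-influencing environment variables when the process started with ids it did not inherit, then drops to the real uid/gid and checks that the saved set-user-ID is gone as well, so that the drop cannot be reversed. GTK_MODULES and GTK_RC_FILES are real gtk variables, but the list of names, the function names and the main() are this example's own assumptions; a real setuid program would do all of this before its first toolkit call.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Prototypes for the Linux-specific calls, in case _GNU_SOURCE was not seen
 * before the first system header (harmless if the headers declared them). */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);

/* Environment variables a toolkit might honour that must not be trusted when
 * the process runs with ids its invoker does not have. GTK_MODULES and
 * GTK_RC_FILES are real gtk variables, but this list is an illustration, not
 * gtk's own; the dynamic linker already restricts LD_PRELOAD for setuid binaries. */
static const char *const untrusted_vars[] = {
    "GTK_MODULES", "GTK_RC_FILES", "LD_PRELOAD", NULL
};

/* 1 if the process is setuid/setgid (real != effective) or effectively root. */
int running_privileged(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid != euid || gid != egid || euid == 0;
}

/* Remove every untrusted variable from the environment; returns how many were set. */
int scrub_untrusted_env(void)
{
    int removed = 0;
    for (const char *const *v = untrusted_vars; *v != NULL; ++v) {
        if (getenv(*v) != NULL) {
            unsetenv(*v);
            ++removed;
        }
    }
    return removed;
}

/* Permanently drop to the real uid/gid and verify the drop took effect.
 * Returns 0 on success, -1 if any step failed or could be undone. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    /* Supplementary groups can only be changed by root: clear them first,
     * while we still can, so no group membership survives the drop. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Group before user: once the effective uid is unprivileged, setresgid fails. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Never trust the calls alone: re-read all three ids and confirm the saved
     * set-user-ID is gone too, otherwise the drop could be reversed later. */
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid)
        return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return -1;
    /* For a non-root invoker, an attempt to regain root must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    if (running_privileged(getuid(), geteuid(), getgid(), getegid()))
        printf("privileged start: scrubbed %d untrusted variable(s)\n",
               scrub_untrusted_env());
    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    /* Only now would a real program call gtk_init(): the toolkit then runs
     * with the invoker's own ids and sees only the scrubbed environment. */
    printf("running as uid %u, safe to initialise the toolkit\n", (unsigned)getuid());
    return 0;
}
```

The order matters: supplementary groups and the gid go first because both need root, and the final checks exist because setuid() and setresuid() can fail silently on some kernels and configurations, which is exactly the failure an attacker would rely on. Robert's broader point stands regardless: a program that does this correctly has still handed the toolkit nothing it can safely do with elevated ids, so not being setuid at all remains the better design.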