Bugtraq mailing list archives
Re: gtk+ security hole.
From: Crispin Cowan <crispin () WIREX COM>
Date: Thu, 4 Jan 2001 12:29:36 -0800
Bryan Porter wrote:
I'm sorry, but this seems a bit much for me. My car has tires, and because the tires are kind of bad and over-engineered, I shouldn't drive over 10MPH because they might explode? What? Fix the tires. Same thing here. "Don't make GTK+ program suid/setgid because it's based on another project with multiple potential vulnerabilities." Absolutely ridiculous. "Our tires suck because we bought cheap rubber." What?
That's the silliest thing I've read today. SUID programs (or in fact any highly trusted entity) absolutely should be small. Small size is a classic element of good design of a Trusted Computing Base. You cannot effectively security-audit a large code base, so you identify the smallest possible elements that need strong authority, and exclude the rest from the high-trust mode.
Bottom line, if GTK+ is broken, fix it. And if it can't safely run suid, then it is horribly broken. It's a graphic library for christs sake. And, if it so full of spaghetti code that it can't easily be fixed, then trash it. But the excuses given are ridiculous, period. No professional project would ever stand for this level of ineptitude. Qt works fine suid. And it's quite cross-platform.
The "Don't use setuid with X" that Wichert Akkerman posted is excellent advice. This also applies to Qt: I do not for one second believe that Qt or KDE is secure. Further, this issue is the fundamental basis for some of the security and stability problems found in Windows NT. Windows incorporates a large graphics subsystem into the kernel, forcing it to be part of the trusted computing base. Problem: when bugs in that code break stuff, the whole kernel goes south and you get a BSOD. KISS (Keep It Simple, Stupid) is the soul of secure design. More importantly, the architecture should allow the implementor to build small & simple trusted programs, without having to link in huge tracts of code. Harkening back to your tire analogy: tires (and brakes and steering) are all part of the car's safety systems, and thus are heavily over-engineered. But don't make the safety of the car depend on flaky, unnecessary components like the radio and the power windows, or you substantially increase the risk of failure.
Crispin
--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
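Worked example, added here and not part of the original thread: the pattern Crispin argues for, a privileged program whose trusted part stays tiny. The few lines that actually need root run first, privileges are then dropped irrevocably and the drop is verified, and only after that would a large library such as a GUI toolkit be initialised. It assumes Linux with glibc (setresuid/setresgid/getresuid); the function name drop_privileges_to and the open of /dev/null standing in for "the one privileged operation" are this example's own choices, not anything from GTK+, Qt or the thread.

```c
/* Added example (not from the original thread): keep the trusted part of a
 * setuid program small, drop privileges before touching anything large.
 * Assumes Linux/glibc for setresuid/setresgid/getresuid/getresgid. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to (uid, gid) and verify the drop.
 * Returns 0 on success, -1 on failure. Asking to "drop" to uid 0 or gid 0
 * is refused: that is not a drop at all. */
int drop_privileges_to(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    if (uid == 0 || gid == 0)
        return -1;

    /* Supplementary groups first; only root may change them, and a
     * non-root caller has no way to hold privileged groups it was not given. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* Group before user: once the uid is gone, setresgid would fail. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Verify rather than trust: real, effective and saved ids must all match. */
    if (getresuid(&ruid, &euid, &suid) != 0 ||
        ruid != uid || euid != uid || suid != uid)
        return -1;
    if (getresgid(&rgid, &egid, &sgid) != 0 ||
        rgid != gid || egid != gid || sgid != gid)
        return -1;

    /* Regaining root must now be impossible; a successful setuid(0) means
     * the drop did not take (e.g. saved uid still 0). */
    if (setuid(0) == 0 || errno != EPERM)
        return -1;
    return 0;
}

int main(void)
{
    /* Real ids identify the invoking user; the effective id is what the
     * setuid bit granted us. We want to keep only the former. */
    uid_t real_uid = getuid();
    gid_t real_gid = getgid();

    /* 1. The privileged part, kept to a few auditable lines. /dev/null is a
     *    stand-in for whatever root-only resource the program truly needs. */
    int privileged_fd = open("/dev/null", O_RDONLY);
    if (privileged_fd < 0) {
        perror("open");
        return EXIT_FAILURE;
    }

    /* 2. Drop before initialising anything large. If the program was run
     *    directly as root, drop_privileges_to refuses and we exit. */
    if (drop_privileges_to(real_uid, real_gid) != 0) {
        fprintf(stderr, "refusing to continue: privileges not dropped\n");
        close(privileged_fd);
        return EXIT_FAILURE;
    }

    /* 3. Only here would the GUI toolkit be initialised, with the already
     *    opened descriptor handed to it and no way back to root. */
    printf("running unprivileged as uid %u, holding fd %d\n",
           (unsigned)geteuid(), privileged_fd);
    close(privileged_fd);
    return EXIT_SUCCESS;
}
```

The ordering matters: groups, then gid, then uid, then a check that setuid(0) fails, because a program that only calls setuid(uid) on some systems leaves the saved uid at 0 and can silently regain root later.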
Current thread:
- gtk+ security hole. Chris Sharp (Jan 02)
- Re: gtk+ security hole. Rob Mosher (Jan 02)
- Re: gtk+ security hole. Rob Mosher (Jan 03)
- Re: gtk+ security hole. Rob Mosher (Jan 03)
- Re: gtk+ security hole. Kain (Jan 03)
- Re: gtk+ security hole. Robert van der Meulen (Jan 03)
- Re: gtk+ security hole. Wichert Akkerman (Jan 04)
- Re: gtk+ security hole. Rob Mosher (Jan 03)
- Re: gtk+ security hole. Rob Mosher (Jan 02)
- <Possible follow-ups>
- Re: gtk+ security hole. Bryan Porter (Jan 04)
- Re: gtk+ security hole. Crist Clark (Jan 05)
- Re: gtk+ security hole. Joe (Jan 05)
- Re: gtk+ security hole. Crispin Cowan (Jan 05)
- Re: gtk+ security hole. Bryan Porter (Jan 05)