
List:       ethereal-dev
Subject:    Re: [ethereal-dev] GTK+ programs unsafe to make set-UID?
From:       Nathan Neulinger <nneul () umr ! edu>
Date:       2000-02-28 3:38:25

Ethereal has so many other suid issues besides this that it's going to
be a long time before it isn't insane to make it setuid for anyone you
don't trust.

-- Nathan

Guy Harris wrote:
> 
> The subthread on the GNOME site at:
> 
> http://news.gnome.org:80/gnome-news/951499666/951526170/951541686/index_html
> 
> quotes Havoc Pennington (one of the GTK+ developers) as saying:
> 
>         The problem is that you CANNOT link an suid binary to GTK.  NO
>         WAY.  It's a gaping, huge, enormous, unbelievable barn door of a
>         security hole.
> 
> and
> 
>         IT IS TOTALLY UNSAFE TO MAKE ANY GTK PROGRAM SUID. Period.
> 
> If true (and I suspect he's correct), then, given that Ethereal is a
> GTK+ program, making it set-UID to root, no matter how convenient it
> might be, might be a Very Bad Idea unless you can control who gets to
> run it on your machine.

-- 


------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
CIS - Systems Programming                Fax: (573) 341-4216
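The thread's point is that a set-UID binary linked against GTK+ is a risk regardless of the program's own code. A defender's first question is whether any such binary exists on a host. The script below is an added example, not code from the thread or from the Ethereal project: it walks the filesystem for set-UID/set-GID executables and flags those whose ldd(1) output names a GTK+ library. It assumes a find(1) that supports `-perm -4000` and an ldd that prints `libname => /path` lines; the library-name pattern is my own (it matches the GTK+ 1.x, 2.x, 3.x and 4.x shared-object names).

```shell
#!/bin/sh
# Added example (not from the thread): find set-UID/set-GID binaries that
# link against GTK+, the combination the quoted message warns against.

# Read ldd-style output on stdin; return 0 if a GTK+ library is listed.
# Matches libgtk-1.2.so.*, libgtk-x11-2.0.so.*, libgtk-3.so.*, libgtk-4.so.*
# (pattern is an assumption about library naming, not from the thread).
gtk_linked_from_ldd() {
    grep -Eq '^[[:space:]]*libgtk(-x11)?-[0-9.]+\.so'
}

# Print every set-UID or set-GID regular file under $1 (default /) that
# links against GTK+. -xdev keeps the walk on one filesystem; errors from
# unreadable directories and non-ELF files are discarded.
audit_setuid_gtk() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r bin; do
        if ldd "$bin" 2>/dev/null | gtk_linked_from_ldd; then
            # Show owner and mode so the reviewer sees who the binary runs as.
            ls -l "$bin"
        fi
    done
}

# Only scan when a root directory is given on the command line,
# e.g. "sh audit.sh /usr", so sourcing this file does not start a walk.
if [ $# -gt 0 ]; then
    hits=$(audit_setuid_gtk "$1")
    if [ -n "$hits" ]; then
        printf 'set-UID/set-GID binaries linked against GTK+:\n%s\n' "$hits"
        exit 1
    fi
    echo "no set-UID/set-GID GTK+ binaries under $1"
fi
```

Run it as root for a complete picture, since unreadable directories are silently skipped; a non-root run still covers the usual system paths. Any hit is worth explaining in an audit record, whether it is a packaged tool or a locally applied chmod.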
