List: ethereal-dev
Subject: Re: [ethereal-dev] GTK+ programs unsafe to make set-UID?
From: Nathan Neulinger <nneul () umr ! edu>
Date: 2000-02-28 3:38:25
Ethereal has so many other suid issues besides this that it's going to
be a long time before it isn't insane to make it setuid for anyone you
don't trust.
-- Nathan
Guy Harris wrote:
>
> The subthread on the GNOME site at:
>
> http://news.gnome.org:80/gnome-news/951499666/951526170/951541686/index_html
>
> quotes Havoc Pennington (one of the GTK+ developers) as saying:
>
> The problem is that you CANNOT link an suid binary to GTK. NO
> WAY. It's a gaping, huge, enormous, unbelievable barn door of a
> security hole.
>
> and
>
> IT IS TOTALLY UNSAFE TO MAKE ANY GTK PROGRAM SUID. Period.
>
> If true (and I suspect he's correct), then, given that Ethereal is a
> GTK+ program, making it set-UID to root, no matter how convenient it
> might be, might be a Very Bad Idea unless you can control who gets to
> run it on your machine.
--
------------------------------------------------------------
Nathan Neulinger EMail: nneul@umr.edu
University of Missouri - Rolla Phone: (573) 341-4841
CIS - Systems Programming Fax: (573) 341-4216