List:       kde-devel
Subject:    kdelibs & setuid root programs
From:       Harri Porten <porten () tu-harburg ! de>
Date:       1998-10-31 17:40:55

Hi !

There are three "issues" I want to address that turn up when using
setuid root programs with the KDE libraries:

1.) KApplication::init() uses mkdir() to create ~/.kde/share/config
_without_ making them belong to the real user and group id. (This topic
was brought up a few months ago but hasn't been solved yet.)

2.) KConfig::writeConfigFile(): newly created config files will belong
to root, i.e. the user won't be able to edit/delete his private config
files.

3.) $HOME: the member functions cited above both rely on $HOME to
determine ~/.kde. Of course, it's the author's duty to prevent any
damage caused by manipulated environment variables, but I strongly
suggest that these functions should at least check whether they're
trying to write to a directory owned by the user or someone else.

Thanks,

Harri.
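
As an added illustration of points 1 and 3 (not part of the original message and not kdelibs code): a C sketch that creates a directory only under a parent owned by the real user and hands a newly created directory to the real uid/gid. The function names `open_dir_owned_by_real_user` and `ensure_user_dir` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open path as a directory without following a final symlink. Return the
 * descriptor only if the real user (getuid(), which stays the invoking
 * user in a setuid root program) owns it; return -1 otherwise. */
int open_dir_owned_by_real_user(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || st.st_uid != getuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Create `name` under `parent` on behalf of the real user.
 * Returns 0 on success; -1 on error, or if the parent or an already
 * existing directory belongs to someone else. */
int ensure_user_dir(const char *parent, const char *name, mode_t mode)
{
    struct stat st;
    int rc = -1, fd, created;
    int pfd = open_dir_owned_by_real_user(parent);
    if (pfd < 0)
        return -1;      /* e.g. $HOME points at a directory that is not ours */
    created = (mkdirat(pfd, name, mode) == 0);
    if (created || errno == EEXIST) {
        /* Work on descriptors so the checks and the chown apply to the
         * object that was opened, not to whatever the name refers to later. */
        fd = openat(pfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        if (fd >= 0 && fstat(fd, &st) == 0) {
            if (st.st_uid == getuid())
                rc = 0;     /* already belongs to the real user */
            else if (created && fchown(fd, getuid(), getgid()) == 0)
                rc = 0;     /* made with elevated euid: give it back */
        }
        if (fd >= 0)
            close(fd);
    }
    close(pfd);
    return rc;
}
```

A directory that already exists is never chowned, only one this call created; otherwise a manipulated $HOME could be used to take ownership of a root-owned directory.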
