[gtk-web/issue-47] Add back the setuid.html page
- From: Emmanuele Bassi <ebassi src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gtk-web/issue-47] Add back the setuid.html page
- Date: Sun, 19 Apr 2020 20:07:29 +0000 (UTC)
commit 8a1ac07e479b457617ee4c9dd910095aeb046063
Author: Emmanuele Bassi <ebassi gnome org>
Date: Sun Apr 19 21:06:33 2020 +0100
Add back the setuid.html page
The page is referenced by GTK's source code in a user-visible error
message, and we need to maintain the URL.
Fixes: #47
README.md | 1 +
setuid.html | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 64 insertions(+)
---
diff --git a/README.md b/README.md
index c056f0e..f62761a 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,7 @@ The data used by the site is stored in the form of following files:
├── package-lock.json
├── package.json #contains node dependencies for the site.
├── README.md
+ ├── setuid.html #referenced by GTK's source code
└── setup.sh #script for setting up the website
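Review bot: The new tree entry's comment says only "referenced by GTK's source code", but the reason the file matters is that the URL must stay stable because GTK prints it in a user-visible error message; consider stating that in the comment (e.g. `#referenced from a GTK error message; URL must not change`) so a later cleanup of the repository does not remove or rename the page.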
## Contributing
diff --git a/setuid.html b/setuid.html
new file mode 100644
index 0000000..dac8d76
--- /dev/null
+++ b/setuid.html
@@ -0,0 +1,63 @@
+{% include header.html %}
+
+{% include navbar.html %}
+
+<div class="container py-4 d-flex align-items-center justify-content-center" style="min-height: 100vh;">
+ <div class="row justify-content-center">
+ <div class="col-12 col-sm-8 d-flex flex-column align-items-center">
+ <h3 class="text-center">Why GTK_MODULES is not a security hole</h3>
+ <div class="w-100 py-3 px-3">
+ <p>GTK supports the environment variable <code>GTK_MODULES</code> which specifies arbitrary
+ dynamic modules to be loaded and executed when GTK is initialized. It is somewhat similar to
+ the <code>LD_PRELOAD</code> environment variable. However, this (and similar functionality
+ such as specifying theme engines) is not disabled when running <code>setuid</code> or
+ <code>setgid</code>. Is this a security hole? No. Writing <code>setuid</code> and
+ <code>setgid</code> programs using GTK is bad idea and will never be supported by the GTK
+ team.</p>
+
+ <p>You should not write <code>setuid</code> GTK programs because:</p>
+
+ <p>GTK is too big. GTK+-2.0 and its dependent libraries (ignoring Xlib) total over 600,000
+ lines of code. For GTK+-3.0 (ignoring backend specific and image loading libraries), this
+ figure is over 800000 lines of code.</p>
+
+ <p>GTK is too complex. GTK takes input from dozens of sources, from drag-and-drop, to
+ root-window properties, to keyboard input, to configuration files. This is a much broader
+ scope for compromises than a typical server and makes auditing GTK especially tricky.</p>
+
+ <p>Security of GTK requires the security of the underlying windowing system backend. The
+ GTK team is not prepared to make that guarantee. Security bugs have been found in the
+ recent past in such areas of Xlib as the input method code.</p>
+
+ <p>You should not make your GUI setuid at all. Why run the risk of security bugs in code
+ that does not need to be running with elevated privileges?</p>
+
+ <p>In the opinion of the GTK team, the only correct way to write a <code>setuid</code>
+ program with a graphical user interface is to have a <code>setuid</code> backend that
+ communicates with the non-<code>setuid</code> graphical user interface via a mechanism
+ such as a pipe and that considers the input it receives to be untrusted.</p>
+
+ <p>For this reason, no effort is made in GTK to disable the obvious ways that you could
+ compromise a setuid GTK program - <code>GTK_MODULES</code> and the ability for the user
+ to specify theme engines, because we consider this to be only papering over the fundamental
+ problems of writing <code>setuid</code> programs with any GUI toolkit. GTK may be modified
+ in the future to simply refuse to run with elevated privileges, though it does not do this
+ currently.</p>
+
+ <p>Does this mean that there are no security considerations for GTK? No. In particular
+ image loaders have been and will continue to be an area of special care, since users may
+ load images from untrusted sources. And in addition to the possibility of this variety of
+ exploit, most potential security holes are essentially bugs and even as mere bugs, must
+ be squashed. To help accomplish this goal, GTK extensively uses high-level data structure
+ abstractions which minimize the risk of most traditional buffer overflows.</p>
+
+ <p>However, the secure <code>setuid</code> program is a 500 line program that does only
+ what it needs to, rather than a 800,000 line library whose essential task is user
+ interfaces.</code>
+ </div>
+ </div>
+ </div>
+</div>
+
+{% include scripts.html %}
+{% include footer.html %}
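Review bot: The last paragraph is closed with `</code>` instead of `</p>` (`interfaces.</code>` on the line before `</div>`), which leaves the `<p>` unclosed and the markup malformed; change it to `interfaces.</p>`. Two smaller text points in the same file: "using GTK is bad idea" should read "using GTK is a bad idea", and "over 800000 lines of code" should use the same thousands separator as "600,000" a few lines above ("over 800,000 lines of code"), which also matches the "800,000 line library" wording in the closing paragraph.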