Re: Your opinion about adding Gnome Xsu to GNOME-Utils



Is there another way to do su, like using PAM in supported platforms?

Quoting Philip Van Hoof <freax pandora be>:

> 
> 
> On 2001.11.19 18:46 Havoc Pennington wrote:
> > 
> > 
> > Philip Van Hoof <freax pandora be> writes:
> > > So, I redirect my question to this list, what do other
> > > people think ? :)
> > 
> > It looks extremely suspect on a quick glance - e.g. it uses execlp()
> > to launch an su subprocess, and the way it launches/talks to the
> > subprocess is by spawning it in an offscreen ZvtTerm and parsing the
> > output expect-style. I don't think it would pass a security audit.
> 
> I replaced the execlp() function with an execl() function (the configure
> script searches the $PATH for a su command, uses this path and warns about
> this security issue when it's finished. I can't do more about the issue
> for the person who is compiling xsu from source. Maybe a check if the
> current directory is in his PATH, but I find this rather stupid)
> 
> - execlp(\"su\", \"-\", username, \"-c\", buffer, NULL);
> + #define SU_PATH \"/bin/su\" /* by configure script */
> + execl(SU_PATH, \"-\", username, \"-c\", buffer, NULL);
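
Review bot: in the added execl() call the "-" sits in the argv[0] slot, so su receives it as its program name and not as an argument; if the login-shell option is intended, pass an explicit argv[0] first (for example "su") and then "-". The terminating NULL is better written as (char *)NULL because execl() is variadic. The fixed SU_PATH removes the $PATH lookup, but the call still hands the caller's environment to su unchanged.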
> 
> I am not sure if this completely fixes the issue. (it's in the cvs at
> this moment)
> 
> 
> About the ZvtTerm issues; these will take longer to fix. I will have to
> find another way to pass data to the getpass() function of the Unix 'su'
> command, Havoc told me that using the zvt is insecure because
> "ZvtTerm code may contain a security hole allowing some sort of buffer
> overflow or the like."
> 
> If there are other suggestions .. 
> 
> -- 
> Philip van Hoof aka freax (http://www.freax.eu.org)
> irc: irc.openprojects.net mailto:freax @ linux.be



   Manuel Amador (Rudd-O)
   http://www.usm.edu.ec/~amadorm/
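
An added example, not code from xsu or from anyone in this thread: a run-time check on the configure-time su path discussed in the quoted message, done before the exec. The names `su_path_is_safe` and `exec_su` and the fixed `PATH` value are assumptions made for illustration; `SU_PATH` uses the value shown in the quoted patch.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define SU_PATH "/bin/su"   /* assumed value, as in the quoted patch */

/* Return 1 if `path` is acceptable to pass to execle(), 0 otherwise. */
int su_path_is_safe(const char *path)
{
    struct stat st;

    if (path == NULL || path[0] != '/')
        return 0;                       /* relative: resolved against cwd */
    if (stat(path, &st) != 0)
        return 0;                       /* missing or not accessible */
    if (!S_ISREG(st.st_mode))
        return 0;                       /* directory, device, ... */
    if (st.st_uid != 0)
        return 0;                       /* replaceable by a non-root owner */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                       /* writable by group or others */
    return 1;
}

/* Hypothetical helper: exec su with a fixed, minimal environment.
 * Returns -1 if the path check fails or the exec itself fails. */
int exec_su(const char *username, const char *command)
{
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL };

    if (!su_path_is_safe(SU_PATH))
        return -1;
    /* argv[0] is "su"; "-" then reaches su as its first real argument. */
    execle(SU_PATH, "su", "-", username, "-c", command, (char *)NULL, envp);
    return -1;                          /* only reached if execle failed */
}

int main(void)
{
    printf("%s safe: %d\n", SU_PATH, su_path_is_safe(SU_PATH));
    return 0;
}
```

The check follows symlinks and does not inspect the parent directories of the path, so it narrows the build-time PATH concern without removing it.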


