Re: Will the changes in the 1.4 series `contaminate' Glib?

From: Owen Taylor <otaylor redhat com>
To: gtk-devel-list gnome org
Subject: Re: Will the changes in the 1.4 series `contaminate' Glib?
Date: 22 Jan 2001 10:10:53 -0500

Tim Janik <timj gtk org> writes:

> On Thu, 11 Jan 2001, ERDI Gergo wrote:
> 
> > Hi,
> > 
> > with all the recent discussions about GTK+ being too complicated for a
> > security audit, and several GTK+ features propagating to Glib for the 1.4
> > release (e.g. the Object and the Signal systems), will it also mean that
> > Glib 1.4 will be marked `not appropriate' for set[ug]id applications?
> 
> good question. first, the signal and object stuff is currently in an extra
> library of glib and won't effect suid programs that use plain glib without
> those features. however, suid programs that would want to make use of these
> features, as well as glibs main loop, are probably not unthinkable.
> for that, note that glib HEAD has _not_ been security audited, so we're
> not making guarrantees there whatsoever, and certain glib features just
> couldn't be used from suid programs, such as gmodule or dynamic types,
> gspawn etc. it might be appropriate to insert actuall checks for suid
> environments into those portions.

I'll basically agree here that -lglib should be as safe before, once 
checked over. I'll just add two notes:

 - Actually, g_spawn_*() are meant to be a _good_ functions to use from
   security-concious programs. Because they don't invoke a shell,
   they should be less prone to typical security holes than popen()
   or system("").

   Of course, you have to be careful what you run; if what you do
   with them is g_spawn_command_line_sync ("/bin/sh"... ) then
   there is nothing much GLib can do.

 - There is no particular reason why gobject/gsignal should be 
   unsuitable for use in a suid program. EXCEPT that if your
   suid program is so complex that it needs objects and signals,
   it is almost certainly too complex.

But certainly, the features of GTK+ that make it inherently unsuitable
for SUID programs - accepting input from the user / talking to the X
server / GTK_MODULES / theme engines.... have not been moved into
GLib.

Regards,
                                        Owen

References:
- Re: Will the changes in the 1.4 series `contaminate' Glib?
  - From: Tim Janik

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]