5911473 2001-01-03 10:40 -0500  /77 lines/ Owen Taylor <otaylor@REDHAT.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-01-03  18:17  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: otaylor@REDHAT.COM
Recipient: Bugtraq (import) <14589>
Subject: Claimed vulnerability in GTK_MODULES
------------------------------------------------------------
From: Owen Taylor <otaylor@REDHAT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <ybezoh8ej9q.fsf@fresnel.labs.redhat.com>

What follows is the official GTK+ team position on this matter.  (It
can be found at http://www.gtk.org/setuid.html as well.)  The summary
is that we don't consider it a problem because writing set[ug]id
programs with a GUI toolkit is simply a bad idea and not supported for
GTK+.

We are aware of no commonly distributed GTK+ programs that run
set[ug]id and would consider any such to be security holes. (Note that
GNOME games drop setgid games privileges before initializing GTK+.)

Regards,
                                        Owen Taylor

====

                    Why GTK_MODULES is not a security hole

   GTK+ supports the environment variable GTK_MODULES which specifies
   arbitrary dynamic modules to be loaded and executed when GTK+ is
   initialized. It is somewhat similar to the LD_PRELOAD environment
   variable. However, this (and similar functionality such as
   specifying theme engines) is not disabled when running setuid or
   setgid. Is this a security hole? No. Writing setuid and setgid
   programs using GTK+ is a bad idea and will never be supported by the
   GTK+ team.

   You should not write setuid GTK+ programs because:

     * GTK+ is too big. GTK+-1.2 and its dependent libraries (ignoring
       Xlib) total over 200,000 lines of code. For GTK+-2.0 (ignoring
       Xlib and image loading libraries), this figure will be around
       500,000 lines of code.
     * GTK+ is too complex. GTK+ takes input from dozens of sources, from
       drag-and-drop, to root-window properties, to keyboard input, to
       configuration files. This is a much broader scope for compromises
       than a typical server and makes auditing GTK+ especially tricky.
     * Security of GTK+ requires the security of Xlib. The GTK+ team is
       not prepared to make that guarantee. Security bugs have been found
       in the recent past in such areas of Xlib as the input method code.
     * You should not make your GUI setuid at all. Why run the risk of
       security bugs in code that does not need to be running with
       elevated privileges?

   In the opinion of the GTK+ team, the only correct way to write a
   setuid program with a graphical user interface is to have a setuid
   backend that communicates with the non-setuid graphical user
   interface via a mechanism such as a pipe and that considers the
   input it receives to be untrusted.

   For this reason, no effort is made in GTK+ to disable the obvious
   ways that you could compromise a setuid GTK+ program - GTK_MODULES
   and the ability for the user to specify theme engines, because we
   consider this to be only papering over the fundamental problems of
   writing setuid programs with any GUI toolkit. GTK+ may be modified
   in the future to simply refuse to run with elevated privileges,
   though it does not do this currently.

   Does this mean that there are no security considerations for GTK+?
   No.  In particular image loaders have been and will continue to be
   an area of special care, since users may load images from
   untrusted sources.  And in addition to the possibility of this
   variety of exploit, most potential security holes are essentially
   bugs and even as mere bugs, must be squashed. To help accomplish
   this goal, GTK+ extensively uses high-level data structure
   abstractions which minimize the risk of most traditional buffer
   overflows.

   However, the secure setuid program is a 500 line program that does
   only what it needs to, rather than a 500,000 line library whose
   essential task is user interfaces.

   By Owen Taylor <otaylor@redhat.com>
   2 January 2000
(5911473) --------------------------------(Reflowed)
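The privilege-separated design Owen Taylor describes above (a small setuid backend behind a pipe that treats everything the unprivileged GUI sends as untrusted), as an added C example that is not part of his message or of GTK+. The "SET key value" line protocol, the allow-listed settings and the function names are invented for the illustration, and both processes run as the invoking user; only the backend would be installed set-id in a real deployment.

```c
/* Added example, not part of the original message or of GTK+: the design the
 * GTK+ team describes above, a small privileged backend that talks to an
 * unprivileged GUI over a pipe and treats everything it reads as untrusted.
 * The SET protocol and all function names here are invented for the demo. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_LINE  256
#define MAX_VALUE 64

/* Fixed allow-list: the client never names a path, file or module. */
static const char *const allowed_keys[] = { "brightness", "volume", NULL };

struct request { char key[16]; char value[MAX_VALUE]; };

/* Parse one "SET <key> <value>\n" line from the pipe. Returns 0 and fills
 * *out for a well-formed request, -1 otherwise: non-printable bytes, overlong
 * fields, unknown keys, non-numeric values and trailing junk are rejected. */
int parse_request(const char *line, struct request *out)
{
    char key[MAX_LINE], value[MAX_LINE];
    size_t n = strlen(line), i;
    int consumed = 0, known = 0;

    if (n == 0 || n >= MAX_LINE) return -1;
    for (i = 0; i < n; i++) {
        if (line[i] == '\n' && i == n - 1) break;  /* only a final newline */
        if (!isprint((unsigned char)line[i])) return -1;
    }
    if (sscanf(line, "SET %255s %255s%n", key, value, &consumed) != 2) return -1;
    for (i = (size_t)consumed; i < n; i++)          /* nothing may follow */
        if (line[i] != ' ' && line[i] != '\n') return -1;
    for (i = 0; allowed_keys[i] != NULL; i++)
        if (strcmp(key, allowed_keys[i]) == 0) known = 1;
    if (!known || strlen(value) >= MAX_VALUE) return -1;
    for (i = 0; value[i] != '\0'; i++)              /* numeric settings only */
        if (!isdigit((unsigned char)value[i])) return -1;
    snprintf(out->key, sizeof out->key, "%s", key);
    snprintf(out->value, sizeof out->value, "%s", value);
    return 0;
}

/* Act on one line and build the reply for the GUI. Returns 0 if accepted,
 * -1 if rejected (reply is then "ERR"). A real backend would apply the
 * setting with its privileges where the OK reply is built. */
int handle_line(const char *line, char *reply, size_t replylen)
{
    struct request req;
    if (parse_request(line, &req) != 0) {
        snprintf(reply, replylen, "ERR");
        return -1;
    }
    snprintf(reply, replylen, "OK %s=%s", req.key, req.value);
    return 0;
}

/* Demo: parent plays the unprivileged GUI, child plays the backend. Only the
 * child would be installed setuid in the real design; here both run as the
 * invoking user and the requests are constructed sample traffic. */
int main(void)
{
    int to_be[2], from_be[2];
    pid_t pid;
    if (pipe(to_be) < 0 || pipe(from_be) < 0 || (pid = fork()) < 0) return 1;
    if (pid == 0) {                                  /* backend process */
        char line[MAX_LINE], reply[MAX_LINE];
        FILE *in = fdopen(to_be[0], "r"), *out = fdopen(from_be[1], "w");
        close(to_be[1]); close(from_be[0]);
        while (in && out && fgets(line, sizeof line, in)) {
            handle_line(line, reply, sizeof reply);
            fprintf(out, "%s\n", reply);
            fflush(out);
        }
        _exit(0);
    }
    close(to_be[0]); close(from_be[1]);              /* GUI process */
    FILE *out = fdopen(to_be[1], "w"), *in = fdopen(from_be[0], "r");
    const char *requests[] = { "SET volume 42\n", "SET brightness 7\n",
                               "SET theme /tmp/x\n",        /* unknown key */
                               "SET volume forty-two\n" };  /* not numeric */
    char reply[MAX_LINE];
    size_t i;
    for (i = 0; in && out && i < sizeof requests / sizeof requests[0]; i++) {
        fputs(requests[i], out);
        fflush(out);
        if (fgets(reply, sizeof reply, in))
            printf("%.*s -> %s", (int)strcspn(requests[i], "\n"), requests[i], reply);
    }
    if (out) fclose(out);                            /* EOF ends the backend */
    waitpid(pid, NULL, 0);
    return 0;
}
```

The backend's whole attack surface is `parse_request`: a few dozen lines that can be audited, which is the contrast the position paper draws with a half-million-line toolkit. Note that the allow-list, not the client, decides what may be changed, and that the value is validated as a number rather than passed through.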
5912255 2001-01-03 09:32 -0800  /13 lines/ Kris Kennaway <kris@FREEBSD.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-01-03  23:23  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: kris@FREEBSD.ORG
Recipient: Bugtraq (import) <14596>
Comment on text 5911473 by Owen Taylor <otaylor@REDHAT.COM>
Subject: Re: Claimed vulnerability in GTK_MODULES
------------------------------------------------------------
On Wed, Jan 03, 2001 at 10:40:33AM -0500, Owen Taylor wrote:
> What follows is the official GTK+ team position on this matter.  (It
> can be found at http://www.gtk.org/setuid.html as well.)  The summary
> is that we don't consider it a problem because writing set[ug]id
> programs with a GUI toolkit is simply a bad idea and not supported for
> GTK+.

Why not force the issue and abort in GTK startup if issetugid() (for
those platforms which have it)?

Kris
(5912255) ------------------------------------------
Attachment (application/pgp-signature) in text 5912256
5912256 2001-01-03 09:32 -0800  /10 lines/ Kris Kennaway <kris@FREEBSD.ORG>
Imported: 2001-01-03  23:23  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: kris@FREEBSD.ORG
Recipient: Bugtraq (import) <14597>
Attachment (text/plain) to text 5912255
Subject: Attachment to: Re: Claimed vulnerability in GTK_MODULES
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6U2ItWry0BWjoQKURAlhaAKDohtdIqLo12bEaucT0DoqHXnc7ggCfZgyP
PzmEozp9FH6p4+T8k7b85Bw=
=H5b2
-----END PGP SIGNATURE-----
(5912256) ------------------------------------------
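The guard Kris Kennaway proposes above (abort at startup when issetugid() reports a set-id process), the "refuse to run with elevated privileges" option Owen Taylor's position paper mentions, and the drop-setgid-before-initialising-GTK+ pattern he credits the GNOME games with, as one added C example that is not code from either poster or from GTK+. running_privileged, modules_to_load, refuse_if_privileged and drop_group_privileges are invented names; GTK_MODULES is read only as the example variable and its value is never loaded.

```c
/* Added example, not part of the original thread or of GTK+: the start-up
 * guard Kris Kennaway proposes (abort when issetugid() says so), the
 * "refuse to run with elevated privileges" option Owen Taylor mentions, and
 * the privilege drop he credits the GNOME games with. All function names are
 * invented; GTK_MODULES is only used as the example variable name. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when the process holds privileges its invoking user does not.
 * issetugid() (BSDs, macOS) stays set even after privileges are dropped; the
 * fallback compares real and effective ids, which is all POSIX offers. */
int running_privileged(void)
{
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__)
    return issetugid();
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* Decide whether a caller-controlled module list may be honoured. Returns the
 * list to load, or NULL when it must be ignored. The privileged flag is passed
 * in rather than read here so both branches can be exercised in a test. */
const char *modules_to_load(const char *env_value, int privileged)
{
    if (privileged) return NULL;   /* never load caller-chosen code with privileges */
    if (env_value == NULL || env_value[0] == '\0') return NULL;
    return env_value;
}

/* Kris's suggestion: make initialisation refuse outright. Never returns when
 * the process is privileged. */
void refuse_if_privileged(const char *progname)
{
    if (running_privileged()) {
        fprintf(stderr, "%s: refusing to initialise the GUI while setuid/setgid; "
                        "put privileged work in a separate backend\n", progname);
        exit(EXIT_FAILURE);
    }
}

/* What the GNOME games do: give a setgid privilege back before the toolkit
 * runs. setregid() with an explicit real gid also resets the saved gid on
 * Linux; the effective gid is verified afterwards rather than assumed.
 * Returns 0 when the drop took, -1 otherwise. */
int drop_group_privileges(void)
{
    gid_t real = getgid();
    if (setregid(real, real) != 0) return -1;
    return getegid() == real ? 0 : -1;
}

int main(void)
{
    if (drop_group_privileges() != 0) {
        fputs("could not drop group privileges\n", stderr);
        return 1;
    }
    refuse_if_privileged("demo");
    const char *mods = modules_to_load(getenv("GTK_MODULES"), running_privileged());
    printf("privileged: %d, modules honoured: %s\n",
           running_privileged(), mods ? mods : "(none)");
    return 0;
}
```

Run as a normal binary this prints `privileged: 0` and echoes whatever GTK_MODULES holds; installed set-id it would exit before any module name is looked at. The order in `main` matters: a program that legitimately needs a set-id bit drops it first, and only then initialises the GUI.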