discuss-gnustep

Re: New method to load user bundles


From: Jeff Teunissen
Subject: Re: New method to load user bundles
Date: Tue, 03 Jun 2003 09:38:50 -0400

Tobias wrote:

> jeff wrote:
> > This isn't security-related attention.
> >
> > Everybody knows that if you load bundles, you are giving away the keys
> > to the castle -- that's why you don't load them in certain apps, and
> > would have to be a damn fool to do so.
> 
> but you don't have any keys anymore. just because we allow LD_PRELOAD and
> LD_LIBRARY_PATH. you can replace your whole everything with those
> environment variables. LD_* is even more powerful, because it is enabled
> on ALL (non suid) tools/apps you open. is this a major security hole?
> i think not.

LD_PRELOAD can't replace code inside a program, it can only replace one
shared library with another.

GSAppKitUserBundles is more powerful than LD_*, because it lets you modify
the app itself, not just the libraries it is linked with.

It's well-known that if you use shared libraries, you can't trust their
code. It is also well-known that if you use bundles, you can't even trust
YOUR code.

[snip]

-- 
| Jeff Teunissen  -=-  Pres., Dusk To Dawn Computing  -=-  deek @ d2dc.net
| GPG: 1024D/9840105A   7102 808A 7733 C2F3 097B  161B 9222 DAB8 9840 105A
| Core developer, The QuakeForge Project        http://www.quakeforge.net/
| Specializing in Debian GNU/Linux              http://www.d2dc.net/~deek/



