Re: New method to load user bundles
From: Alexander Malmberg
Subject: Re: New method to load user bundles
Date: Mon, 02 Jun 2003 21:45:12 +0200
As I see it, there are two real issues with this, and one non-issue:
Issue #1: User-defined bundles may compromise setuid/setgid
applications.
This is more of a limitation than a problem. setuid applications are NOT
secure. Thus, don't make applications setuid. If some part of an
application requires setuid, write a small, easily (or at least
feasibly) securable setuid program and run it from the app.
Could this be fixed? In theory, yes, but I don't think it would be
particularly useful. To make setuid apps secure, we would have to make
sure that there's no way (arguments, environment, defaults, DO, ...)
that the user can compromise an application. As a part of this, we'd
have to write secure code to ignore or filter all bundle loading (user
bundles, the backend, text converters, color pickers, ...?).
Given that the simplicity gained in apps by not splitting off the setuid
parts is rather small, that the effort to make applications secure
(securing both -base/-gui and the app itself) is _huge_, that the risk
and cost of security holes is large, and that the final results will be
worse than with the setuid parts split off since the app has to ignore
some of the user's preferences, I don't think trying to make setuid apps
possible is worthwhile.
Issue #2: Users may download and run/install malicious bundles.
This is a problem. However, the malicious bundle could just as well be a
malicious binary, or shell script, or gimp plugin. The problem is in no
way specific to user bundles; it will be solved (or not) just like all
the other problems with users running malicious code.
Non-issue: Applications lose their integrity. (non-setuid case)
Applications have never had, and will never have, any integrity in and
of themselves. Neither the developer nor the app has any control when
the app is running on someone else's system. Whoever controls the system
can examine or edit the binaries, or use custom versions of the kernel,
dynamic libraries, -base, or -gui to change the behavior of an app. Even
if you're just a lowly user, you can still use debuggers and LD_PRELOAD.
- Alexander Malmberg
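The "ignore or filter all bundle loading" that the mail says a setuid app would need, as an added C example that is not part of this thread or of GNUstep's own loader: a hypothetical policy that skips user-controlled bundles whenever real and effective ids differ, accepts only absolute, ".."-free paths under a caller-supplied list of trusted directories, and a scrub routine for the small split-off setuid helper the mail recommends. All function names, the creds_t struct and the directory strings are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
extern char **environ;
/* Real and effective ids passed explicitly so the policy is testable without
 * actually running setuid. Hypothetical helper, not GNUstep's own loader. */
typedef struct { uid_t uid, euid; gid_t gid, egid; } creds_t;
/* Elevated: effective ids differ from real ones, i.e. started setuid/setgid,
 * so the invoking user must not get to choose which code is loaded. */
int is_elevated(const creds_t *c) {
    return c->uid != c->euid || c->gid != c->egid;
}
/* True if any path component is "..": rejected outright rather than resolved. */
static int has_dotdot(const char *p) {
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.') return 1;
        if (*p) p++;
    }
    return 0;
}
/* Absolute path strictly inside one of the trusted, root-owned bundle dirs
 * (given without trailing slash)? String check only; a real loader would
 * canonicalise with realpath() first. */
int is_system_bundle_path(const char *path, const char *const *trusted, size_t n) {
    if (path[0] != '/' || has_dotdot(path)) return 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(trusted[i]);
        if (strncmp(path, trusted[i], len) == 0 && path[len] == '/') return 1;
    }
    return 0;
}
/* System bundles are always loadable; anything else is user-controlled and is
 * skipped while elevated, which is what "ignore or filter" amounts to. */
int bundle_load_allowed(const creds_t *c, const char *path,
                        const char *const *trusted, size_t n) {
    if (is_system_bundle_path(path, trusted, n)) return 1;
    return !is_elevated(c);
}
/* For the small split-off setuid helper: replace the inherited environment
 * (LD_PRELOAD, GNUSTEP_* search paths, ...) with a fixed, known one. */
void scrub_environment(void) {
    static char *clean[] = { "PATH=/usr/bin:/bin", NULL };
    environ = clean;
}
```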