I don't understand why such a bundle-loading mechanism is considered a security hole.

There are no "security holes" if the application is not setuid/setgid. In that case, a user can change his own user defaults to affect what bundles are loaded in applications. That is no different than changing the PATH or the LD_LIBRARY_PATH (or installing programs or libraries into the GNUstep user domain, or even just plainly editing ~/.bash_profile to start up programs) to cause custom code to be executed either when a specific program is invoked, or when all programs are invoked, or when the user logs in, or in other situations. ;-)

But, if the application is setuid/setgid, then there is reason to fear that being able to load custom bundles may be exploited to escalate user privileges. How the loading is done would need to be audited. setuid/setgid executables are normally locked down to prevent this kind of thing; even if there is no exploit right now, it may slip in later on!

A simple idea would be to have gnustep-gui load all bundles from a predefined directory in the System (and Local) domains (but not from the User domain). Then, you'd have to install a bundle to have it loaded in all your applications. This removes the ability of each user to load his own bundles (or indeed to control the bundles being loaded) but on the other hand, it makes it reasonably safe and simple. :-)

Thanks
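The search-path policy proposed above, as an added example that is not part of this message or of gnustep-gui: bundle paths (say, read from user defaults) are accepted only if they sit under a predefined directory in the System or Local domain, and the example goes one step further by admitting the User domain only when the process is not setuid/setgid. The domain roots, the `Library/Bundles` subdirectory and the candidate paths are constructed assumptions, not real GNUstep.conf values.

```python
import os
from posixpath import commonpath, isabs, join, normpath  # constructed paths are POSIX

# Hypothetical GNUstep domain roots and bundle subdirectory (assumptions; a real
# install reads these from GNUstep.conf rather than hard-coding them).
SYSTEM_ROOT = "/usr/GNUstep/System"
LOCAL_ROOT = "/usr/GNUstep/Local"
USER_ROOT = "/home/alice/GNUstep"
BUNDLE_SUBDIR = "Library/Bundles"

# Constructed candidate list, as it might come out of a user's defaults.
CANDIDATES = [
    "/usr/GNUstep/System/Library/Bundles/Theme.bundle",
    "/usr/GNUstep/Local/Library/Bundles/Spell.bundle",
    "/home/alice/GNUstep/Library/Bundles/Custom.bundle",
    "/usr/GNUstep/System/Library/Bundles/../../../../tmp/x.bundle",
    "Relative.bundle",
]

def is_setuid_process():
    """True when real and effective ids differ, i.e. we run setuid/setgid."""
    return os.getuid() != os.geteuid() or os.getgid() != os.getegid()

def trusted_bundle_dirs(setuid):
    """System and Local domains are always trusted; the User domain is only
    added for a non-setuid process, matching the argument in the message."""
    dirs = [join(SYSTEM_ROOT, BUNDLE_SUBDIR), join(LOCAL_ROOT, BUNDLE_SUBDIR)]
    if not setuid:
        dirs.append(join(USER_ROOT, BUNDLE_SUBDIR))
    return [normpath(d) for d in dirs]

def filter_bundle_paths(candidates, setuid):
    """Split candidate bundle paths into (accepted, rejected). Paths are
    normalised first so '..' segments cannot escape a trusted directory,
    and relative paths are refused because they depend on the cwd."""
    trusted = trusted_bundle_dirs(setuid)
    accepted, rejected = [], []
    for path in candidates:
        if not isabs(path):
            rejected.append(path)
            continue
        clean = normpath(path)
        if any(commonpath([clean, d]) == d for d in trusted):
            accepted.append(clean)
        else:
            rejected.append(path)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = filter_bundle_paths(CANDIDATES, setuid=is_setuid_process())
    print("load:", ok)
    print("skip:", bad)
```

This only checks path containment; an audited implementation would also verify that the trusted directories and the bundles in them are not writable by unprivileged users.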