From mkimball@xmission.com
Received: (qmail 1466 invoked from network); 11 May 1998 21:07:41 -0000
Received: from nowhere.xmission.com (166.70.39.2) by mail2.redhat.com with SMTP; 11 May 1998 21:07:41 -0000
Received: from mrk by nowhere.xmission.com with local (Exim 1.73 #1) id 0yZ1IK-000460-00; Mon, 11 May 1998 15:43:40 -0700
Message-ID: <19980511154340.36744@nowhere.xmission.com>
Date: Mon, 11 May 1998 15:43:40 -0700
From: Matt Kimball <mkimball@xmission.com>
To: gtk-list@redhat.com
Subject: How safe is GTK?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89.1

As some of you know, I have written a traceroute replacement which happens to have a GTK+ front-end. (See http://www.mkimball.org/mtr.html). Since it needs access to raw sockets to deal with ICMP packets, it needs to run as root, at least long enough to request an IPPROTO_RAW socket.

By default, 'make install' for mtr installs the binary as suid-root so that ordinary users can run it. Now, as mtr gets closer to 1.0, I am starting to think seriously about the security issues. Currently I am linking to libgtk and GTK+ code is being executed with root permissions, even when a user starts the program.

Is this a Bad Idea(tm)? Or is it only a "Well, if you absolutely have to do it, it might be OK. But be nervous."?

Now in the case of mtr it really isn't necessary. I can get the raw sockets, and then drop to user permissions. (And I am about to change the code to do this). But, I still wonder, how safe is GTK? What if a program absolutely needed to have root permissions the entire time? Has anyone ever audited the GTK code for security?

--
Matt Kimball
mkimball@xmission.com
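Matt's message describes the pattern he is about to adopt: take the raw socket while still root, then drop to the invoking user's permissions before any GUI code runs. The following is an added illustration of that sequence in C, written for this page; it is not code from mtr or from the original post. It assumes a suid-root binary on a Unix system with setgroups() available (Linux/glibc here), and the order of the calls is the security-relevant part: supplementary groups can only be cleared while still root, the gid must be set before the uid, and the drop is verified by trying to regain root rather than assumed to have worked.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                 /* glibc: exposes setgroups() in <grp.h> */
#endif
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 1: take the only thing that needs root while we still have it.
 * The descriptor stays usable after privileges are gone.  Returns the
 * socket, or -1 with errno set (EPERM when not root). */
int open_icmp_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Step 2: drop root for good.  Supplementary groups first (needs root),
 * then gid, then uid: setgid() after setuid() would fail with EPERM.
 * setuid() as root sets real, effective and saved uid together, so there
 * is no way back.  Returns 0 on success, -1 (errno set) on failure. */
int drop_root(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Step 3: prove the drop worked.  Returns 1 only if no id is 0 and an
 * attempt to regain root fails (it would succeed if the saved uid were
 * still 0, e.g. after seteuid() instead of setuid()). */
int root_is_gone(void)
{
    if (setuid(0) == 0)
        return 0;
    if (getuid() == 0 || geteuid() == 0 || getgid() == 0 || getegid() == 0)
        return 0;
    return 1;
}

int main(void)
{
    int sock = open_icmp_socket();
    if (sock < 0)
        fprintf(stderr, "raw socket: %s (needs root or suid-root)\n", strerror(errno));

    /* suid-root case: real ids belong to the invoking user, effective uid is 0 */
    if (drop_root(getuid(), getgid()) != 0) {
        fprintf(stderr, "drop_root: %s\n", strerror(errno));
        return 1;
    }
    if (!root_is_gone()) {
        fprintf(stderr, "still privileged, refusing to start the GUI\n");
        return 1;
    }
    /* only here would gtk_init()/gtk_main() run, now as the plain user */
    if (sock >= 0)
        close(sock);
    return 0;
}
```

The refusal in main() is deliberate: if the binary is started by root itself, getuid() is 0, nothing is dropped, and the program stops rather than running the GUI with root privileges by accident.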
From rhpennin@midway.uchicago.edu
Received: (qmail 13958 invoked from network); 12 May 1998 02:16:35 -0000
Received: from haven.uchicago.edu (root@128.135.12.3) by mail2.redhat.com with SMTP; 12 May 1998 02:16:35 -0000
Received: from midway.uchicago.edu (root@midway.uchicago.edu [128.135.12.12]) by haven.uchicago.edu (8.8.5/8.8.5) with ESMTP id VAA09924 for <gtk-list@redhat.com>; Mon, 11 May 1998 21:16:32 -0500 (CDT)
Received: from harper.uchicago.edu (4152@harper.uchicago.edu [128.135.12.7]) by midway.uchicago.edu (8.8.5/8.8.3) with ESMTP id VAA00837 for <gtk-list@redhat.com>; Mon, 11 May 1998 21:15:23 -0500 (CDT)
Received: from localhost (rhpennin@localhost) by harper.uchicago.edu (8.8.5/8.8.3) with SMTP id VAA00548 for <gtk-list@redhat.com>; Mon, 11 May 1998 21:15:22 -0500 (CDT)
X-Authentication-Warning: harper.uchicago.edu: rhpennin owned process doing -bs
Date: Mon, 11 May 1998 21:15:22 -0500 (CDT)
From: robert havoc pennington <rhpennin@midway.uchicago.edu>
Sender: rhpennin@midway.uchicago.edu
To: gtk-list@redhat.com
Subject: Re: [gtk-list] How safe is GTK?
In-Reply-To: <19980511154340.36744@nowhere.xmission.com>
Message-ID: <Pine.GSO.3.95.980511210643.7076C-100000@harper.uchicago.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 11 May 1998, Matt Kimball wrote:
>
> By the default 'make install' for mtr installs the binary as suid-root
> so that ordinary users can run it. Now, as mtr gets closer to 1.0, I
> am starting to think seriously about the security issues. Currently I
> am linking to libgtk and GTK+ code is being executed with root
> permissions, even when a user starts the program.
>
> Is this a Bad Idea(tm)? Or is it only a "Well, if you absolutely have
> to do it, it might be OK. But be nervous."?
>

There was a thread on gnome-list where Owen and Alan Cox both said this was indeed a Bad Idea. The solution is to use the program as root or use it via su. Or fix gsu in the Gnome CVS tree, if you want all-GUI operation.

The gnome-list thread concluded that the simple gsu fix is to hack traditional su so that it reads a password off stdin, then make a Gtk wrapper for the hacked su; the hard gsu fix is something involving PAM that the Red Hat Labs people can probably tell you about. The stdin fix is trivial but I haven't done it since it would ideally involve correspondence with the upstream su maintainer to get the changes merged, and people asked for PAM anyway; I have no idea what the PAM fix would involve so I haven't done that either. A volunteer is needed who understands all the issues.

Havoc Pennington ==== http://pobox.com/~hp
From scarpe@atos-group.com
Received: (qmail 22277 invoked from network); 12 May 1998 15:47:18 -0000
Received: from atn01.axime.com (160.92.1.141) by mail2.redhat.com with SMTP; 12 May 1998 15:47:18 -0000
To: gtk-list@redhat.com
Subject: Re: [gtk-list] How safe is GTK?
References: <19980511154340.36744@nowhere.xmission.com>
From: Sebastien Carpe <scarpe@atos-group.com>
Date: 12 May 1998 17:47:14 +0000
In-Reply-To: Matt Kimball's message of "Mon, 11 May 1998 15:43:40 -0700"
Message-Id: <oihg2vwfdp.fsf@pre10.segin.com>
Lines: 20
X-Mailer: Gnus v5.5/XEmacs 20.4 - "Emerald"

Well, I'm not the best gtk expert in da world, I would even dare say I'm about the worst, since I only subscribe to this list for interest purposes at the moment, but, in terms of security, what about splitting your code into a daemon that would be run as root, where you exactly control what is done, and have the Gtk front-end you've dreamed about run under the user ID, with a rather simple socket protocol for the client/server talk. (I'm sure you know what I mean, regarding the thing you're doing with mtr).

I think it would solve your problem with a work-around, and IMHO is a better way to control security than having users running many processes as root all around your system....

Just my .2 cents, hope it helps...

Seb
--
Seb C. (mailto:scarpe@atos-group.com) | Working for Atos at Lille, France
*********************************************************************
From mkimball@xmission.com
Received: (qmail 4791 invoked from network); 12 May 1998 15:54:43 -0000
Received: from nowhere.xmission.com (166.70.39.2) by mail2.redhat.com with SMTP; 12 May 1998 15:54:43 -0000
Received: from mrk by nowhere.xmission.com with local (Exim 1.73 #1) id 0yZIt9-00037N-00; Tue, 12 May 1998 10:30:51 -0700
Message-ID: <19980512103050.38347@nowhere.xmission.com>
Date: Tue, 12 May 1998 10:30:50 -0700
From: Matt Kimball <mkimball@xmission.com>
To: gtk-list@redhat.com
Subject: Re: [gtk-list] Re: How safe is GTK?
References: <19980511154340.36744@nowhere.xmission.com> <oihg2vwfdp.fsf@pre10.segin.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89.1
In-Reply-To: <oihg2vwfdp.fsf@pre10.segin.com>; from Sebastien Carpe on Tue, May 12, 1998 at 05:47:14PM +0000

On Tue, May 12, 1998 at 05:47:14PM +0000, Sebastien Carpe wrote:
> Well, i'm not the best gtk expert in da world, i would even dare say
> i'm about the worst, since i only subscribe this list for interest
> purpose only at the moment, but, in terms of security, what about
> splitting your code into a daemon that would be run as root, where you
> exactly control what is done and have the Gtk front-end you've dreamed
> about run under the user ID, with a rather simple socket protocol for
> the client/server talk.

Yes, this is indeed the safest way to do it. (And, therefore, the right way to do it). But, is there anything known to be particularly unsafe about GTK+, or is it just considered to be unsafe because of the large amount of code present?

--
Matt Kimball
mkimball@xmission.com
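Sebastien's suggestion, which Matt agrees is the safest design, is to split the tool into a small root-owned helper and an unprivileged GTK+ front-end talking over "a rather simple socket protocol". The point of the split is that the helper's entire attack surface becomes the handful of fields it accepts from the client, so it can check every one of them. The following C program is an added example written for this page, not code from mtr or from either poster. The wire format (a fixed-size request with a magic tag, IPv4 destination and TTL), the field names and the PROBE_MAGIC constant are this example's own assumptions. It stages the exchange in one process tree over an AF_UNIX SOCK_SEQPACKET socketpair (Linux), with the parent standing in for the root helper and the child for the GUI; where the real helper would send an ICMP probe, this example only records the verdict.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical wire format for the GUI -> helper channel: fixed size, no
 * strings, no embedded lengths, so the helper can check every field. */
#define PROBE_MAGIC 0x6d747231u          /* arbitrary tag, "mtr1" */

struct probe_request {
    uint32_t magic;                      /* must be PROBE_MAGIC */
    uint32_t dst;                        /* IPv4 target, network byte order */
    uint8_t  ttl;                        /* hop to probe, 1..255 */
    uint8_t  pad[3];                     /* keeps sizeof at 12 on every ABI */
};

struct probe_reply {
    uint8_t ok;                          /* 1 = probe sent, 0 = request refused */
    uint8_t ttl;                         /* echoed so the GUI can match replies */
    uint8_t pad[2];
};

/* Everything the helper accepts from the unprivileged side passes through
 * here.  Returns 1 if the request may be acted on, 0 otherwise. */
int validate_request(const struct probe_request *r, size_t len)
{
    if (len != sizeof *r)                     return 0;  /* short message */
    if (r->magic != PROBE_MAGIC)              return 0;  /* wrong protocol or garbage */
    if (r->ttl == 0)                          return 0;  /* TTL 0 never leaves the host */
    if (r->dst == 0 || r->dst == 0xffffffffu) return 0;  /* unspecified / broadcast */
    return 1;
}

/* Same check for callers that hold the fields rather than a struct. */
int request_is_valid(uint32_t magic, uint32_t dst, uint8_t ttl)
{
    struct probe_request r = { .magic = magic, .dst = dst, .ttl = ttl };
    return validate_request(&r, sizeof r);
}

/* Privileged side: answer n requests on fd, return how many were accepted.
 * Where ok becomes 1 the real helper would send the ICMP probe on its raw
 * socket; the GUI never gets a handle to that socket. */
int serve_requests(int fd, int n)
{
    int accepted = 0;
    for (int i = 0; i < n; i++) {
        struct probe_request req = {0};
        ssize_t got = recv(fd, &req, sizeof req, 0);
        if (got <= 0)
            break;
        struct probe_reply rep = { .ttl = req.ttl };
        rep.ok = (uint8_t)validate_request(&req, (size_t)got);
        accepted += rep.ok;
        if (send(fd, &rep, sizeof rep, 0) != sizeof rep)
            break;
    }
    return accepted;
}

/* Unprivileged side: one request, one reply.  Returns the helper's verdict
 * (1 or 0), or -1 on a channel error. */
int send_request(int fd, uint32_t dst, uint8_t ttl)
{
    struct probe_request req = { .magic = PROBE_MAGIC, .dst = dst, .ttl = ttl };
    struct probe_reply rep;
    if (send(fd, &req, sizeof req, 0) != sizeof req)
        return -1;
    if (recv(fd, &rep, sizeof rep, 0) != sizeof rep)
        return -1;
    return rep.ok;
}

/* Whole exchange: parent plays the root helper, child plays the GUI.
 * SOCK_SEQPACKET preserves message boundaries, so a truncated write cannot
 * be mistaken for a full request.  Returns the number of accepted requests;
 * for the two constructed requests below that is 1. */
int privsep_demo(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(sv[0]);
        /* a real GUI child would drop to the invoking user's ids here */
        send_request(sv[1], htonl(0x0a000001), 3);   /* 10.0.0.1, hop 3: accepted */
        send_request(sv[1], htonl(0x0a000001), 0);   /* hop 0: refused */
        _exit(0);
    }
    close(sv[1]);
    int accepted = serve_requests(sv[0], 2);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return accepted;
}

int main(void)
{
    printf("helper accepted %d of 2 requests\n", privsep_demo());
    return 0;
}
```

The helper side deliberately has no parsing beyond a fixed-size struct and four comparisons; compare that with the surface exposed by linking a whole widget toolkit into a root process, which is the concern the thread is circling around.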
From miguel@nuclecu.unam.mx
Received: (qmail 32678 invoked from network); 26 May 1998 19:08:24 -0000
Received: from metropolis.nuclecu.unam.mx (miguel@132.248.29.92) by mail2.redhat.com with SMTP; 26 May 1998 19:08:24 -0000
Received: (from miguel@localhost) by metropolis.nuclecu.unam.mx (8.8.7/8.8.7) id CAA02199; Tue, 26 May 1998 02:08:04 -0500
To: gtk-list@redhat.com
CC: mkimball@xmission.com
Subject: Re: [gtk-list] How safe is GTK?
References: <19980511154340.36744@nowhere.xmission.com>
From: Miguel de Icaza <miguel@nuclecu.unam.mx>
Date: 26 May 1998 02:08:04 -0500
In-Reply-To: Matt Kimball's message of Mon, 11 May 1998 15:43:40 -0700
Message-ID: <s8hg2dcxwr.fsf@metropolis.nuclecu.unam.mx>
Lines: 12
X-Mailer: Gnus v5.4.45/Emacs 20.2

> But, I still wonder, how safe is GTK? What if a program absolutely
> needed to have root permissions the entire time? Has anyone ever
> audited the GTK code for security?

Alan Cox has been auditing Gtk. Most of the potential problems that he reported were quickly fixed by Tim Janik. I do not know if the auditing is finished though.

Miguel
--
miguel@gnu.org