Security Statement from GTK+ Team Print E-mail
Source: Owen Taylor - Posted by Ryan W. Maple
Security Projects: Below is a statement from Owen Taylor of the GTK+ development team regarding the recent GTK_MODULES security issue raised on BUGTRAQ. "In the opinion of the GTK+ team, the only correct way to write a setuid program with a graphical user interface is to have a setuid backend that communicates with the non-setuid graphical user interface via a mechanism such as a pipe and that considers the input it receives to be untrusted."

Why GTK_MODULES is not a security hole

GTK+ supports the environment variable GTK_MODULES which specifies arbitrary dynamic modules to be loaded and executed when GTK+ is initialized. It is somewhat similar to the LD_PRELOAD environment variable. However, this (and similar functionality such as specifying theme engines) is not disabled when running setuid or setgid. Is this a security hole? No. Writing setuid and setgid programs using GTK+ is a bad idea and will never be supported by the GTK+ team.

You should not write setuid GTK+ programs because:

  • GTK+ is too big. GTK+-1.2 and its dependent libraries (ignoring Xlib) total over 200,000 lines of code. For GTK+-2.0 (ignoring Xlib and image loading libraries), this figure will be around 500,000 lines of code.
  • GTK+ is too complex. GTK+ takes input from dozens of sources, from drag-and-drop, to root-window properties, to keyboard input, to configuration files. This is a much broader scope for compromises than a typical server and makes auditing GTK+ especially tricky.
  • Security of GTK+ requires the security of Xlib. The GTK+ team is not prepared to make that guarantee. Security bugs have been found in the recent past in such areas of Xlib as the input method code.
  • You should not make your GUI setuid at all. Why run the risk of security bugs in code that does not need to be running with elevated privileges?

In the opinion of the GTK+ team, the only correct way to write a setuid program with a graphical user interface is to have a setuid backend that communicates with the non-setuid graphical user interface via a mechanism such as a pipe and that considers the input it receives to be untrusted.

For this reason, no effort is made in GTK+ to disable the obvious ways that you could compromise a setuid GTK+ program - GTK_MODULES and the ability for the user to specify theme engines, because we consider this to be only papering over the fundamental problems of writing setuid programs with any GUI toolkit. GTK+ may be modified in the future to simply refuse to run with elevated privileges, though it does not do this currently.

Does this mean that there are no security considerations for GTK+? No. In particular image loaders have been and will continue to be an area of special care, since users may load images from untrusted sources. And in addition to the possibility of this variety of exploit, most potential security holes are essentially bugs and even as mere bugs, must be squashed. To help accomplish this goal, GTK+ extensively uses high-level data structure abstractions which minimize the risk of most traditional buffer overflows.

However, the secure setuid program is a 500 line program that does only what it needs to, rather than a 500,000 line library whose essential task is user interfaces.

By Owen Taylor
2 January 2000
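The split design the statement recommends, as an added example that is neither GTK+ code nor Owen Taylor's: a minimal privileged backend in C that reads one newline-terminated request per line from the pipe an unprivileged GUI writes to, and treats every byte as untrusted (bounded length, one exact verb, digits-only argument, overlong lines drained rather than re-read). The "SETDATE <seconds>" protocol, the function names and the limits are constructed assumptions; running_privileged() is the check a front end could use to refuse to start with elevated privileges, the behaviour the statement says GTK+ may adopt.

```c
/* Added, hypothetical backend; not GTK+ code. Protocol line: "SETDATE <seconds>\n". */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Non-zero when a setuid/setgid bit lifted the effective ids above the real
 * ones: the GUI half should refuse to start, the backend half expects it. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Parse one untrusted request line. Returns 1 and stores the argument on
 * success, 0 on any deviation (wrong verb, bad length, non-digit). */
int parse_request(const char *line, unsigned long long *seconds)
{
    size_t len = strlen(line);
    *seconds = 0;
    if (len < 9 || len > 20 || strncmp(line, "SETDATE ", 8) != 0)
        return 0;                              /* exact verb, 1..12 digit chars */
    for (const char *p = line + 8; *p; p++)    /* digits only: no sign, space, ';' */
        if (!isdigit((unsigned char)*p))
            return 0;
    *seconds = strtoull(line + 8, NULL, 10);
    return 1;
}

/* Backend loop: act only on well-formed newline-terminated lines, log the rest.
 * An overlong line is drained so its tail cannot be re-read as a fresh request. */
int serve_pipe(FILE *in)
{
    char line[66];                 /* fgets buffer: bounds the request size */
    unsigned long long when;
    int accepted = 0, c;
    while (fgets(line, sizeof line, in)) {
        size_t n = strcspn(line, "\n");
        int ok = line[n] == '\n';
        while (!ok && (c = getc(in)) != EOF && c != '\n')
            ;
        line[n] = '\0';
        if (!ok || !parse_request(line, &when)) {
            fprintf(stderr, "backend: rejected request\n");
            continue;
        }
        accepted++;    /* a real backend would call clock_settime(2) here */
    }
    return accepted;
}
```

In a real deployment the GUI would be a normal unprivileged GTK+ process writing to the backend's stdin, and the backend would do nothing beyond the one privileged operation it exists for.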
