[18428] in bugtraq
Re: gtk+ security hole.
daemon@ATHENA.MIT.EDU (Wichert Akkerman)
Thu Jan 4 15:08:12 2001
Mail-Followup-To: BUGTRAQ@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20010104004658.A27881@cistron.nl>
Date: Thu, 4 Jan 2001 00:46:58 +0100
Reply-To: Wichert Akkerman <wichert@CISTRON.NL>
From: Wichert Akkerman <wichert@CISTRON.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010103174623.A22185@cistron.nl>; from rvdm@cistron.nl on Wed,
Jan 03, 2001 at 05:46:23PM +0100
Previously Robert van der Meulen wrote:
> In the official reply of the gtk+ team, several, very valid, reasons are
> given to _never_ have a suid/setgid gtk program.
I would generalize that a bit more: never use a suid X program. X is
really large, has never been properly audited, and in the last year
we've seen a number of security problems found in it.
If you need suid, use a separate minimal suid helper (or use userv)
instead.
Wichert.
--
________________________________________________________________
/ Generally uninteresting signature - ignore at your convenience \
| wichert@cistron.nl http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
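
The "minimal suid helper" pattern recommended in the message above, sketched as an added example that is not part of the original post: the GUI program stays unprivileged and executes a small set-id binary for the single privileged step. The names `valid_name`, `drop_privileges` and the `helper NAME` usage are hypothetical, and the privileged operation itself is left as a marked placeholder.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

extern char **environ;

/* Accept only short names made of [a-z0-9_-]; this rejects empty strings,
 * paths, "..", shell metacharacters and over-long input. */
int valid_name(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32) return 0;
    return strspn(s, "abcdefghijklmnopqrstuvwxyz0123456789_-") == n;
}

/* Give up set-id privileges and confirm they cannot be regained.
 * Returns 0 on success, -1 if the drop failed or was reversible. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* Group first: once the uid is dropped we may no longer change gid. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0) return -1;
    /* If we really were set-id, switching back must now be refused. */
    if (euid != ruid && setuid(euid) == 0) return -1;
    if (egid != rgid && setgid(egid) == 0) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Replace the caller-controlled environment with a fixed one. */
    static char *clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    environ = clean_env;

    if (argc != 2 || !valid_name(argv[1])) {
        fputs("usage: helper NAME\n", stderr);
        return 2;
    }
    /* Placeholder: the one privileged operation on argv[1] goes here. */
    if (drop_privileges() != 0) return 1;
    /* Everything after this point runs with the caller's own ids. */
    printf("done: %s\n", argv[1]);
    return 0;
}
```

The helper links against libc only, so the code that runs with elevated ids is small enough to audit line by line, which is the property the message says a set-id X or gtk+ program cannot offer.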