Ethereal-dev: [ethereal-dev] GTK+ programs unsafe to make set-UID?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Sun, 27 Feb 2000 12:26:01 -0800

The subthread on the GNOME site at:

http://news.gnome.org:80/gnome-news/951499666/951526170/951541686/index_html

quotes Havoc Pennington (one of the GTK+ developers) as saying:

	The problem is that you CANNOT link an suid binary to GTK.  NO
	WAY.  It's a gaping, huge, enormous, unbelievable barn door of a
	security hole.

and

	IT IS TOTALLY UNSAFE TO MAKE ANY GTK PROGRAM SUID. Period.

If true (and I suspect he's correct), then, given that Ethereal is a
GTK+ program, making it set-UID to root, no matter how convenient it
might be, might be a Very Bad Idea unless you can control who gets to
run it on your machine.