Ethereal-dev: Re: [ethereal-dev] GTK+ programs unsafe to make set-UID?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Nathan Neulinger <nneul@xxxxxxx>
Date: Sun, 27 Feb 2000 21:38:25 -0600
Ethereal has so many other suid issues besides this that it's going to
be a long time before it isn't insane to make it setuid for anyone you
don't trust.

-- Nathan

Guy Harris wrote:
> 
> The subthread on the GNOME site at:
> 
> http://news.gnome.org:80/gnome-news/951499666/951526170/951541686/index_html
> 
> quotes Havoc Pennington (one of the GTK+ developers) as saying:
> 
>         The problem is that you CANNOT link an suid binary to GTK.  NO
>         WAY.  It's a gaping, huge, enormous, unbelievable barn door of a
>         security hole.
> 
> and
> 
>         IT IS TOTALLY UNSAFE TO MAKE ANY GTK PROGRAM SUID. Period.
> 
> If true (and I suspect he's correct), then, given that Ethereal is a
> GTK+ program, making it set-UID to root, no matter how convenient it
> might be, might be a Very Bad Idea unless you can control who gets to
> run it on your machine.

-- 


------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@xxxxxxx
University of Missouri - Rolla         Phone: (573) 341-4841
CIS - Systems Programming                Fax: (573) 341-4216
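The thread's point is that a set-UID root binary must not be linked to a GUI toolkit it does not control. The standard defensive pattern, when a program cannot avoid being set-UID root, is to do the privileged work first and then drop root irrevocably before any toolkit initialisation. The following is an added example written for this archive page; it is not code from the thread, from GTK+ or from the Ethereal project, and the function names (`running_setuid`, `drop_privileges_permanently`) and the placeholder for the privileged step are this example's own assumptions. It covers the set-UID-root case discussed above; a binary set-UID to a non-root account would additionally need `setresuid()` where available, because an unprivileged `setuid()` leaves the saved uid in place.

```c
/* Added example (not from the Ethereal thread or project): the check and
 * the irrevocable privilege drop a set-UID root program must perform
 * before it touches a GUI toolkit such as GTK+.  Names are this
 * example's own. */
#define _GNU_SOURCE   /* makes glibc declare setgroups() in <grp.h> */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* Pure decision helper: is a process with these ids running with
 * privileges beyond those of the invoking user?  Free of side effects
 * so it can be exercised on constructed id pairs. */
int running_setuid(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return (ruid != euid || rgid != egid) ? 1 : 0;
}

/* Drop every elevated credential back to the real user and verify the
 * drop cannot be undone.  Returns 0 on success, -1 on any failure; the
 * caller must treat -1 as fatal and never fall through to gtk_init(). */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Supplementary groups can only be cleared while still effective root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group first: once the uid is dropped, setgid() would be refused. */
    if (setgid(rgid) != 0)
        return -1;
    /* As effective root, setuid() sets real, effective and saved uid. */
    if (setuid(ruid) != 0)
        return -1;

    /* Verify the new identity ... */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* ... and that root cannot be regained (skipped if we really are root). */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    if (running_setuid(getuid(), geteuid(), getgid(), getegid())) {
        /* Hypothetical privileged step (e.g. opening a capture device)
         * would go here, before the toolkit is initialised. */
        if (drop_privileges_permanently() != 0) {
            fprintf(stderr, "could not drop privileges; refusing to continue\n");
            return EXIT_FAILURE;
        }
    }
    /* Only at this point would a GUI program call gtk_init(); this
     * example stops here instead. */
    printf("running as uid %u (effective %u)\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return EXIT_SUCCESS;
}
```

Run as an ordinary user the program has nothing to drop and simply reports its ids; installed set-UID root it drops to the invoking user and then proves, by attempting and failing `setuid(0)`, that the drop was permanent before anything toolkit-related could run.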