> I don't understand why such a bundle-loading mechanism is considered a
> security hole.
There are no "security holes" if the application is not setuid/setgid. In that case, a user can change his own user defaults to affect what bundles are loaded in applications. That is no different than changing the PATH or the LD_LIBRARY_PATH (or installing programs or libraries into the GNUstep user domain, or even just plainly editing ~/.bash_profile to start up programs) to cause custom code to be executed either when a specific program is invoked, or when all programs are invoked, or when the user logs in, or in other situations. ;-)

But, if the application is setuid/setgid, then there is reason to fear that being able to load custom bundles may be exploited to escalate user privileges. How the loading is done would need to be audited. setuid/setgid executables are normally locked down to prevent this kind of thing; even if there is no exploit right now, it may slip in later on!

A simple idea would be to have gnustep-gui load all bundles from a predefined directory in the System (and Local) domains (but not from the User domain). Then, you'd have to install a bundle to have it loaded in all your applications. This removes the ability of each user to load his own bundles (or indeed to control the bundles being loaded) but on the other hand, it makes it reasonably safe and simple. :-)

Thanks

_______________________________________________
Discuss-gnustep mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/discuss-gnustep
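The rule the post proposes (consult System and Local domains always, the User domain only when the process is not setuid/setgid) written out as a small loader policy. This is an added example, not gnustep-gui's own loader or any GNUstep API; the domain tags, the sample directory paths and the function names are assumptions made for illustration. The privilege test is the same condition the dynamic linker uses to ignore LD_LIBRARY_PATH and LD_PRELOAD for setuid programs.

```c
/* Added example: bundle-search policy for setuid/setgid awareness.
 * Not GNUstep code; domain tags, paths and names are assumptions. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Only the three domains the post talks about. */
enum domain { DOMAIN_SYSTEM, DOMAIN_LOCAL, DOMAIN_USER };

struct bundle_dir {
    enum domain domain;
    const char *path;   /* constructed sample paths, not a real layout */
};

/* A process that gained privilege through setuid/setgid bits has a real
 * uid/gid that differs from the effective one. On Linux getauxval(AT_SECURE)
 * is the more complete test (it also covers file capabilities); on the BSDs
 * and macOS issetugid() is. The uid/gid comparison is the portable subset. */
int process_is_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Policy: admin-installed domains are always consulted; the user-writable
 * domain is consulted only when the process runs with the invoking user's
 * own privileges. Returns 1 if bundles from this domain may be loaded. */
int domain_trusted(enum domain d, int privileged)
{
    switch (d) {
    case DOMAIN_SYSTEM:
    case DOMAIN_LOCAL:
        return 1;
    case DOMAIN_USER:
        return !privileged;
    }
    return 0;   /* unknown domain: refuse */
}

/* Keep only the candidate directories the policy allows. Writes the kept
 * paths to out (at most out_cap) and returns how many were kept. */
size_t select_bundle_dirs(const struct bundle_dir *cands, size_t n,
                          int privileged, const char **out, size_t out_cap)
{
    size_t kept = 0;
    for (size_t i = 0; i < n && kept < out_cap; i++) {
        if (domain_trusted(cands[i].domain, privileged))
            out[kept++] = cands[i].path;
    }
    return kept;
}

/* Constructed sample search list, in search order. */
static const struct bundle_dir sample_dirs[] = {
    { DOMAIN_SYSTEM, "/System/Library/Bundles" },
    { DOMAIN_LOCAL,  "/Local/Library/Bundles" },
    { DOMAIN_USER,   "~/GNUstep/Library/Bundles" },
};

/* Run the policy over the sample list for a given privilege state. */
size_t demo_select(int privileged, const char **out, size_t out_cap)
{
    return select_bundle_dirs(sample_dirs,
                              sizeof sample_dirs / sizeof sample_dirs[0],
                              privileged, out, out_cap);
}

int main(void)
{
    const char *dirs[8];
    int priv = process_is_privileged();
    size_t n = demo_select(priv, dirs, 8);

    printf("process is %s\n", priv ? "setuid/setgid" : "unprivileged");
    for (size_t i = 0; i < n; i++)
        printf("would load bundles from %s\n", dirs[i]);
    return 0;
}
```

Run it normally and all three directories are listed; run it from a binary with the setuid bit set (or any situation where the real and effective ids differ) and the User domain drops out of the list. The same test belongs in front of any user-defaults key that names bundles to load: when the process is privileged, that value is as untrustworthy as LD_LIBRARY_PATH and should be ignored rather than merely filtered.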
