On 2020-02-23 22:10, marc wrote:
> If I understand you correctly, you propose a simple gtk
> program that is setuid (so that it can read /etc/shadow, and
> grant root privileges). The problem is that there is no such
> thing as a simple gtk program. This is not a comment limited to
> gtk programs - most graphical toolkits and libraries present
> a pretty large attack surface - they contain large protocol
> interpreters and font rendering engines, flaws in which could
> then be exploited to give root access without any password
> whatsoever.

The author of XScreenSaver, Jamie Zawinski, has some FAQ [1] entries and a separate page [2] explaining why he never used GTK or other graphical toolkits for XScreenSaver development. Perhaps some of those ideas may be relevant to this gkexec project?

[1] https://www.jwz.org/xscreensaver/faq.html#toolkits
[2] https://www.jwz.org/xscreensaver/toolkits.html

—Tom

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng