On Sun, 17 Feb 2013 13:10:48 +0100 Andreas Volz <li...@brachttal.net> said:
> Hello,
>
> while developing I reviewed again the evas module loader.
>
> quote file/evas_module.c:
>
>    /* 1. ~/.evas/modules/ */
>    path = eina_module_environment_path_get("HOME", "/.evas/modules");
>    evas_module_paths = _evas_module_append(evas_module_paths, path);
>
>    /* 2. $(EVAS_MODULE_DIR)/evas/modules/ */
>    path = eina_module_environment_path_get("EVAS_MODULES_DIR",
>                                            "/evas/modules");
>    if (eina_list_search_unsorted(evas_module_paths,
>                                  (Eina_Compare_Cb) strcmp, path))
>      free(path);
>    else
>      evas_module_paths = _evas_module_append(evas_module_paths, path);
>
> One question:
>
> If one writes a GUI application with edje that offers to configure some
> system states and I allow this application to run as root (e.g. super
> user bit set) or some other way. Then one could get root only by writing
> a custom evas module that implements e.g. the software_x11 and place it
> into $(EVAS_MODULE_DIR)/modules, not?
>
> From my feeling this opens a system more than needed. At least the
> search order for evas modules needs to be switched to first search in
> system directory and later in $HOME.
>
> But maybe I'm completely wrong because running an application with a way
> to get root permission also includes this risk...

correct... it'd use a module belonging to a user (code) and run it as root.
don't make setuid root efl gui apps. there are many other things that can go
wrong too (you accidentally change elm config and overwrite user config with
root owned config files thus locking a user out from changing their own
config).

> regards
> Andreas
>
> --
> Technical Blog <http://andreasvolz.wordpress.com/>
>
> ------------------------------------------------------------------------------
> The Go Parallel Website, sponsored by Intel - in partnership with Geeknet,
> is your hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials, tech docs,
> whitepapers, evaluation guides, and opinion stories. Check out the most
> recent posts - join the conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> enlightenment-devel mailing list
> enlightenment-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
>

--
------------- Codito, ergo sum - "I code, therefore I am" --------------
The Rasterman (Carsten Haitzler)    ras...@rasterman.com