On 18 Jul 2001 14:04:57 -0400, Brian S. Julin wrote:
>
> On 18 Jul 2001, Thayne Harbaugh wrote:
> > This is because there isn't a mechanism for handling the config files
> > that are usually found in /etc/ggi - like libgii.conf and libggi.conf.
>
> Hmm... I thought there would be other issues and this one was only
> the tip of the iceberg, but if it seems to work once you get past
> this, then adding that feature would be very nice.
>
> > not the build directories. It would be nice if libgg could use a
> > LIBGG_PATH environment variable to search for config files.
>
> I think the reason it does not now is security, in the event that
> an suid executable is linked to it. If we added code to detect whether
> we are running in a suid environment and disallow use of the LIBGG_PATH
> variable in that case, then that might be a workable solution, but the code
> to do so would have to be air-tight from the start. Don't want to be the
> cause of any disasters, and if something like that can go undiscovered
> for over a year in suidperl, well... let's wait til 2.1 on this one, eh?
> :-)
How does ggi work as a suid/sgid or with suid/sgid programs? I don't
understand what this is and so I fail to understand what the security
concerns are.
> P.S. Actually we'll be implementing some new features in the config file
> system probably for the 2.1 release, so doing that then would probably
> be good.
That would make testing 2.1 much easier if it didn't have to be
installed.
>
> --
> Brian
--
Thayne Harbaugh
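
Added example (not libgg code and not written by either poster): the check Brian describes, where LIBGG_PATH is honoured only when the process is not running setuid/setgid. Otherwise whoever launches a privileged binary could point the library at config files of their own choosing. The function names, the length bound, and the treatment of LIBGG_PATH as a single directory are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define DEFAULT_CONF_DIR "/etc/ggi"   /* system location named in the thread */
#define MAX_CONF_DIR_LEN 1024         /* constructed bound for this example */

/* True when real and effective ids differ, i.e. the kernel raised our
 * privilege at exec time because the binary is setuid or setgid. */
int ids_are_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Pick the config directory. The caller-controlled value is honoured only
 * for an unprivileged process, and only if it is a bounded absolute path. */
const char *choose_conf_dir(int elevated, const char *env_value)
{
    if (elevated)
        return DEFAULT_CONF_DIR;      /* ignore the environment entirely */
    if (env_value == NULL || env_value[0] != '/')
        return DEFAULT_CONF_DIR;      /* unset, empty or relative */
    if (strlen(env_value) >= MAX_CONF_DIR_LEN)
        return DEFAULT_CONF_DIR;
    return env_value;
}

/* Hypothetical entry point a library would call once, before reading
 * libgii.conf / libggi.conf. */
const char *gg_conf_dir(void)
{
    int elevated = ids_are_elevated(getuid(), geteuid(), getgid(), getegid());
    return choose_conf_dir(elevated, getenv("LIBGG_PATH"));
}

int main(void)
{
    printf("config directory: %s\n", gg_conf_dir());
    return 0;
}
```

Comparing ids misses a program that has already equalised its ids while still holding privileged resources, and binaries granted file capabilities; glibc's secure_getenv() and the BSD issetugid() call cover those cases.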