On Tue, 2007-03-13 at 14:25 -0600, Eric Morgan wrote:

> I can tell you exactly how I'm getting there. Our licensing company
> requires that a .xml file be present in the same directory as the
> executing application at the time their API functions are called.
> After many hours of debugging, I determined that the executing
> application was actually Mono instead of our .exe. I have no control
> over that bit of API code, as we're P/Invoking into it. The Linux
> libraries do, however, work fine. I even contacted them and they told
> us "sorry, no other option than that .xml file in the same directory".
> Without that licensing, our software won't run, so I think it's major
> enough that we request write permission to those directories.
>
> Is this a HUGE security issue or something?

Yes. A major reason why Unix platforms don't have as many virus problems
as Windows is because the system directories -- /, /usr, /usr/lib, etc.
-- are NOT writable by non-root users. Combined with the general practice
that you normally run as non-root, and it becomes very difficult for a
virus to change the *system*. (Delete all of *your* files, sure, but it
can't e.g. change /bin/bash and then infect every other user on the
system unless there's a local root exploit as well.)

By loosening these permissions, you undermine this decades-old security
feature. It's very bad.

Better would be to require installing by the root user, and then
changing the permission _on that particular .xml file_ so that everyone
can write to it (e.g. 666 permissions), leaving the directory
permissions unchanged. This still isn't ideal -- it would allow multiple
users to change the file, potentially simultaneously (!), but at least
it won't open up the entire directory to attack.

> I will double check which libgdiplus.so it's trying to load, but I
> compile libgdiplus with mono, and both binaries are installed in the
> prefix. I'm mostly worried about stuff like libpng, libungif,
> libpangosharpglue, libncurses, and other dependency packages. I don't
> want Mono to be looking for these already installed by the distro, and
> when I distribute the software, it errors out saying it can't find
> them. Will mono search the MONO_PREFIX/lib/ folder at runtime if it
> can't find the libraries elsewhere? Will it check that first?

Are you setting LD_LIBRARY_PATH? If LD_LIBRARY_PATH isn't set, then the
dynamic library loader will only look in /lib and /usr/lib (and other
directories; see /etc/ld.so.conf and ldconfig(8)). Result: your version
of libgdiplus.so won't be loaded, the system-provided version will.

 - Jon

_______________________________________________
Mono-list maillist - [email protected]
http://lists.ximian.com/mailman/listinfo/mono-list
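The two suggestions in Jon's reply (open up only the one license file, keep the directories untouched, and point the loader at the bundled lib/ via LD_LIBRARY_PATH) as an added POSIX shell example that is not part of the original thread. The prefix layout (bin/ and lib/ subdirectories) and the file name license.xml are assumptions; the audit helper reports any directory under the prefix that has been made world-writable, which is the outcome the reply warns against.

```shell
#!/bin/sh
# Added example, not from the mailing list. Assumes the application is
# installed under a prefix with bin/ (where the .exe and the licensing
# .xml live) and lib/ (bundled libgdiplus.so and friends).
set -eu

# Make the license file writable by every user (0666, as suggested in the
# reply) while leaving the directory itself at 0755. 'license.xml' is an
# assumed name. Run this as the installing (root) user.
install_license_file() {
    prefix="$1"
    mkdir -p "$prefix/bin"
    chmod 0755 "$prefix/bin"
    [ -f "$prefix/bin/license.xml" ] || : > "$prefix/bin/license.xml"
    chmod 0666 "$prefix/bin/license.xml"
}

# Audit helper: print every directory under the prefix whose mode bits
# include "other write". Empty output means no directory was loosened.
world_writable_dirs() {
    find "$1" -type d -perm -o+w
}

# Succeeds (exit 0) only when no directory under the prefix is
# world-writable, i.e. the install still matches the advice above.
check_prefix() {
    [ -z "$(world_writable_dirs "$1")" ]
}

# Prepend the bundled lib/ so the dynamic loader finds the shipped
# libgdiplus.so before the distro copy in /lib or /usr/lib.
mono_env() {
    prefix="$1"
    LD_LIBRARY_PATH="$prefix/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
    export LD_LIBRARY_PATH
}
```

Running `check_prefix /opt/myapp` from a post-install hook catches the case where someone "fixed" a licensing failure by chmod 777-ing bin/ instead of the single file.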
