On 13/05/15 22:06, Peter Nowee wrote:
> I was wondering what a substitute user application, like gksu, should
> do with regard to XDG environment variables when launching an
> application as another user?

If a "substitute user" application like gksu does not pass environment variables through a *whitelist* - "only keep safe variables", not "delete unsafe variables" - then the invoking user can almost certainly execute arbitrary code as the target user. (For instance, consider LD_LIBRARY_PATH, LD_PRELOAD, BASH_ENV, ...)

If the target user is granted access to the invoking user's X11 display (e.g. su to root preserving XAUTHORITY and DISPLAY), then they can likely also execute arbitrary code as the invoking user; they can certainly spy on keyboard input, take screenshots, and probably inject forged keyboard input too.

On any halfway modern system I would recommend pkexec over gksu as the root-privilege-escalation tool of choice. It uses an environment whitelist. That means no DISPLAY (unless you explicitly include it in the invoked command - "pkexec env DISPLAY=$DISPLAY xterm"), hence no X11 apps as root, but to be honest I think that's more feature than bug.

-- 
Simon McVittie
Collabora Ltd. <http://www.collabora.com/>
_______________________________________________
xdg mailing list
http://lists.freedesktop.org/mailman/listinfo/xdg
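As an added example (not gksu's or pkexec's code, and not from the thread), here is the whitelist-versus-blacklist filtering Simon describes, applied to a constructed environment: the safe-variable list and the sample environment are assumptions, and the last function builds the `env DISPLAY=$DISPLAY xterm` tail used to re-add a variable the whitelist dropped.

```python
"""Environment sanitising for a substitute-user launcher (illustration only)."""
from typing import Dict, Iterable, List, Mapping, Sequence

# Assumed safe list: names a launcher may keep when switching users. Anything
# that changes how the target user's programs load code (LD_*, BASH_ENV, ...)
# is simply absent. This is not pkexec's actual list.
SAFE_VARIABLES = frozenset({"PATH", "TERM", "LANG", "LC_ALL", "LC_CTYPE"})

# The "delete unsafe variables" approach the reply warns against: it only
# removes names somebody already thought of.
KNOWN_BAD_VARIABLES = frozenset({"LD_LIBRARY_PATH", "LD_PRELOAD", "BASH_ENV"})

# Constructed sample environment of the invoking user, including one variable
# (NEW_LOADER_HOOK, a made-up name) that no blacklist author anticipated.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin", "LANG": "C", "DISPLAY": ":0",
    "LD_PRELOAD": "/tmp/evil.so", "BASH_ENV": "/tmp/rc",
    "NEW_LOADER_HOOK": "/tmp/other.so",
}


def whitelist_env(env: Mapping[str, str],
                  allowed: Iterable[str] = SAFE_VARIABLES) -> Dict[str, str]:
    """Keep only allowed names; every unknown variable is dropped."""
    return {k: v for k, v in env.items() if k in allowed}


def blacklist_env(env: Mapping[str, str],
                  forbidden: Iterable[str] = KNOWN_BAD_VARIABLES) -> Dict[str, str]:
    """Drop only known-bad names; anything unexpected survives."""
    return {k: v for k, v in env.items() if k not in forbidden}


def env_command(argv: Sequence[str], pass_through: Mapping[str, str]) -> List[str]:
    """Build the explicit `env NAME=VALUE ... cmd` tail that re-adds variables
    the whitelist dropped, as in `pkexec env DISPLAY=$DISPLAY xterm`."""
    for name in pass_through:
        if not name.isidentifier():  # reject "FOO=bar", spaces, etc. in names
            raise ValueError(f"bad variable name: {name!r}")
    return ["env", *[f"{k}={v}" for k, v in pass_through.items()], *argv]


def leaked_by_blacklist(env: Mapping[str, str] = SAMPLE_ENV) -> List[str]:
    """Names the blacklist keeps but the whitelist would have dropped."""
    return sorted(set(blacklist_env(env)) - set(whitelist_env(env)))


if __name__ == "__main__":
    print("whitelist keeps:", sorted(whitelist_env(SAMPLE_ENV)))
    print("blacklist leaks:", leaked_by_blacklist())
    print("re-add DISPLAY:", env_command(["xterm"], {"DISPLAY": SAMPLE_ENV["DISPLAY"]}))
```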
