On 18 Jul 2007, at 17:42, Marco van de Voort wrote:

On Wed, 18 Jul 2007, Marco van de Voort wrote:

On 18 Jul 2007, at 14:08, Jonas Maebe wrote:

Install the IDE setuid.

That would be an extremely bad idea with the current stability
record of the IDE.

Not to mention that it allows you to open and overwrite any arbitrary
file.

Yes. Just like we all have for decades.

No, we haven't.

And no, it is not ideal, but
apparently that is what the kernel devels want as the only way to access the
full terminal capability.

You cannot distribute a tool which creates a security hole as large as from here till Tokyo. That would not look good the day it is discovered, and arguments like "the kernel forcing us to do so" will not help us then.

What is the security hole exactly?

If you install the IDE as setuid root, then every user starting the IDE will run the IDE as if he were root. That means he can open and modify every single file on the system. And overwrite any binary with a self-written program by just configuring the proper exe output directory in the IDE.

And by using the shell functionality of the IDE, he can also open a root shell if that's more comfortable for him than using the IDE itself.


Jonas
_______________________________________________
fpc-devel maillist  -  fpc-devel@lists.freepascal.org
http://lists.freepascal.org/mailman/listinfo/fpc-devel