KDE4 Patch to allow testing/execution of uninstalled kparts/XMLGUI applications

Friedrich W. H. Kossebau Friedrich.W.H at kossebau.de
Wed Aug 10 14:51:28 BST 2005


On Wednesday, 10 August 2005 15:22, Hans Meine wrote:
> On Wednesday 10 August 2005 13:50, Friedrich W. H. Kossebau wrote:
> > I know close to nothing about libtool and cannot make too much out of
> > your comment, excuse me. Is libtool only used by KDE apps or all? And
> > does this really mean that libtool enables to circumvent the cwd
> > protection? So one could fool an admin by one's personal glibc version?
> > Or what is the scope of libtool?
>
> I guess that the above script was meant.  Yes, you can use your own glibc
> by changing LD_LIBRARY_PATH (AFAICS), but how would you fool an admin? It
> still runs with your UID, and you can run/code basically anything for
> yourself.

No idea how libtool works at all, it seems to do well enough as I never had to 
understand it ;) I am concerned that a plain user is able to have the admin 
run code a user put in place by playing tricks. Like he would place an "ls" 
executable somewhere. David's comment
> I can't see where the security issue comes from - yes someone can install a
> file which will then be used at runtime, but they can do just the same with
> shared libs already.
suggested to me that libtool (however it works) also uses some description in the 
cwd (if available)? So a user could place some libtool description which then 
points to the modified libc with evil code?

Where to find beginner's documentation for libtool? 8)

Friedrich
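
As an added example that is not part of the original message: the scenario discussed above only matters when a privileged user's own search path resolves to a directory that another user controls, so this sketch audits a PATH or LD_LIBRARY_PATH value for empty or relative entries (which resolve to the current directory) and for world-writable directories. The helper name `audit_search_path` and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a colon-separated search path (PATH, LD_LIBRARY_PATH)
# for entries that let another local user supply the file that gets loaded.
# audit_search_path is a hypothetical helper name, not a libtool or KDE tool.

audit_search_path() {
    name=$1          # label used in the report, e.g. PATH
    value=$2         # the colon-separated list to inspect
    [ -n "$value" ] || return 0      # empty or unset: nothing to report

    rest="$value:"   # sentinel colon so a trailing empty entry is seen
    while [ -n "$rest" ]; do
        entry=${rest%%:*}            # text before the first colon
        rest=${rest#*:}              # everything after that colon
        case $entry in
            '')
                echo "$name: empty entry (resolves to the current directory)" ;;
            /*)
                # Absolute directory: flag it if any local user may write to it.
                if [ -n "$(find -L "$entry" -maxdepth 0 -type d -perm -0002 2>/dev/null)" ]; then
                    echo "$name: world-writable directory '$entry'"
                fi ;;
            *)
                echo "$name: relative entry '$entry' (depends on the current directory)" ;;
        esac
    done
    return 0
}

# Constructed sample values, not taken from any real system.
audit_search_path PATH "/usr/local/sbin:/usr/sbin:."
audit_search_path LD_LIBRARY_PATH "/opt/example/lib:"
```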