KDE4 Patch to allow testing/execution of uninstalled kparts/XMLGUI applications
Friedrich W. H. Kossebau
Friedrich.W.H at kossebau.de
Wed Aug 10 14:51:28 BST 2005
On Wednesday, 10 August 2005 15:22, Hans Meine wrote:
> On Wednesday 10 August 2005 13:50, Friedrich W. H. Kossebau wrote:
> > I know close to nothing about libtool and cannot make too much out of
> > your comment, excuse me. Is libtool only used by KDE apps or all? And
> > does this really mean that libtool enables one to circumvent the cwd
> > protection? So one could fool an admin by one's personal glibc version?
> > Or what is the scope of libtool?
>
> I guess that the above script was meant. Yes, you can use your own glibc
> by changing LD_LIBRARY_PATH (AFAICS), but how would you fool an admin? It
> still runs with your UID, and you can run/code basically anything for
> yourself.
No idea how libtool works at all, it seems to do well enough as I never had to
understand it ;) I am concerned that a plain user is able to have the admin
run code a user put in place by playing tricks. Like he would place a "ls"
executable somewhere. David's comment
> I can't see where the security issue comes from - yes someone can install a
> file which will then be used at runtime, but they can do just the same with
> shared libs already.
suggested to me that libtool (however it works) also uses some description in the
cwd (if available)? So a user could place some libtool description which then
points to the modified libc with evil code?
Where to find beginner's documentation for libtool? 8)
Friedrich
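
The scenario raised in this message, an admin running a file that an ordinary user put in place, arises when PATH or LD_LIBRARY_PATH holds an entry that resolves to the current directory (an empty entry, "." or any relative path) or a directory every user can write to. As an added example that is not part of the original post, this POSIX shell check lists such entries; the function names are made up here and it says nothing about how libtool itself works.

```shell
#!/bin/sh
# Added example: audit a colon-separated search path before running
# commands in a directory that other users can write to.

# cwd_entries VALUE
# Prints every entry that is looked up relative to the current directory:
# an empty entry (leading, trailing or doubled colon), "." or a relative path.
cwd_entries() {
    [ -n "$1" ] || return 0          # unset or empty: no entries
    rest="$1:"                       # keep a trailing empty entry when splitting
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            "") printf '%s\n' "<empty>" ;;
            /*) ;;                   # absolute path: independent of the cwd
            *)  printf '%s\n' "$entry" ;;
        esac
    done
}

# world_writable_entries VALUE
# Prints absolute entries that exist and are writable by every user.
world_writable_entries() {
    [ -n "$1" ] || return 0
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) if [ -d "$entry" ]; then
                    # -prune keeps find from descending below the entry itself
                    find "$entry" -prune -perm -0002 -print
                fi ;;
        esac
    done
}

# Report on the two variables discussed in the thread.
for var in PATH LD_LIBRARY_PATH; do
    eval "value=\${$var-}"
    cwd_entries "$value" | sed "s/^/$var: resolves via cwd: /"
    world_writable_entries "$value" | sed "s/^/$var: world-writable: /"
done
```

No output means neither variable contains a cwd-relative or world-writable entry in the current environment.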