GNOME Bugzilla – Bug 328911
beagled script needs fixes
Last modified: 2006-03-22 22:34:55 UTC
Upstreaming from: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177675 a) it runs programs in the current directory rather than the installed app if it finds them b) its error reporting if the daemon exits (for something launched via the session!) is to echo to stdout
a) is by design, so that developers can run out of the source directory. b) is an unlikely occurrance, because the daemon is generally run "exec". But if for some reason the daemon is running in background mode and exits early, it prints an error. I've added an "exit 1" to that case. This is fixed now in CVS.
a) is a security flaw if a user writes those files to /tmp and gets another user to run f-spot while in /tmp. Maybe you should wrap it around an environment variable or something such as DOING_BEAGLE_DEVELOPMENT, but it cannot be unchecked. Reopening to fix a)
er, i obviously meant "gets another user to run beagle while in /tmp"
I dont quite understand. If another user runs beagled from /tmp, beagled will only access files legally accessible by the user. I have a faint sense of another meaning: do you mean in beagle-search (GUI), when the applications are executed, they are executed from current-directory - which can be a security flaw ?
No... Attacker creates an f-spot.exe which does something evil such as mail the victim's private SSH keys to the attacker and places it in /tmp, and chmods it 777. Attacker also touches Makefile and Defines.cs. If the victim happens to type /usr/bin/f-spot or simply f-spot from a console while in /tmp, then the evil f-spot.exe is activated.
(and gah, apologies. I keep looking at f-spot's script for some reason instead of beagle ... it has the same exact issue though).
Ok, at the top of beagled.in, there's a line like this: if [ -e ./@target@ ] && [ -e ./Makefile.am ] ; then If I changed this to be: if [ `pwd` = "@srcdir@"]; then where @srcdir@ is set to `pwd` at compile-time, would that be sufficiently safe?
That's still a bit broken. Installing something for developers only into a place where normal users can potentially break it is always a bad idea. Can we simply not even ship that part of the wrapper unless a compile flag is set (--enable-maintainer-mode)?
Created attachment 61791 [details] [review] Committed this patch
Created attachment 61802 [details] [review] Updated patch; the last one was a little broken.