GNOME Bugzilla – Bug 570530
Sockets are chown()ed to another user when running as root
Last modified: 2009-02-05 10:15:44 UTC
When starting an application as root using su (I know, that’s bad, but PolicyKit is still not the rule), it re-uses the $ORBIT_SOCKETDIR that is passed; that’s not much of a problem in itself, since it allows nice things like re-using an existing GConf daemon. However, the socket created by the application launched as root is chown()ed so that it belongs to the user $ORBIT_SOCKETDIR belongs to. This allows said user to communicate with the root application, which means controlling it partly or entirely if it uses libbonobo. This is very dangerous and this behavior should be removed; I can’t even see a valid use case for it.
Created attachment 127937 [details] [review] Do not chown() a socket belonging to root
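The ownership decision described in the report, written out as an added illustration (this is not ORBit2's code or the attached patch): the legacy rule hands every new socket to the owner of $ORBIT_SOCKETDIR, the patched rule refuses to give away a root-owned socket, and a directory check rejects a borrowed socket directory outright. Function names and the sample uids are assumptions made here.

```python
import os
import shutil
import stat
import tempfile


def legacy_chown_target(socket_uid, dir_uid):
    """Pre-fix behaviour as described in the bug: the socket is always
    chown()ed to whoever owns the socket directory, even when the
    creating process (and thus the socket) is root."""
    return dir_uid


def patched_chown_target(socket_uid, dir_uid):
    """Post-fix behaviour: a socket belonging to root is never handed
    to another user. Returns None when the socket keeps its owner."""
    if socket_uid == 0:
        return None
    return dir_uid


def socket_dir_is_trusted(path, euid):
    """Defence in depth: accept a socket directory only if it is a real
    directory, owned by the calling uid, and not writable by group/other.
    A root process inheriting a user's $ORBIT_SOCKETDIR fails this check."""
    try:
        st = os.lstat(path)          # lstat so a symlink is not followed
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != euid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def demo():
    """Exercise the three rules on constructed values and a scratch dir."""
    results = {
        "legacy_root_socket": legacy_chown_target(0, 1000),   # 1000: given away
        "patched_root_socket": patched_chown_target(0, 1000), # None: kept by root
        "patched_user_socket": patched_chown_target(1000, 1000),
    }
    scratch = tempfile.mkdtemp()  # mode 0700, owned by us: a trusted dir
    try:
        results["own_dir_trusted"] = socket_dir_is_trusted(scratch, os.geteuid())
        results["other_dir_trusted"] = socket_dir_is_trusted(scratch, os.geteuid() + 1)
    finally:
        shutil.rmtree(scratch)
    return results
```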
This is an accessibility feature. How is an Accessibility Technology going to communicate with the application if it can't communicate? The gconf thing, I guess, is an unwanted but not unwelcome side-effect, I suppose. Also, please note that as soon as the root owned X application connects to the X server, other non-root apps can start poking at the application in many of the same ways; oh, and of course gtk+ is not a 'secure' toolkit, so there are many levels of equivocation here. If you want a 'secure' root run application, at the level you're talking about, here are some other things you might want to consider: not least that in typing 'su' you could have fallen victim to some credential stealing wrapper program ;-) HTH.