this is truly incredible: https://github.com/X11Libre/xserver/pull/1627/files
they are using system(3) inside a security-critical domain (the display server).
but yes, sure, my refusal of xlibre on security grounds is the problem
there are quite a few reactionaries in my comments, some of whom have been defederated in their entirety.
for the others:
1. although the system("which ...") use is silly, that isn't the problem here.
2. what do you think will happen when the code in this PR encounters a process named `" && :() { : | : & }; :&`? will it safely handle such a process name? before saying "that's impossible" please read setprocname(3), setproctitle(3), or in the case of Linux, understand that argv[0] is mutable.
3. yes, it is an open PR. it is also reflective of the code quality of many other PRs which have been merged to Xlibre already. how do you think that impacts its security record?
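To make point 2 concrete, here is an added C example (written for this discussion; it is not code from the linked PR or from the Xlibre project). It contrasts the system(3) shape, where a process name is spliced into a shell command line and therefore parsed as shell syntax, with a fork/execvp shape that hands the same name to the child as one argv element the shell never sees. The helper program names (`true`) and the constructed process names are assumptions for the demo; an unbalanced quote is used as the hostile input because it is harmless and still shows the two code paths diverging.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Characters a POSIX shell treats specially when a string is interpolated
   into a command line. Any of these in a process name means a
   system("which <name>")-style call parses the name as syntax, not data.
   (Denylist shown for illustration; an allowlist is the better primary check.) */
static const char SHELL_META[] = "|&;<>()$`\\\"' \t\n*?[#~=%{}!";

/* Returns true only if `name` is non-empty and contains no shell
   metacharacters or control bytes. A secondary guard, not a substitute
   for avoiding the shell entirely. */
bool is_shell_safe(const char *name) {
    if (name == NULL || *name == '\0') return false;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p < 0x20 || *p == 0x7f) return false;
        if (strchr(SHELL_META, (int)*p) != NULL) return false;
    }
    return true;
}

/* Convert a wait status into a plain exit code, or -1 if the child
   did not exit normally (or the call failed). */
static int exit_code(int status) {
    if (status == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* VULNERABLE shape (the pattern criticized above): `name` is pasted into
   a command string and handed to /bin/sh via system(3). The shell
   re-parses the whole line, so quotes and separators in `name` change
   what gets executed. */
int run_shell(const char *prog, const char *name) {
    char cmd[512];
    int n = snprintf(cmd, sizeof cmd, "%s %s", prog, name);
    if (n < 0 || (size_t)n >= sizeof cmd) return -1;
    return exit_code(system(cmd));
}

/* HARDENED shape: fork and execvp with `name` as a single argv element.
   No shell is involved, so the bytes of `name` are delivered to `prog`
   verbatim and never interpreted as syntax. */
int run_argv(const char *prog, const char *name) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { (char *)prog, (char *)name, NULL };
        execvp(prog, argv);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return exit_code(status);
}

int main(void) {
    /* Constructed sample process names for the demo. */
    const char *benign  = "Xorg";
    const char *hostile = "a\" b";   /* unbalanced quote: harmless, but shell syntax */

    printf("is_shell_safe(\"%s\") = %d\n", benign,  is_shell_safe(benign));
    printf("is_shell_safe(%s)  = %d\n", "a\\\" b", is_shell_safe(hostile));

    /* `true` ignores its arguments, so any non-zero result here comes from
       the shell choking on (or reinterpreting) the name, not from `true`. */
    printf("run_shell(true, hostile) = %d  (non-zero: sh parsed the name)\n",
           run_shell("true", hostile));
    printf("run_argv (true, hostile) = %d  (zero: name passed as data)\n",
           run_argv("true", hostile));
    return 0;
}
```

The takeaway is the same one the thread makes: once a process name or any other externally influenced string reaches system(3), the question is no longer "is this name plausible" but "what will /bin/sh do with it", and argv-based exec removes that question rather than trying to answer it.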