security review and patches for libpurple
dtauerbach at eff.org
Wed Aug 17 17:15:07 EDT 2011
On 08/15/2011 11:24 PM, Mark Doliner wrote:
> On Thu, Aug 11, 2011 at 8:08 PM, Ethan Blanton<elb at pidgin.im> wrote:
>> Dan Auerbach spake unto us the following wisdom:
>>>> * bonjour-geteuid.diff
>>>> I think this is just wrong. It looks to me like we *want* euid, not
>>>> uid. I can't think of any reason to setuid Pidgin in the first
>>>> place, but if we do, it seems like the euid is probably who you want
>>>> to be running Pidgin. I don't know. It's not clear to me how this
>>>> should be changed either way.
>>> I believe this patch replaces uid with euid.
>> It does. This just goes to show you how nonsensical the difference is
>> between getuid and geteuid in this case. When I rejected the patch, I
>> was convinced that getuid was correct and geteuid was wrong, and all I
>> remembered was that the patch was wrong. This time I thought it did
>> the opposite, and still convinced myself the patch was wrong.
>> I think the bottom line is that setuid Pidgin is just broken, so it
>> isn't clear whether you'd want uid or euid. :-) I guess I have no
>> feelings about this patch's correctness either way, because I think
>> the difference is moot.
> I think uid is better. The function is just trying to get some form
> of friendly name to use for yourself on your local network. I can't
> imagine why someone would setuid their Pidgin binary, but if they do I
> think it makes more sense to use the name of the user calling the
> binary and NOT the name of the owner of the binary.
> Unless there is some reason to use the euid that no one has mentioned yet?
I agree this code to setuid is strange. I think the idea behind using
euid is that it enforces a slightly more accurate name, but since it is
just intended to be a friendly name, I don't feel too strongly about
this. Chris P might have additional thoughts.
More information about the security