[Pidgin] mmcco modified

Pidgin trac at pidgin.im
Wed Jul 22 01:00:01 EDT 2015


Page "mmcco" was changed by mmcco
Diff URL: <https://developer.pidgin.im/wiki/mmcco?action=diff&version=53>
Revision 53
Comment: Pidgin processes need continued access to /usr/share for GTK stuff, other related privsep fixes
Changes:
-------8<------8<------8<------8<------8<------8<------8<------8<--------
Index: mmcco
=========================================================================
--- mmcco (version: 52)
+++ mmcco (version: 53)
@@ -134,13 +134,16 @@
 
 Privilege separation is one of the easiest ways to improve Pidgin's security.
 
-Generally, there are only two types of file access for Pidgin/libpurple:
+After initial library loading, there are three types of file access for Pidgin:
 * access to libpurple-specific files in `~/.purple/`
 * access to files in arbitrary locations for file transfers
+* GTK-related files (icons, etc.) from `/usr/share`
 
-This makes the solution pretty clear: have a process for Pidgin's core that's chrooted to `~/.purple/` and a file transfer helper process with arbitrary file access.
+Of course, the third does not apply to libpurple.
 
-Later, additional daemons could be added for things like logging and chrooted to subdirectories of `~/.purple/`. This would further protect user credentials and OTR keys.
+This suggests a solution: we can have a process for Pidgin's core that's restricted to `~/.purple/` and `/usr/share`, and a file transfer helper process with arbitrary file access.
+
+Later, additional daemons could be added for things like logging and restricted to subdirectories of `~/.purple/`. This would further protect user credentials and OTR keys.
 
 === Breakages ===
 
-------8<------8<------8<------8<------8<------8<------8<------8<--------

--
Page URL: <https://developer.pidgin.im/wiki/mmcco>
Pidgin <https://pidgin.im>
Pidgin

This is an automated message. Someone added your email address to be
notified of changes on 'mmcco' page.
If it was not you, please report to datallah at pidgin.im.


More information about the Wikiedit mailing list