XDG environment variables with substitute user

Simon McVittie simon.mcvittie at collabora.co.uk
Thu May 14 03:57:46 PDT 2015


On 13/05/15 22:06, Peter Nowee wrote:
> I was wondering what a substitute user application, like gksu, should
> do with regard to XDG environment variables when launching an
> application as another user?

If a "substitute user" application like gksu does not pass environment
variables through a *whitelist* - "only keep safe variables", not
"delete unsafe variables" - then the invoking user can almost certainly
execute arbitrary code as the target user.

(For instance, consider LD_LIBRARY_PATH, LD_PRELOAD, BASH_ENV, ...)

If the target user is granted access to the invoking user's X11 display
(e.g. su to root preserving XAUTHORITY and DISPLAY), then they can
likely also execute arbitrary code as the invoking user; they can
certainly spy on keyboard input, take screenshots, and probably inject
forged keyboard input too.

On any halfway modern system I would recommend pkexec over gksu as the
root-privilege-escalation tool of choice. It uses an environment
whitelist. That means no DISPLAY (unless you explicitly include it in
the invoked command - "pkexec env DISPLAY=$DISPLAY xterm"), hence no X11
apps as root, but to be honest I think that's more feature than bug.

-- 
Simon McVittie
Collabora Ltd. <http://www.collabora.com/>
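The point about whitelists versus blacklists can be made concrete in code. The following is an added example, not code from the original post and not the source of gksu or pkexec; the list of kept variable names, the fixed PATH value and the function names are illustrative assumptions. It filters a constructed environment the way a substitute-user launcher should, keeps only named variables (plus the LC_* locale family), resets PATH and HOME to values the launcher controls, and shows alongside it that a blacklist of the obvious loader variables still lets BASH_ENV through.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not gksu or pkexec source): environment filtering for a
 * launcher that runs a command as another user. The variable lists and the
 * fixed PATH below are illustrative assumptions, not any real tool's policy. */

/* Exact names a whitelist keeps; the LC_ prefix is handled separately. */
static const char *const WHITELIST[] = { "TERM", "LANG", "LANGUAGE", "COLORTERM", NULL };

/* A blacklist, included only to show why it is insufficient. */
static const char *const BLACKLIST[] = { "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", NULL };

/* Length of the NAME part of a "NAME=value" entry (whole string if no '='). */
static size_t env_name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

static int name_matches(const char *entry, const char *name) {
    size_t n = env_name_len(entry);
    return strlen(name) == n && strncmp(entry, name, n) == 0;
}

/* Whitelist: an entry survives only if its name is explicitly allowed. */
int whitelist_keeps(const char *entry) {
    size_t n = env_name_len(entry);
    if (n > 3 && strncmp(entry, "LC_", 3) == 0) return 1;  /* LC_ALL, LC_CTYPE, ... */
    for (size_t i = 0; WHITELIST[i]; i++)
        if (name_matches(entry, WHITELIST[i])) return 1;
    return 0;
}

/* Blacklist: an entry survives unless its name is explicitly banned.
 * Anything the list author forgot (BASH_ENV, PERL5OPT, ...) passes through. */
int blacklist_keeps(const char *entry) {
    for (size_t i = 0; BLACKLIST[i]; i++)
        if (name_matches(entry, BLACKLIST[i])) return 0;
    return 1;
}

/* Build the envp for the target command: whitelisted entries from `in`,
 * then fixed PATH and HOME values chosen by the launcher rather than
 * inherited from the invoking user. `out` must have room for `cap`
 * pointers including the terminating NULL. Returns the number of entries
 * written, or (size_t)-1 if `out` is too small. */
size_t build_target_env(char *const *in, const char *target_home,
                        char **out, size_t cap) {
    static char home_buf[4096];  /* fixed storage is enough for the example */
    size_t n = 0;
    for (size_t i = 0; in[i]; i++) {
        if (!whitelist_keeps(in[i])) continue;
        if (n + 3 >= cap) return (size_t)-1;  /* keep room for PATH, HOME, NULL */
        out[n++] = in[i];
    }
    if (n + 3 > cap) return (size_t)-1;
    out[n++] = "PATH=/usr/sbin:/usr/bin:/sbin:/bin";  /* assumed secure path */
    snprintf(home_buf, sizeof home_buf, "HOME=%s", target_home);
    out[n++] = home_buf;
    out[n] = NULL;
    return n;
}

int main(void) {
    /* Constructed sample environment for the demo, not read from the process. */
    char *const sample[] = { "TERM=xterm", "LD_PRELOAD=/tmp/evil.so",
                             "BASH_ENV=/tmp/evil.sh", "LC_ALL=C",
                             "PATH=/tmp/evil:/usr/bin", NULL };
    char *out[16];
    size_t n = build_target_env(sample, "/root", out, 16);
    for (size_t i = 0; i < n; i++) puts(out[i]);
    /* A real launcher would now switch to the target uid and execve() the
     * command with `out` as its envp. */
    return 0;
}
```

Note that PATH is not inherited even though it looks harmless: a launcher that keeps the caller's PATH lets the caller decide which binary the target user runs. The blacklist helper is there to be compared against, not used; the test below checks that it passes BASH_ENV while the whitelist does not.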


