somewhat OT: configure and mterm was Re: Vintage terminals

der Mouse mouse at Rodents.Montreal.QC.CA
Fri Mar 9 09:24:54 CST 2007


>>>> But these days, [vttest] uses ./configure, which is a security
>>>> nightmare waiting to happen.
>>> Uhh...WTF?  Do you do your builds as root or something?
>> No (well, not most of them); why?  Do you think running malicious
>> code is fine provided you're not running as root?
> What portion of it is malicious (asking honestly)?

None...probably.

The thing is, configure is an excellent place to hide a malicious
grappling hook: it is frequently run by naïve installers, not
uncommonly as root; by the nature of what it does, it is hard to
sandbox (for example, it *must* be able to compile and run new
programs); it is large and comparatively difficult to read over for
human verification.

This means that unless I take an hour or two and read through
configure, I'm basically betting the security of my system that the
distribution didn't get trojaned.  Even if I *do* take that hour or
two, reading configure is mind-numbing enough that it's easy to miss
something subtle.  (I've read through a couple of configure scripts.)
I've thought about how I'd go about trojaning a configure script, and
the answers scare me enough that I have to want something quite a lot
before I'm willing to "just run ./configure".

This is why I called it "a security nightmare waiting to happen".

As interested as I am in how mterm -termtype decansi stacks up against
vttest, I'm not nearly interested enough to be willing to either take
that risk or take that boring couple of hours (still leaving some
slight risk).

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse at rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B



More information about the cctalk mailing list