[Mono-list] [mono-list] Merging compiled SVN with installed version.

Jonathan Pryor jonpryor at vt.edu
Wed Mar 14 07:41:52 EDT 2007


On Tue, 2007-03-13 at 14:25 -0600, Eric Morgan wrote:
> I can tell you exactly how I'm getting there.  Our licensing company
> requires that a .xml file be present in the same directory as the
> executing application at the time their API functions are called.
> After many hours of debugging, I determined that the executing
> application was actually Mono instead of our .exe.  I have no control
> over that bit of API code, as we're P/Invoking into it.  The Linux
> libraries do, however, work fine.  I even contacted them and they told
> us "sorry, no other option than that .xml file in the same directory".
> Without that licensing, our software won't run, so I think it's major
> enough that we request write permission to those directories. 
> 
> Is this a HUGE security issue or something?

Yes.  A major reason why Unix platforms don't have as many virus
problems as Windows is because the system directories
-- /, /usr, /usr/lib, etc. -- are NOT writable by non-root users.
Combined with the general practice that you normally run as non-root,
and it becomes very difficult for a virus to change the *system*.
(Delete all of *your* files, sure, but it can't e.g. change /bin/bash
and then infect every other user on the system unless there's a local
root exploit as well.)

By loosening these permissions, you undermine this decades-old security
feature.  It's very bad.

Better would be to require installing by the root user, and then
changing the permission _on that particular .xml file_ so that everyone
can write to it (e.g. 666 permissions), leaving the directory
permissions unchanged.  This still isn't ideal -- it would allow
multiple users to change the file, potentially simultaneously (!), but
at least it won't open up the entire directory to attack.

> I will double check which libgdiplus.so it's trying to load, but I
> compile libgdiplus with mono, and both binaries are installed in the
> prefix.   I'm mostly worried about stuff like libpng, libungif,
> libpangosharpglue, libncurses, and other dependency packages.  I don't
> want Mono to be looking for these already installed by the distro, and
> when I distribute the software, it errors out saying it can't find
> them.  Will mono search the MONO_PREFIX/lib/ folder at runtime if it
> can't find the libraries elsewhere?  Will it check that first? 

Are you setting LD_LIBRARY_PATH?  If LD_LIBRARY_PATH isn't set, then the
dynamic library loader will only look in /lib and /usr/lib (and other
directories; see /etc/ld.so.conf and ldconfig(8)).  Result: your version
of libgdiplus.so won't be loaded, the system-provided version will.

 - Jon
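An added example, not part of the original thread or of Mono, that turns the two points above into checks a packager can run against an install prefix. The prefix layout (`PREFIX/app.xml`, `PREFIX/lib/libgdiplus.so`) and the "system" directory used for comparison are assumptions of the example. The first two functions find directories that any user can write to and apply Jon's narrower fix (mode 666 on the one .xml file, directory mode untouched); the third is a deliberately simplified model of the loader's search order, trying LD_LIBRARY_PATH entries before the default directories, so the real loader's handling of DT_RPATH/DT_RUNPATH and /etc/ld.so.cache is not reproduced here.

```shell
#!/bin/sh
# Added example: install-prefix permission audit plus a simplified model of
# shared-library lookup. Not from the mailing list or from Mono itself.
set -u

# Print every directory under $1 whose mode grants write to "other".
# -perm -002 matches when the world-write bit is set, whatever the other bits.
world_writable_dirs() {
    find "$1" -type d -perm -002 2>/dev/null
}

# Number of such directories; 0 means no directory in the prefix is open to
# every local user, which is the condition Jon describes for /usr/lib etc.
count_world_writable_dirs() {
    world_writable_dirs "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) when $1 is world-writable. -maxdepth 0 restricts find to
# the named path itself and works with both GNU and BSD find.
is_world_writable() {
    find "$1" -maxdepth 0 -perm -002 2>/dev/null | grep -q .
}

# The narrower fix: grant world write on exactly one file (the licensing
# .xml), never on its containing directory. Refuses directories outright.
narrow_write_grant() {
    if [ -d "$1" ]; then
        echo "refusing to make directory $1 world-writable" >&2
        return 1
    fi
    chmod 666 "$1"
}

# Simplified model of the dynamic loader's search order.
#   resolve_lib NAME LDPATH DEFAULTS
# NAME     library file name, e.g. libgdiplus.so
# LDPATH   colon-separated list standing in for LD_LIBRARY_PATH ("" = unset)
# DEFAULTS colon-separated default directories, e.g. /lib:/usr/lib
# Prints the first match and returns 0, or returns 1 if nothing is found.
# Real ld.so also consults DT_RPATH/DT_RUNPATH and /etc/ld.so.cache; see ld.so(8).
resolve_lib() {
    name=$1
    search="${2:+$2:}$3"
    old_ifs=$IFS
    IFS=:
    for d in $search; do
        [ -n "$d" ] || continue
        if [ -f "$d/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Self-contained demo on a constructed prefix in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/prefix/lib" "$tmp/sys/lib"
    touch "$tmp/prefix/app.xml" "$tmp/prefix/lib/libgdiplus.so" \
          "$tmp/sys/lib/libgdiplus.so"
    chmod 755 "$tmp/prefix" "$tmp/prefix/lib"
    echo "world-writable dirs before fix: $(count_world_writable_dirs "$tmp/prefix")"
    narrow_write_grant "$tmp/prefix/app.xml"
    echo "world-writable dirs after fix:  $(count_world_writable_dirs "$tmp/prefix")"
    echo "LD_LIBRARY_PATH unset -> $(resolve_lib libgdiplus.so '' "$tmp/sys/lib")"
    echo "LD_LIBRARY_PATH set   -> $(resolve_lib libgdiplus.so "$tmp/prefix/lib" "$tmp/sys/lib")"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see the constructed prefix pass the audit after the file-only chmod, and to see the private libgdiplus.so chosen only once its directory is listed ahead of the system directory. Against a real install, `count_world_writable_dirs /opt/yourapp` is the check to add to the packaging step, and `ldd yourapp.exe`-style inspection of the running Mono process (or `LD_DEBUG=libs`) confirms what the model predicts for the actual loader.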
