Avoid deploying in $HOME/.fmxlinux/
Is it possible to avoid deploying libfmux.so in the $HOME/.fmxlinux/ dir?
This behaviour can be considered a security risk, because the app loads a library that resides in a user's dir.
I would prefer that my installer deploys libfmux.so manually in a specified dir and that my app loads that library from that specified dir (e.g. the same dir as the current program).
Comments (9)
-
repo owner -
reporter This is a report from one of our customers, which is at the same time an IT security company:
“The app deploys library in user directory $HOME/.fmxlinux/libfmux-1.39.so. This behavior can be considered as a security risk because the app loads code that can be modified by user. Besides, this forces us to reduce the security policy of some of our workstations that prevent this kind of manipulation. Can you put this library in a standard place?”
That seems relevant to me.
-
reporter Is there any workaround to be able to load libfmux.so from the same dir as the current program?
I think it was the previous behavior (that is to say, around version 1.25), wasn't it?
-
repo owner We are trying to find a good solution. For now, you can copy FMUX.Api.pas from FMXLinux’s sources to your project dir and change LoadLib as you need.
-
reporter Here is a fix that could be integrated in your source if you find it relevant: if the macro FMUXLIB_LOCAL is defined, fmxlinux loads the lib from the program directory.
You can find the diff and the FMUX.Api.pas from 1.41 version in the attached files.
-
repo owner Thx for the patch, we are preparing our own also. Please do not publish any part of sources next time on public forum.
-
reporter Ok, sorry for that. I forgot the code was available only when we have the licence. So how can we send you some piece of code?
-
repo owner Just email to support@ksdev.com
-
repo owner - changed status to resolved
Why do you think this is a security risk?
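
An added example, not part of the thread and not FMXLinux code: a Python check that an installer or administrator could run to see whether a library location such as `$HOME/.fmxlinux/` or the program directory can be modified by an account other than the trusted ones. The function names and the trusted-uid policy (root only by default) are assumptions made for this illustration.

```python
import os
import stat
import sys


def library_beside_program(program_path, lib_name):
    """Path of lib_name in the directory that holds the (resolved) program."""
    return os.path.join(os.path.dirname(os.path.realpath(program_path)), lib_name)


def writable_by_untrusted(path, trusted_uids=(0,)):
    """Check the file and every ancestor directory up to '/'.

    Returns (component, reason) pairs for each component that an account
    outside trusted_uids could modify or replace. Deliberately conservative:
    any group- or world-writable component is reported.
    """
    findings = []
    current = os.path.realpath(path)
    while True:
        st = os.stat(current)
        reasons = []
        if st.st_uid not in trusted_uids:
            reasons.append(f"owned by uid {st.st_uid}")
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings.append((current, ", ".join(reasons)))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return findings


if __name__ == "__main__":
    # Usage: python3 check_lib.py /opt/myapp/myapp libfmux.so  (constructed paths)
    if len(sys.argv) == 3:
        lib = library_beside_program(sys.argv[1], sys.argv[2])
        for component, reason in writable_by_untrusted(lib):
            print(f"{component}: {reason}")
```

An empty result means every component from the library up to `/` is owned by a trusted uid and is not group- or world-writable; a library under a user's home directory will always be reported when only root is trusted.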