8556 – links-2.1 ebuilds set links setuid

Bug 8556 - links-2.1 ebuilds set links setuid

Summary: links-2.1 ebuilds set links setuid

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	New packages (show other bugs)
Hardware:	All All

Importance:	Highest blocker (vote)
Assignee:	Seemant Kulleen (RETIRED)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2002-09-30 01:04 UTC by SpanKY
Modified:	2002-09-30 22:51 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SpanKY gentoo-dev

2002-09-30 01:04:56 UTC

in the ebuilds, it says 'in order to utilize svga, links must be setuid' ...
well setting it uid of 0 allows for a local root exploit

i would rather people bend over backwards to get svga support in their links 
program than get bent over just for svga support

SOLUTION:
(1) remove the lines in both links-2.1 ebuilds:
        # links needs to be setuid for it to work with svga
        use svga && ( \
                fperms 4755 /usr/bin/links2
        )
(2) send out a security advisory telling people to run:
emerge rsync
emerge links

Comment 1 Seemant Kulleen (RETIRED) gentoo-dev

2002-09-30 22:51:16 UTC

ok, now the user will be spammed a message in postinst, explaining that suid bit
must be set on /usr/bin/links2 to enable SVGA support.  this message is only
spammed if "svga" is in USE in the first place.