Bug 7630 - quick fix for x client setuid security hole
Summary: quick fix for x client setuid security hole
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: x86 Linux
Importance: High normal
Assignee: Martin Schlemmer (RETIRED)
URL: http://www.xfree86.org/4.2.1/RELNOTES...
Whiteboard:
Keywords:
Duplicates: 2618
Depends on:
Blocks:
 
Reported: 2002-09-07 16:37 UTC by psypete
Modified: 2003-02-04 19:42 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description psypete 2002-09-07 16:37:13 UTC
Gentoo has a setuid-root xterm as well as other setuid-root X terminals. This is
BAD. This is always BAD, but it gets even worse when there's a zlib/Xlib bug in
XFree86 which could cause loading of arbitrary code or other weird security issues.

The X clients are setuid because they need access to write to utmp when someone
logs in. Well, Debian appears to handle it correctly, so I propose we make a new
group utmp and chown root:utmp /var/run/utmp, then chmod 2664 /var/run/utmp. Then
we change all the setuid-root X terminals to chown root:utmp and chmod 2755.
Then we'd only have to worry about utmp being messed with.
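An added example (not part of the bug report or of Gentoo's baselayout) that audits a directory for setuid-root binaries and applies the setgid-utmp layout proposed above. It assumes GNU `stat -c`, and because `chown root:utmp` needs root, the fix functions take the group as a parameter; the demo at the bottom runs in a scratch directory with the caller's own group standing in for `utmp`.

```shell
#!/bin/sh
# Audit and fix helpers for the setuid-root terminal problem described above.
# Constructed demo: works on a temporary directory, no root needed.
set -eu

# Report which privilege bit a file carries: setuid, setgid or none.
# stat -c '%a' prints e.g. 4755 (setuid), 2755 (setgid), 755 (neither).
priv_bits() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        4*|6*) echo setuid ;;
        2*)    echo setgid ;;
        *)     echo none ;;
    esac
}

# List regular files under a directory that still carry the setuid bit.
find_setuid() {
    find "$1" -type f -perm -4000
}

# The report's fix for a terminal emulator: drop setuid, keep only a
# setgid bit for the utmp group so the program can append to utmp.
# On a real system the group would be "utmp" and the owner root.
setgid_utmp_fix() {
    bin=$1; grp=$2
    chgrp "$grp" "$bin"
    chmod 2755 "$bin"
}

# The matching utmp file layout: owner-writable, group-writable, setgid.
utmp_fix() {
    f=$1; grp=$2
    chgrp "$grp" "$f"
    chmod 2664 "$f"
}

# Demo on a scratch tree mimicking a setuid-root xterm and a utmp file.
demo() {
    d=$(mktemp -d)
    touch "$d/xterm" "$d/utmp"
    chmod 4755 "$d/xterm"
    echo "before: $(find_setuid "$d")"
    setgid_utmp_fix "$d/xterm" "$(id -gn)"
    utmp_fix "$d/utmp" "$(id -gn)"
    echo "after:  xterm=$(priv_bits "$d/xterm") utmp=$(stat -c '%a' "$d/utmp")"
    rm -rf "$d"
}
```

Run `demo` to see the setuid binary disappear from the audit list once the setgid layout is applied.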
Comment 1 Martin Schlemmer (RETIRED) gentoo-dev 2002-09-07 17:46:01 UTC
OK, baselayout-1.8.3 is in CVS; it should get utmp and wtmp ready. xfree-4.2.1
to follow.
Comment 2 Martin Schlemmer (RETIRED) gentoo-dev 2002-09-08 04:58:41 UTC
*** Bug 2618 has been marked as a duplicate of this bug. ***