| Field | Value |
|---|---|
| Summary | quick fix for x client setuid security hole |
| Product | Gentoo Linux |
| Reporter | psypete <psypete> |
| Component | Current packages |
| Assignee | Martin Schlemmer (RETIRED) <azarah> |
| Package list | |
| Runtime testing required | --- |
Description psypete 2002-09-07 16:37:13 UTC
Gentoo has a setuid-root xterm as well as other setuid-root X terminals. This is BAD. This is always BAD, but it gets even worse when there's a zlib/Xlib bug in XFree86 which could cause loading of arbitrary code or other weird security issues. The X clients are setuid because they need access to write to utmp when someone logs in. Well, Debian appears to handle it correctly, so I propose we make a new group utmp and chown root:utmp /var/run/utmp, then chmod 2664 /var/run/utmp. Then we change all the setuid-root X terminals to chown root:utmp and chmod 2755. Then we'd only have to worry about utmp being messed with.
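The group-and-mode scheme from the report above, as an added shell example that is not part of the bug report or of Gentoo's baselayout: it assumes GNU coreutils (`stat -c`) and a POSIX `find`, and its demo works on a scratch directory with the caller's own primary group standing in for `utmp`, so it runs unprivileged. Against the real paths (`/var/run/utmp`, group `utmp`, the terminal binaries) the same functions need root.

```shell
#!/bin/sh
# Added example, not code from the bug report: turn a setuid-root terminal
# emulator into a setgid-utmp one, as psypete proposes. Assumes GNU stat -c
# and POSIX find. The paths in demo() are constructed scratch files.

# List regular files under DIR that still carry the setuid bit (mode 4xxx).
# Useful as the before/after audit of the change.
list_setuid() {
    find "$1" -type f -perm -4000
}

# Number of setuid files under DIR, with no leading whitespace.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Numeric mode of FILE including the special bits, e.g. 4755 or 2755.
mode_of() {
    stat -c '%a' "$1"
}

# utmp file: owner root (left as is), group GROUP, mode 2664 so only
# members of GROUP, not everyone, can append login records.
harden_utmp_file() {
    file=$1; group=$2
    chgrp "$group" "$file" && chmod 2664 "$file"
}

# Terminal binary: replace setuid-root with setgid-GROUP (mode 2755). The
# program can still write utmp through the group, but a bug in the X
# client no longer runs with uid 0.
harden_utmp_client() {
    file=$1; group=$2
    chgrp "$group" "$file" && chmod 2755 "$file"
}

# Demo on a scratch directory: a fake xterm with the setuid bit and a fake
# utmp, using the caller's own group in place of "utmp". For a real system
# the arguments would be the terminal binaries, /var/run/utmp and "utmp".
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\n' > "$dir/xterm"; chmod 4755 "$dir/xterm"
    : > "$dir/utmp"; chmod 644 "$dir/utmp"
    grp=$(id -gn)
    echo "before: $(count_setuid "$dir") setuid file(s), xterm mode $(mode_of "$dir/xterm")"
    harden_utmp_client "$dir/xterm" "$grp"
    harden_utmp_file "$dir/utmp" "$grp"
    echo "after:  $(count_setuid "$dir") setuid file(s), xterm mode $(mode_of "$dir/xterm"), utmp mode $(mode_of "$dir/utmp")"
    rm -rf "$dir"
}

demo
```

The audit function is the part worth keeping around: running `list_setuid /usr/bin /usr/X11R6/bin` before and after the change shows exactly which terminal emulators were converted and which setuid binaries remain.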
Comment 1 Martin Schlemmer (RETIRED) 2002-09-07 17:46:01 UTC
OK, baselayout-1.8.3 is in CVS... should get utmp and wtmp ready. xfree-4.2.1 to follow.