Re: a good solution to the libXt problem (really)



There is truth to Herbert's claim about setuid xterm being necessary
in order to change ownership on pseudoterminals.  xterm still
functions without changing the ownership of pseudoterminals, but mesg
will not work and it is possible for anyone to write to a
pseudoterminal without ownership.  Also, if a process is killed with
SIGKILL, the pseudoterminal will remain owned by the previous user.
xterm is functional without setuid.  There are *many* programs besides
xterm which use pseudoterminals and are not setuid root.  Requiring
all of them to be setuid root is a bigger security hole than xterm
alone.

Some operating systems require programs to be setuid root in order to
manipulate pseudoterminals.  This is as much of a hack as setuid for
utmp or load calculations.  Fortunately, Linux does not require setuid
programs for pseudoterminals.  To verify this, I ran non-setuid xterms
as root and then as kevin, which has no special permissions on my
machine.  I was able to use the same pseudoterminal as first root and
then kevin without any difficulty.  The permissions of the
pseudoterminal change, but root permission is not needed.  The
pseudoterminals remain owned by root.  When xterm is run as setuid,
the ownership of the pseudoterminal changes. 

I restate my original claim.  On Linux, xterm and xload do not need to
be setuid root.  In fact, they should not be setuid root.  Please try
non-setuid xterm and xload and determine whether there are any
problems.  In any case, running xterm as non-setuid root is less
problematic than running it as setuid root.

Many newer operating systems have dropped the requirement that
programs be setuid root in order to manipulate pseudoterminals.  For
example, SGI made this change about 4 years ago, after many
complaints.  If Linux has not yet made this change, we should push for
it soon.

Herbert Xu <herbert@greathan.apana.org.au> writes:

> 
> Kevin Dalley wrote:
> > 
> > As I remember it, xterm sometimes needs setuid root so that it can
> > modify /var/run/utmp.  If utmp cannot be written, then xterm will
> > still run, but utmp will not be updated.  The program "who" uses
> 
> xterm needs to be root to chown pseudo tty files.


-- 
kevin
kevin@aimnet.com