
Re: suid xterm



On Mon, Mar 30, 1998 at 02:02:23AM -0800, Guy Maor wrote:

> > > Quick question: has there been a discussion of whether a setuid xterm is
> > > a good idea? Is utmp logging worth the perennial xterm security holes?
> > 
> > Yes unless you're willing to let other people see what you type and what is
> > displayed on your screen (oops, there goes my credit card number...)
> 
> Right.  Programs like xterm and rxvt are suid so they can chown your
> pseudo tty, not so they can write to utmp.

That's not a good reason for them to be setuid though: that can be done in a
wrapper. There's one such wrapper on http://www-uxsup.csx.cam.ac.uk/~pjb1008/
(I can't remember the exact page). If there are no problems with this
approach, and I can't think of any, I'd like to see Debian doing this (in
slink).
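
Added example, not part of the original message and not the Cambridge wrapper it mentions: a sketch of a small set-uid wrapper that takes ownership of the pty, drops privilege permanently, and only then execs the terminal program. The name ptywrap, the convention of passing the pty slave on descriptor 3, and the refusal to take a tty owned by another user are assumptions of this example.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hand the tty open on fd to owner with mode 0620. Works on the descriptor,
 * not a path, so there is no rename/symlink race. Returns 0 or -1. */
int claim_tty(int fd, uid_t owner)
{
    struct stat st;

    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode) || !isatty(fd))
        return -1;                      /* not a terminal device */
    if (st.st_uid != 0 && st.st_uid != owner)
        return -1;                      /* already belongs to another user */
    if (fchown(fd, owner, (gid_t)-1) != 0)
        return -1;
    return fchmod(fd, S_IRUSR | S_IWUSR | S_IWGRP);
}

/* Permanently give up set-uid/set-gid privilege. Returns 0 or -1. */
int drop_privileges(void)
{
    uid_t ruid = getuid();

    if (setgid(getgid()) != 0 || setuid(ruid) != 0)
        return -1;
    if (ruid != 0 && setuid(0) == 0)    /* must not be able to regain root */
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Assumed convention: the caller passes the pty slave on descriptor 3 */
    int rc = claim_tty(3, getuid());

    if (drop_privileges() != 0)         /* never exec with privilege left */
        return 2;
    if (rc != 0 || argc < 2) {
        fprintf(stderr, "usage: ptywrap program [args...] (pty slave on fd 3)\n");
        return 1;
    }
    execvp(argv[1], argv + 1);          /* the terminal runs unprivileged */
    perror(argv[1]);
    return 127;
}
```

The privileged code path is the few lines of claim_tty; everything the terminal emulator does afterwards runs with the invoking user's own ids.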

