[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#352303: ITP: gsynaptics -- configuration tool for Synaptics touchpad driver of X

la, 2006-02-11 kello 13:30 +0900, Osamu Aoki kirjoitti:
>  GSynaptics is a configuration tool for Synaptics touchpad driver
>  of X server. Before you use this package, please read
>  /usr/share/doc/gsynaptics/README and configure X server properly.

"Properly" is a bad word to use in this context, since the configuration
in question seems to result in a potential security problem. From the
xfree86-driver-synaptics README.Debian file:

   If you want to be able to change driver parameters without
   restarting the X server, enable the "SHMConfig" option in the X
   configuration file. You can then use the "synclient" program to
   query and modify driver parameters on the fly.
   SECURITY NOTE! This is not secure if you are in an untrusted
   multiuser environment. All local users can change the parameters at 
   any time.

I think it would be fair to add a similar note to the description of the
gsynaptics package.

Note that I'm not saying that this is a serious problem with the
package: in many situations it does not matter if the touchpad settings
can be changed by any local user. For example, on a laptop with only a
single user account, or with many accounts but no way to log in via a
network. These can be an acceptable risk for the ease of configuration.

It is, however, important to notify the person installing the package
about the issue.

Even a bad picture is worth 500 words. --Droidy

Reply to: