
Re: Need help (building ncurses-4.2)



> > Once I fixed that, it "almost worked": Now I have a portability problem.
> > The Debian version uses setfsuid and setfsgid, to solve a security
> > problem, I think.
> 
> Can you ascertain what the actual purpose here is?  i.e. how are these
> calls used and what is the supposed problem being solved by using these
> calls?

They are used to fix a security problem.

As Mark Kettenis has explained to me, "ncurses looks at the
TERMINFO variable to allow the user to specify their own terminfo
database. For setuid programs this opens the possibility to read
arbitrary files, which of course is not good."

He also suggested ignoring such environment variables if uid != euid,
as done in libc6.

-- 
 "3e07f5bbfc03e0af04abcda88afd9641" (a truly random sig)
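
The check suggested in the message above, sketched in portable C as an added example (not code from ncurses, Debian or libc6). The helper names and the default path are assumptions, and the gid comparison goes one step beyond the uid != euid test mentioned in the message so that setgid programs are covered too.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed system default; the real path depends on how ncurses was built. */
#define DEFAULT_TERMINFO "/usr/share/terminfo"

/* Nonzero when real and effective IDs differ, i.e. the program is setuid
 * or setgid and its environment comes from a less privileged user. */
static int ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Hypothetical helper: decide which terminfo directory to search.
 * env_value is whatever getenv("TERMINFO") returned (may be NULL). */
const char *choose_terminfo_dir(const char *env_value,
                                uid_t ruid, uid_t euid,
                                gid_t rgid, gid_t egid)
{
    if (ids_differ(ruid, euid, rgid, egid))
        return DEFAULT_TERMINFO;   /* privileged: ignore the user's override */
    if (env_value == NULL || env_value[0] == '\0')
        return DEFAULT_TERMINFO;   /* unset or empty: nothing to honor */
    return env_value;              /* unprivileged: user may pick a database */
}

/* Wrapper that applies the decision to the live process credentials. */
const char *terminfo_dir(void)
{
    return choose_terminfo_dir(getenv("TERMINFO"),
                               getuid(), geteuid(), getgid(), getegid());
}

int main(void)
{
    printf("terminfo directory: %s\n", terminfo_dir());
    return 0;
}
```

Unlike setfsuid and setfsgid, which are Linux-specific, getuid, geteuid, getgid and getegid are POSIX calls, so this form does not run into the portability problem described in the quoted text.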

