The debian-private mailing list leak, part 1.


a good solution to the libXt problem (really)



After investigating the Xt bug more thoroughly, I modify my previous
suggestion.

The Xt bug is only a security hole when a program is setuid or
setgid.  Obviously setuid or setgid root programs are the most serious.
A quick examination in my /usr/X11R6/bin directory shows the following
programs which are problematic:

xterm
xterm.mono
X
xload
xterm_color

X doesn't matter.

As I remember it, xterm sometimes needs setuid root so that it can
modify /var/run/utmp.  If utmp cannot be written, then xterm will
still run, but utmp will not be updated.  The program "who" uses
utmp.  The program which I have installed as /usr/X11R6/bin/xterm does
not need to be setuid root.  It will run fine and update utmp as 755.
I believe that this xterm is from the xbase package.
xterm-color and xterm-mono from the xterm-color package will not
update utmp if they are 755.

xload, from xcontrib, works fine if it is installed as 755.  It also
does not need to be installed setuid.  For xload, setuid is a hack
useful for some operating systems which need special permissions to
read the load.  This is not necessary on Linux.

In order to release the 3.1 X packages as part of Debian-1.2, I
suggest that we make the following changes:

1.  In the xbase package, the permission of xterm should be set to
755.  This xterm will work fine.

2.  In the xcolor package, change the permission of the 2 xterm
programs to 755.  A bug should be filed against the package that xterm
does not modify utmp.  This is not a show stopper.

3.  In the xcontrib package, the permission of xload should be changed
to 755.

libXt will still have a bug.  Other setuid programs which use libXt
are a potential hole.  Very few programs should be setuid root
anyway.  All of our really important programs will avoid security
issues because of this bug.  They may still crash, but this is
acceptable for the Debian-1.2 release.

Have I missed any setuid programs which use libXt?

I apologize for cc'ing people, but this is an important issue.  I'll
try not to do it again.
-- 
kevin
kevin@aimnet.com


--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com
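An added example, not code from Kevin's message or from Debian's X packages: a POSIX shell script that performs the audit the message describes by hand, listing every setuid or setgid file under a directory and reporting which of those are dynamically linked against libXt, with an option to drop the bits to 0755 as the message proposes. The directory argument, the FIX variable and the function names are assumptions made for illustration; the check relies on ldd printing a line containing "libXt.so" for a dynamically linked binary.

```shell
#!/bin/sh
# Added example (hypothetical): audit a directory for setuid/setgid
# binaries that link libXt, the class of programs the message warns about.

# Print every regular file under $1 with the setuid or setgid bit set,
# sorted so the output is stable.
find_setid_bins() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Succeed (exit 0) only if $1 is dynamically linked against libXt.
# ldd on a non-ELF file or a missing ldd yields no match, which is
# treated as "does not link libXt".
links_libxt() {
    ldd "$1" 2>/dev/null | grep -q 'libXt\.so'
}

# Report each setid binary under $1 that links libXt.  With FIX=1 in the
# environment, also clear the setuid/setgid bits (chmod 755), which is the
# remedy the message proposes for xterm and xload.
audit_libxt() {
    dir=$1
    find_setid_bins "$dir" | while IFS= read -r f; do
        if links_libxt "$f"; then
            printf 'setid + libXt: %s\n' "$f"
            if [ "${FIX:-0}" = 1 ]; then
                chmod 755 "$f" && printf '  -> now 0755\n'
            fi
        else
            printf 'setid, no libXt: %s\n' "$f"
        fi
    done
    return 0
}
```

Usage: source the file and run `audit_libxt /usr/X11R6/bin` to list, or `FIX=1 audit_libxt /usr/X11R6/bin` (as root) to list and strip the bits. Statically linked binaries are not caught by the ldd check and need a manual look.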