Bugtraq mailing list archives
Re: safe logging xterm
From: banz () umbc edu (Robert Banz)
Date: Thu, 16 Mar 1995 17:42:07 -0500 (EST)
On Tue, 14 Mar 1995, Adam Shostack wrote:
Margarita Suarez wrote:
| we have modified xterm to make use of the POSIX saved id where possible;
| otherwise, it uses setreuid() to switch back and forth between user and
| superuser. we provide enable() and disable() functions which swap the
| euid and ruid so that the running xterm can give up root and take it
| back.
| can anyone see a problem with this fix?

Yes, it leaves setuid on a program that is way too large. Xterm tends to be setuid so it can write to utmp. That's a bad reason to make a large program setuid.

Hm. Why not make utmp group "bob" writable, and make xterm setgid "bob"? just an idea... at least it cuts down on what they can do if they somehow 'hack' xterm...they get "bob" access...

----
Robert Banz (banz () umbc edu)      "I prefer the hands on touch you only
UMBC Academic Computing Svcs.        get from hired goons."
(410) 455-3962                         'Mr Burns'
http://gl.umbc.edu/~banz
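
Added example, not part of the original thread and not the modified xterm's code: a C sketch of the enable()/disable() bracketing described above, using the POSIX saved set-user-ID through seteuid(). It also shows that a merely disabled process can still regain the privileged uid until a permanent drop is made; priv_init(), switch_euid(), can_regain() and drop_forever() are hypothetical names, and a setuid-root install is assumed.

```c
/* Added example: privilege bracketing with the POSIX saved set-user-ID.
 * Only enable()/disable() are names from the thread; the rest is hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <unistd.h>

static uid_t priv_uid; /* effective uid at startup (0 if installed setuid root) */
static uid_t user_uid; /* real uid of the invoking user */

/* Switch only the effective uid; the saved set-user-ID keeps priv_uid. */
static int switch_euid(uid_t to) {
    if (seteuid(to) != 0) return -1;
    return geteuid() == to ? 0 : -1;   /* verify the result, never assume it */
}

int disable(void) { return switch_euid(user_uid); }
int enable(void)  { return switch_euid(priv_uid); }

/* Call first thing in main(): record both ids, then run unprivileged. */
int priv_init(void) {
    priv_uid = geteuid();
    user_uid = getuid();
    return disable();
}

/* 1 if the process can still get priv_uid back, i.e. the saved id survives. */
int can_regain(void) {
    if (priv_uid == user_uid) return 0;     /* nothing to regain */
    if (seteuid(priv_uid) != 0) return 0;   /* kernel refused: truly dropped */
    return disable() == 0 ? 1 : -1;
}

/* Permanent drop for a setuid-root binary. setuid() clears the saved id
 * only when called with euid 0, so privilege is re-enabled first. */
int drop_forever(void) {
    if (enable() != 0) return -1;
    if (setuid(user_uid) != 0) return -1;
    return can_regain() == 0 ? 0 : -1;
}

int main(void) {
    if (priv_init() != 0) return 1;
    printf("after disable(): euid=%ld regainable=%d\n", (long)geteuid(), can_regain());
    if (drop_forever() != 0) return 1;
    printf("after drop_forever(): euid=%ld regainable=%d\n", (long)geteuid(), can_regain());
    return 0;
}
```

Run from an ordinary account without the setuid bit, both lines report regainable=0; installed setuid root, the first line reports regainable=1 and the second 0.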