Bugtraq mailing list archives

Re: safe logging xterm

From: adam () bwh harvard edu (Adam Shostack)
Date: Tue, 14 Mar 1995 16:46:16 -0500 (EST)


Margarita Suarez wrote:

| we have modified xterm to make use of the POSIX saved id where possible;
| otherwise, it uses setreuid() to switch back and forth between user and
| superuser.  we provide enable() and disable() functions which swap the
| euid and ruid so that the running xterm can give up root and take it
| back.

| can anyone see a problem with this fix?

Yes, it leaves setuid on a program that is way too large.  Xterm tends
to be setuid so it can write to utmp.  Thats a bad reason to make a
large program setuid.

Adam

Current thread:

Re: STROBE v1.01 Super Optimised TCP port surveyor, (continued)
- - - Re: STROBE v1.01 Super Optimised TCP port surveyor John Studarus (Mar 12)
    - Re: STROBE v1.01 Super Optimised TCP port surveyor Rodney Campbell (Mar 12)
    - Re: STROBE v1.01 Super Optimised TCP port surveyor Scott D. Yelich (Mar 13)
    - STROBE mirror Robert M. Haas (Mar 13)
    - Re: STROBE mirror Michel Lavondes (Mar 14)
    - STROBE 1.02 Julian Assange (Mar 14)
    - Re: STROBE 1.02 Neil Woods (Mar 22)
    - Sgi Xauthority Strangeness Paul Danckaert (Mar 14)
    - xdm and auth on Ultrix 4.4 Walter Zimmer (Mar 14)
    - safe logging xterm Margarita Suarez (Mar 14)
    - Re: safe logging xterm Adam Shostack (Mar 14)
    - Re: safe logging xterm Robert Banz (Mar 16)
    - Re: safe logging xterm Adam Shostack (Mar 16)
    - Re: safe logging xterm Valdis.Kletnieks () vt edu (Mar 16)
    - Re: safe logging xterm Robert M. Haas (Mar 16)
    - Re: safe logging xterm Bogdan Pelc (Mar 17)
    - Cancel Subscription TechnoInc () aol com (Mar 16)
    - Re: Cancel Subscription Anonymous the XXIIV (Mar 16)
    - Please help me get off this list Ivan Angus (Mar 17)
    - Re: STROBE v1.01 Super Optimised TCP port surveyor Kurt Jaeger aka PI (Mar 13)
  - Re: sigh. another Irix 5.2 hole. Christopher Klaus (Mar 08)

(Thread continues...)