Bugtraq mailing list archives

Re: Vulnerability in the Xt library


From: casper () holland Sun COM (Casper Dik)
Date: Mon, 26 Aug 1996 09:13:10 +0200


Or fix xterm such that it doesn't need to be setuid.  This usually
involves hacking the kernel to have saner defaults than are present in
the BSD kernel.  If you could create a pseudo device that was owned by
the user creating it, xterm wouldn't need to be setuid, if my look at
the source and conversations I've had with others that understood
xterm better than I.


System V ptys have this advantage, apart from being much easier to use
and being much more efficient (you don't need to search for one open
device, you just get one from the kernel).

In Solaris 2.x, there are two programs that handle all of xterm's needs:

        /usr/lib/pt_chmod       - for setting the ownership of a pty
        /usr/lib/utmp_update    - for updating utmp/wtmp files.

Consequently, Solaris 2.x xterm is not set-uid root.

(SunOS 4.x xterm wasn't set-uid either but it relied on a mode 666 utmp
file [bad] and kept your tty owned by root [worse])

This doesn't mean that one shouldn't fix libXt, just that xterm,
although careful generally, shouldn't need to be setuid root (in an
ideal world).


Obviously we need to fix libXt.  I'm actually quite appalled that the
X consortium introduced a new buffer overflow in XOpenDisplay in R6.

Casper
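
The System V allocation sequence described in the message above, as an added example that is not part of the original post or of xterm: an unprivileged C program opens the clone device and checks that the slave it gets back is owned by the caller. The function name is hypothetical, and the `/dev/ptmx` path assumes a Solaris- or Linux-style system.

```c
#define _XOPEN_SOURCE 600   /* exposes grantpt(), unlockpt(), ptsname() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Repeated so the block still compiles if pasted below other includes. */
int grantpt(int fd);
int unlockpt(int fd);
char *ptsname(int fd);

/*
 * Allocate a System V pty as an unprivileged process and inspect the slave.
 * Returns 1 if the slave is owned by the caller and not world-accessible,
 * 0 if it is not, -1 if no pty could be allocated on this system.
 */
int pty_is_private_to_caller(void)
{
    struct stat st;
    const char *slave;

    /* One open() of the clone device; the kernel picks the free pty. */
    int master = open("/dev/ptmx", O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;

    /* grantpt() hands the slave to the caller's real uid; on Solaris 2.x
       this is where the pt_chmod helper named in the post is run. */
    if (grantpt(master) != 0 || unlockpt(master) != 0 ||
        (slave = ptsname(master)) == NULL || stat(slave, &st) != 0) {
        close(master);
        return -1;
    }

    printf("%s uid=%ld mode=%04o\n", slave, (long)st.st_uid,
           (unsigned)(st.st_mode & 07777));

    /* What a non-setuid terminal emulator relies on: it owns the tty and
       other users can neither read nor write it. */
    int ok = st.st_uid == getuid() && (st.st_mode & (S_IROTH | S_IWOTH)) == 0;
    close(master);
    return ok;
}

int main(void)
{
    return pty_is_private_to_caller() == 1 ? 0 : 1;
}
```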


