Debian bug report logs - #1551, boring messages


Message sent to debian-devel@pixar.com:


Subject: Bug#1551: Any user can start X on the console
Reply-To: Ian Jackson <iwj10@cus.cam.ac.uk>, debian-bugs@pixar.com
Resent-From: Ian Jackson <iwj10@cus.cam.ac.uk>
Resent-To: debian-devel@pixar.com
Resent-Date: Thu, 05 Oct 1995 18:03:03 GMT
Resent-Message-ID: <debian-bugs-handler.1551.B10051753120@pixar.com>
Resent-Sender: iwj10@cus.cam.ac.uk
X-Debian-PR-Package: xs3
X-Debian-PR-Keywords: 
Received: via spool for debian-bugs; Thu, 05 Oct 1995 18:03:03 GMT
Received: with rfc822 via encapsulated-mail; Thu, 05 Oct 1995 17:53:10 GMT
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t0uR9-000B2JC; Thu, 5 Oct 95 10:50 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA18558
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 5 Oct 1995 10:50:01 -0700
Received: by bootes.cus.cam.ac.uk
	(Smail-3.1.29.0 #36) id m0t0uQu-000BzQC; Thu, 5 Oct 95 18:50 BST
Received: by chiark
	id <m0t0uEz-0002aIZ@chiark.al.cl.cam.ac.uk>
	(Debian /\oo/\ Smail3.1.29.1 #29.33); Thu, 5 Oct 95 18:37 BST
Message-Id: <m0t0uEz-0002aIZ@chiark.al.cl.cam.ac.uk>
Date: Thu, 5 Oct 95 18:37 BST
From: Ian Jackson <iwj10@cus.cam.ac.uk>
To: Debian bugs submission address <debian-bugs@pixar.com>

Package: xs3
Version: 3.1.2-1

The binary /usr/bin/X11/XF86_S3 (and presumably the other X servers
too, though I haven't installed them) is setuid root.

This means that any user, even one who was logged in remotely, can
start X on the console.  This will disrupt the work of the person
on the console and might even persuade them to log into a hacked
xlogin screen.

Individual sysadmins can remove the setuid bit on the X server, but
this will be undone when the package is upgraded.

Unfortunately removing the setuid bit on the X server in the Debian
package will break startx.

I propose that a setuid wrapper be created which checks for
appropriate conditions (user is on the console, &c) before running X,
which should be made non-setuid.  It should be possible to configure
the wrapper never to start X, for those people who want to use xdm.

Ian.


Message sent:


From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: Ian Jackson <iwj10@cus.cam.ac.uk>
Subject: Bug#1551: Acknowledgement (was: Any user can start X on the console)
In-Reply-To: <m0t0uEz-0002aIZ@chiark.al.cl.cam.ac.uk>
References: <m0t0uEz-0002aIZ@chiark.al.cl.cam.ac.uk>

Thank you for the problem report you have sent regarding Debian GNU/Linux.
This is an automatically generated reply, to let you know your message has
been received.  It is being forwarded to the developers' mailing list for
their attention; they will reply in due course.

If you wish to submit further information on your problem, please send
it to debian-bugs@pixar.com, but please ensure that the Subject
line of your message starts with "Bug#1551" or "Re: Bug#1551" so that
we can identify it as relating to the same problem.

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, debian-bugs)


Ian Jackson / iwj10@thor.cam.ac.uk, with the debian-bugs tracking mechanism
This page last modified 07:43:01 GMT Wed 01 Nov