Debian bug report logs - #1551
Any user can start X on the console

Package: xs3; Reported by: Ian Jackson <iwj10@cus.cam.ac.uk>; 26 days old.

Message received at debian-bugs:


From cus.cam.ac.uk!iwj10 Thu Oct  5 10:50:28 1995
Return-Path: <iwj10@cus.cam.ac.uk>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t0uR9-000B2JC; Thu, 5 Oct 95 10:50 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA18558
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 5 Oct 1995 10:50:01 -0700
Received: by bootes.cus.cam.ac.uk 
	(Smail-3.1.29.0 #36) id m0t0uQu-000BzQC; Thu, 5 Oct 95 18:50 BST
Received: by chiark
	id <m0t0uEz-0002aIZ@chiark.al.cl.cam.ac.uk>
	(Debian /\oo/\ Smail3.1.29.1 #29.33); Thu, 5 Oct 95 18:37 BST
Message-Id: <m0t0uEz-0002aIZ@chiark.al.cl.cam.ac.uk>
Date: Thu, 5 Oct 95 18:37 BST
From: Ian Jackson <iwj10@cus.cam.ac.uk>
To: Debian bugs submission address <debian-bugs@pixar.com>
Subject: Any user can start X on the console

Package: xs3
Version: 3.1.2-1

The binary /usr/bin/X11/XF86_S3 (and presumably the other X servers
too, though I haven't installed them) is setuid root.

This means that any user, even one who was logged in remotely, can
start X on the console.  This will disrupt the work of the person
on the console and might even persuade them to log into a hacked
xlogin screen.

Individual sysadmins can remove the setuid bit on the X server, but
this will be undone when the package is upgraded.

Unfortunately removing the setuid bit on the X server in the Debian
package will break startx.

I propose that a setuid wrapper be created which checks for
appropriate conditions (user is on the console, &c) before running X,
which should be made non-setuid.  It should be possible to configure
the wrapper never to start X, for those people who want to use xdm.

Ian.

Acknowledgement sent to Ian Jackson <iwj10@cus.cam.ac.uk>:
New bug report received and forwarded. Full text available.
Report forwarded to debian-devel@pixar.com:
Bug#1551; Package xs3. Full text available.
Ian Jackson / iwj10@thor.cam.ac.uk, with the debian-bugs tracking mechanism
This page last modified 07:43:01 GMT Wed 01 Nov