Debian bug report logs - #1551, boring messages

-----------------------------------------------------------------------

Message sent to debian-devel@pixar.com:

Subject: Bug#1551: Any user can start X on the console
Reply-To: Ian Jackson , debian-bugs@pixar.com
Resent-From: Ian Jackson
Resent-To: debian-devel@pixar.com
Resent-Date: Thu, 05 Oct 1995 18:03:03 GMT
Resent-Message-ID:
Resent-Sender: iwj10@cus.cam.ac.uk
X-Debian-PR-Package: xs3
X-Debian-PR-Keywords:
Received: via spool for debian-bugs; Thu, 05 Oct 1995 18:03:03 GMT
Received: with rfc822 via encapsulated-mail; Thu, 05 Oct 1995 17:53:10 GMT
Received: from pixar.com by mongo.pixar.com with smtp
    (Smail3.1.28.1 #15) id m0t0uR9-000B2JC; Thu, 5 Oct 95 10:50 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA18558
    (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 5 Oct 1995 10:50:01 -0700
Received: by bootes.cus.cam.ac.uk
    (Smail-3.1.29.0 #36) id m0t0uQu-000BzQC; Thu, 5 Oct 95 18:50 BST
Received: by chiark id
    (Debian /\oo/\ Smail3.1.29.1 #29.33); Thu, 5 Oct 95 18:37 BST
Message-Id:
Date: Thu, 5 Oct 95 18:37 BST
From: Ian Jackson
To: Debian bugs submission address

Package: xs3
Version: 3.1.2-1

The binary /usr/bin/X11/XF86_S3 (and presumably the other X servers
too, though I haven't installed them) is setuid root.

This means that any user, even one who was logged in remotely, can
start X on the console. This will disrupt the work of the person on
the console and might even persuade them to log into a hacked xlogin
screen.

Individual sysadmins can remove the setuid bit on the X server, but
this will be undone when the package is upgraded.

Unfortunately removing the setuid bit on the X server in the Debian
package will break startx.

I propose that a setuid wrapper be created which checks for
appropriate conditions (user is on the console, &c) before running X,
which should be made non-setuid.

It should be possible to configure the wrapper never to start X, for
those people who want to use xdm.

Ian.

-----------------------------------------------------------------------

Message sent:

From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: Ian Jackson
Subject: Bug#1551: Acknowledgement (was: Any user can start X on the console)
In-Reply-To:
References:

Thank you for the problem report you have sent regarding Debian
GNU/Linux. This is an automatically generated reply, to let you know
your message has been received. It is being forwarded to the
developers' mailing list for their attention; they will reply in due
course.

If you wish to submit further information on your problem, please send
it to debian-bugs@pixar.com, but please ensure that the Subject line of
your message starts with "Bug#1551" or "Re: Bug#1551" so that we can
identify it as relating to the same problem.

Please do not reply to the address at the top of this message, unless
you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, debian-bugs)

-----------------------------------------------------------------------

Ian Jackson / iwj10@thor.cam.ac.uk, with the debian-bugs tracking mechanism

This page last modified 07:43:01 GMT Wed 01 Nov