Debian bug report logs - #1551 Any user can start X on the console
Package: xs3; Reported by: Ian Jackson; 26 days old.

-----------------------------------------------------------------------
Message received at debian-bugs:

From cus.cam.ac.uk!iwj10 Thu Oct 5 10:50:28 1995
Return-Path:
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0t0uR9-000B2JC; Thu, 5 Oct 95 10:50 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA18558 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 5 Oct 1995 10:50:01 -0700
Received: by bootes.cus.cam.ac.uk (Smail-3.1.29.0 #36) id m0t0uQu-000BzQC; Thu, 5 Oct 95 18:50 BST
Received: by chiark id (Debian /\oo/\ Smail3.1.29.1 #29.33); Thu, 5 Oct 95 18:37 BST
Message-Id:
Date: Thu, 5 Oct 95 18:37 BST
From: Ian Jackson
To: Debian bugs submission address
Subject: Any user can start X on the console

Package: xs3
Version: 3.1.2-1

The binary /usr/bin/X11/XF86_S3 (and presumably the other X servers too, though I haven't installed them) is setuid root. This means that any user, even one who was logged in remotely, can start X on the console. This will disrupt the work of the person on the console and might even persuade them to log into a hacked xlogin screen.

Individual sysadmins can remove the setuid bit on the X server, but this will be undone when the package is upgraded. Unfortunately, removing the setuid bit on the X server in the Debian package will break startx.

I propose that a setuid wrapper be created which checks for appropriate conditions (user is on the console, &c) before running X, which should be made non-setuid. It should be possible to configure the wrapper never to start X, for those people who want to use xdm.

Ian.

-----------------------------------------------------------------------
Acknowledgement sent to Ian Jackson: New bug report received and forwarded. Full text available.
-----------------------------------------------------------------------
Report forwarded to debian-devel@pixar.com: Bug#1551; Package xs3. Full text available.
-----------------------------------------------------------------------

Ian Jackson / iwj10@thor.cam.ac.uk, with the debian-bugs tracking mechanism
This page last modified 07:43:01 GMT Wed 01 Nov