From owner-freebsd-security  Tue Jan 23 05:44:56 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id FAA17873
          for security-outgoing; Tue, 23 Jan 1996 05:44:56 -0800 (PST)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15])
          by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id FAA17852
          for <freebsd-security@freebsd.org>; Tue, 23 Jan 1996 05:44:45 -0800 (PST)
Received: from uucp2.UU.NET by relay5.UU.NET with SMTP 
	id QQzztm01087; Tue, 23 Jan 1996 08:44:35 -0500 (EST)
Received: from uanet.UUCP by uucp2.UU.NET with UUCP/RMAIL
        ; Tue, 23 Jan 1996 08:44:35 -0500
Received: by crocodil.monolit.kiev.ua; Tue, 23 Jan 96 15:42:23 +0200
Received: (from dk@localhost) by dog.farm.org (8.6.11/dk#3) id PAA00906; Tue, 23 Jan 1996 15:00:56 +0200
From: Dmitry Kohmanyuk <dk@dog.farm.org>
Message-Id: <199601231300.PAA00906@dog.farm.org>
Subject: rxvt security hole - proposed fix + more
To: freebsd-security@freebsd.org
Date: Tue, 23 Jan 1996 13:00:56 +0000 ()
Reply-To: dk+@ua.net
X-Class: Fast
X-OS-Of-Choice: FreeBSD 2.0.5-RELEASE
X-NIC-Handle: DK379
X-Mailer: ELM [version 2.4 PL22 dk9]
Content-Type: text
Sender: owner-security@freebsd.org
Precedence: bulk


since now everybody probably knows about it, I wouldn't explain
(just go to linux.announce ;-))

What I have done on my system is make rxvt setgid tty instead of
suid root and make /var/run/wtmp and /var/log/wtmp group-writeable tty.

This also requires modifying /etc/rc:

(cd /var/run && { rm -rf -- *; cp /dev/null utmp; chgrp tty utmp; chmod 664 utmp; })

and adding this line /etc/monthly:

chgrp tty wtmp; chmod g+w wtmp

If you think that tty is a wrong group for user accounting files, it can be 
changed to some other one.

in my 2.0.5 system, only these programs are setgid tty:

/usr/bin/wall
/usr/bin/write
/sbin/dump
/sbin/rdump
/sbin/restore
/sbin/rrestore

(not including screen and rxvt, which I have made setgid tty by hand instead
of setuid root).

And yes I know rxvt have to be fixed to drop its privileges when using
-print-pipe anyway.