Date: Wed, 30 Apr 2003 18:48:40 +0200 (CEST)
From: Guido Berhoerster <ich@guido-berhoerster.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/51632: luit from x11/XFree86-4-clients is unusable
Message-ID: <200304301648.h3UGmeLX000667@hal.privat.lan>
Resent-Message-ID: <200304301650.h3UGoA40055628@freefall.freebsd.org>

>Number:         51632
>Category:       ports
>Synopsis:       luit from x11/XFree86-4-clients is unusable
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 30 09:50:10 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Guido Berhoerster
>Release:        FreeBSD 4.8-RELEASE i386
>Organization:
>Environment:
System: FreeBSD hal.privat.lan 4.8-RELEASE FreeBSD 4.8-RELEASE #1: Fri Apr 4 15:35:08 CEST 2003 root@hal.privat.lan:/usr/obj/usr/src/sys/HAL i386

>Description:
luit is a small utility which is part of the XFree86 4.3.0 distribution
and is installed by the x11/XFree86-4-clients port. luit adds locale and
ISO 2022 support to Unicode terminals, most notably xterm.
Unfortunately luit will leave the tty world writable if it is not setuid
root which renders it unusable on a default install of
x11/XFree86-4-clients. This problem is specific to systems without SVR4
ptys like FreeBSD and documented on the manpage:

----snip----
On systems without SVR4 (``Unix-98'') ptys (notably BSD variants),
running luit as an ordinary user will leave the tty world-writable; this
is a security hole, and luit will generate a warning (but still accept
to run). A possible solution is to make luit suid root; luit should drop
privileges sufficiently early to make this safe. However, the startup
code has not been exhaustively audited, and the author takes no
responsibility for any resulting security issues.
----snap----

>How-To-Repeat:
For example try to get an xterm with German localization with

setenv LANG de_DE.ISO8859-15
setenv MM_CHARSET ISO-8859-15
xterm -lc -fa "Luxi Mono"

The resulting xterm prints a warning "Warning: could not change ownership
of tty -- pty is insecure!" and the corresponding tty is of course world
writable.

>Fix:
This could be fixed by installing luit setuid root.
If this is considered too much of a security risk maybe a switch could be
added to the port so that people who need a localized xterm have an
option.

>Release-Note:
>Audit-Trail:
>Unformatted: