Date: Sat, 28 Oct 2000 17:26:51 -0700
From: Kris Kennaway <kris@citusc.usc.edu>
To: Jean-Marc Zucconi <jmz@FreeBSD.org>
Cc: Kris Kennaway <kris@citusc.usc.edu>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, taguchi@tohoku.iij.ad.jp
Subject: Re: cvs commit: ports/x11/XFree86-4 pkg-message Makefile pkg-install ports/x11/XFree86-4/files patch-config_cf_Server_tmpl
Message-ID: <20001028172651.A85789@citusc17.usc.edu>
In-Reply-To: <200010290006.RAA33002@freefall.freebsd.org>; from jmz@FreeBSD.org on Sat, Oct 28, 2000 at 05:06:14PM -0700
References: <200010282311.QAA13532@freefall.freebsd.org> <20001028164136.A82537@citusc17.usc.edu> <200010290006.RAA33002@freefall.freebsd.org>
On Sat, Oct 28, 2000 at 05:06:14PM -0700, Jean-Marc Zucconi wrote:

> >> Install the X server without the SUID bit, remove the warning about the
> >> possible insecurity of this, and inform users about the x11/wrapper port.
>
> > It should depend on the wrapper port by default - otherwise it's not
> > useful:-)
>
> If the server is used with xdm, the suid bit is not required. And some
> people don't need a high level of security - after all no
> vulnerability has been found in the X server yet :-)

Incorrect - there was a local root hole precisely because the 4.0 server
lost the wrapper which used to be there in 3.3.6 and performed input
validation. xwrapper doesn't have any downsides - it just restores the
3.3.6 behaviour which was removed by the developers.

As it stands the port won't be useful out of the box unless the user
a) runs xdm, b) runs it as root, which increases the impact of any runtime
security holes in things they run, like "desktop environments", or
c) adds back the setuid bit and defeats the purpose of the commit.

> > Don't forget to do the XFree86-4-Server ports too (weren't we planning
> > to make XFree86-4 into a metaport around these other ones so these
> > changes only need to be applied once?)
>
> I am not the maintainer of the XFree86-4-Server ports :-)
> [Cc'ed: to Taguchi Takeshi]

IMO, that is a problem - I think there have been other important changes
to the XFree86-4 port which have not been mirrored in the fragment ports.

Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
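The message above turns on one design point: a setuid-root X server hands every command-line option to an unprivileged caller, while a small setuid wrapper that validates the arguments and then execs a non-setuid server binary exposes only the wrapper's checks. The C program below is an added illustration of that wrapper pattern; it is not the code of the FreeBSD x11/wrapper port, of XFree86 3.3.6, or of anyone in this thread. The server path, the allowlisted options and the rejected ones are assumptions chosen for the example, not the port's actual policy.

```c
/* Illustrative setuid-root X server wrapper (hypothetical example, not the
 * x11/wrapper port's code).  The server binary itself is installed mode
 * 0755; only this program is setuid root.  It refuses any command line
 * that would let an unprivileged caller choose files the root-privileged
 * server reads, loads or writes, then execs the real server. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed install location of the real, non-setuid server binary. */
#define XSERVER_PATH "/usr/X11R6/bin/XFree86"

/* Returns 1 if s is prefix followed by one or more decimal digits and
 * nothing else, e.g. ":0" or "vt7". */
static int prefixed_number(const char *s, const char *prefix)
{
    size_t n = strlen(prefix);
    if (strncmp(s, prefix, n) != 0 || s[n] == '\0')
        return 0;
    for (s += n; *s != '\0'; s++)
        if (!isdigit((unsigned char)*s))
            return 0;
    return 1;
}

/* Allowlist policy (assumed for this example): a display name, a virtual
 * terminal, a few harmless flags, and -auth with an absolute path the
 * caller can read.  Anything else is rejected; that covers options such
 * as -config, -xf86config, -modulepath and -logfile, with which the
 * caller would pick what the server opens, loads or writes as root. */
static int validate_args(int argc, char *const argv[])
{
    int i;
    for (i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (prefixed_number(a, ":") || prefixed_number(a, "vt"))
            continue;
        if (strcmp(a, "-terminate") == 0 || strcmp(a, "-once") == 0 ||
            strcmp(a, "-quiet") == 0)
            continue;
        if (strcmp(a, "-nolisten") == 0 && i + 1 < argc &&
            strcmp(argv[i + 1], "tcp") == 0) {
            i++;
            continue;
        }
        if (strcmp(a, "-auth") == 0 && i + 1 < argc) {
            /* access(2) tests against the *real* uid, so the caller may
             * only hand the server an authority file it could read itself.
             * (This is a check-then-use window; the server should still
             * open the file carefully.) */
            if (argv[i + 1][0] != '/' || access(argv[i + 1], R_OK) != 0)
                return 0;
            i++;
            continue;
        }
        return 0;   /* unknown or dangerous option: refuse */
    }
    return 1;
}

int main(int argc, char *argv[])
{
    if (!validate_args(argc, argv)) {
        fprintf(stderr, "%s: refusing option not in the wrapper allowlist\n",
                argv[0]);
        return 1;
    }
    /* Fixed path, no PATH lookup; the checked argument vector is passed
     * through and the server inherits the wrapper's effective uid (root). */
    argv[0] = XSERVER_PATH;
    execv(XSERVER_PATH, argv);
    perror("execv");
    return 1;
}
```

The allowlist is the point: a denylist of known-bad options has to be kept in step with every new server flag, whereas rejecting everything not explicitly permitted fails closed when the server grows a new file-opening option.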
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001028172651.A85789>