*BSD News Article 10015



Received: by minnie.vk1xwt.ampr.org with NNTP
	id AA6996 ; Fri, 15 Jan 93 16:08:03 EST
Xref: sserve comp.unix.bsd:10072 comp.windows.x.i386unix:306
Newsgroups: comp.unix.bsd,comp.windows.x.i386unix
Path: sserve!manuel.anu.edu.au!munnari.oz.au!uunet!zaphod.mps.ohio-state.edu!rpi!jfritz
From: jochen fritz <jfritz@rdrc.rpi.edu>
Subject: Re: xfree86 only works for root?
Message-ID: <h!f32hq@rpi.edu>
Sender: jfritz@ptolemy0.rdrc.rpi.edu
Nntp-Posting-Host: ptolemy0.rdrc.rpi.edu
Organization: Rensselaer Polytechnic Institute, Troy, NY
References: <MfIsYa600WBMM8XVtb@andrew.cmu.edu> <1j0q48INNmq1@matt.ksu.ksu.edu> <1993Jan17.143000.28887@cbnewsh.cb.att.com>
Date: Sun, 17 Jan 1993 22:25:32 GMT
Lines: 33

In article <1993Jan17.143000.28887@cbnewsh.cb.att.com> billc@pegasus.ATT.COM (Bill Carpenter) writes:
>  
                .
		.
		.
		.
>However, there are a couple of other options which may come in handy
>for those in places where it's less convenient to have yet another
>setUid program.
>
>[1]  On Suns and many other places, /etc/utmp is 0666 perms, so anyone
>can write into it.  I don't know what the security implications are,
>but it cures this xterm problem.
>
>[2]  There is an option for xterm to tell it to not bother trying to
>write in /etc/utmp.  I think it's "-ut", but I don't have the man page
>handy.  (On the other hand, my xterm can't write into /etc/utmp
>and I don't use that option.  Yet, my xterms run without complaining,
>so there may be something to that PTY stuff on your system after all.)
>
There is a third, and IMHO far more important reason: xterm will
chown the slave end of the pty (/dev/ttyp*).  This allows it to then
chmod the pty to rw--w--w-, so that only the user of the xterm can
read from it or send commands to the user's shell to be executed by
him.  This also prevents putting a trojan on the pty to snoop the
user's commands, and allows the user to chmod the terminal 700 if
others are causing problems.

-joe (jfritz@rdrc.rpi.edu)

-- 

-joe      (jfritz@rdrc.rpi.edu)
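
An added example, not part of the original post or of xterm: a small C check of the owner and mode of the terminal on stdin, reporting the conditions the reply above describes (a slave pty that was never chown'ed to the user, one that others can read, one that others can write). The function and flag names are this example's own.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Findings, OR-ed together (names are this example's own). */
enum {
    TTY_WRONG_OWNER  = 1 << 0, /* slave was never chown'ed to the user */
    TTY_OTHERS_READ  = 1 << 1, /* group/other may read: input can be snooped */
    TTY_OTHERS_WRITE = 1 << 2  /* group/other may write, as in rw--w--w- */
};

/* Compare a tty's owner and permission bits with what the user expects. */
int audit_tty(uid_t owner, mode_t mode, uid_t user)
{
    int f = 0;
    if (owner != user)              f |= TTY_WRONG_OWNER;
    if (mode & (S_IRGRP | S_IROTH)) f |= TTY_OTHERS_READ;
    if (mode & (S_IWGRP | S_IWOTH)) f |= TTY_OTHERS_WRITE;
    return f;
}

/* Render the nine permission bits in the ls-style form used in the post. */
char *mode_string(mode_t mode, char out[10])
{
    static const char sym[] = "rwxrwxrwx";
    for (int i = 0; i < 9; i++)
        out[i] = (mode & (0400 >> i)) ? sym[i] : '-';
    out[9] = '\0';
    return out;
}

int main(void)
{
    struct stat st;
    char buf[10];
    if (!isatty(STDIN_FILENO) || fstat(STDIN_FILENO, &st) != 0) {
        fprintf(stderr, "stdin is not a terminal\n");
        return 2;
    }
    int f = audit_tty(st.st_uid, st.st_mode, getuid());
    printf("owner uid %ld, mode %s\n", (long)st.st_uid, mode_string(st.st_mode, buf));
    if (f & TTY_WRONG_OWNER)  puts("not owned by you: it was never chown'ed to your uid");
    if (f & TTY_OTHERS_READ)  puts("readable by other users: input can be snooped");
    if (f & TTY_OTHERS_WRITE) puts("writable by other users: they can send text to this terminal");
    return (f & (TTY_WRONG_OWNER | TTY_OTHERS_READ)) ? 1 : 0;
}
```

Run it inside the terminal to be checked; it exits non-zero when the terminal is not owned by the caller or is readable by other users.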