Re: XFree86 insecurity

Czako Krisztian (slapic@FIDO.HU)
Sat, 22 Nov 1997 02:50:31 +0100

-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 21 Nov 1997, shegget wrote:

> Program: XF86_*, the XFree86 servers (XF86_SVGA, XF86_VGA16, ...)
> Version: Tested on XFree86 3.3.1 (current), 3.2.9 and 3.1.2.
> Other versions as well.
> OS: All

Except Debian Linux, where the X servers aren't setuid root!

> Impact: The XFree86 servers let you specify an alternate configuration
> file and do not check whether you have rights to read it.
> Any user can read files with root permissions.

One more reason to use Debian :)

On my Debian 1.3.1 + hamm upgarde (XFree86 3.3.1):
bash-2.00$ ls -l /usr/X11R6/bin/X*
- -rwsr-xr-x 1 root root 4728 Oct 18 06:58 /usr/X11R6/bin/X
- -rwxr-xr-x 1 root root 820544 Jun 20 16:41 /usr/X11R6/bin/XF86Setup
- -rwxr-xr-x 1 root root 2313580 Jul 17 15:33 /usr/X11R6/bin/XF86_S3
- -rwxr-xr-x 1 root root 1816864 Jun 20 16:41 /usr/X11R6/bin/XF86_VGA16

bash-2.00$ cd /usr/X11R6/bin/
bash-2.00$ ./X
X: you are not authorised to run the X server

bash-2.00$ dpkg -S /usr/X11R6/bin/X
xbase: /usr/X11R6/bin/X

So I suggest using this wrapper on all systems where possible.
Another solution can be running xdm, and make xdm to start the X server.
In this case you don't need the X server to be setuid root.

Slapic

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1

iQCVAgUBNHY6bD1bHc+WqbNdAQGRCgQAqFhmY0ZagWuLeOa9JbG1/CS+O00TiGBy
Y6FBAFtiR/Eem6/xA85XYgoI2b6gGlh3LyDNGmalLsk0moNI8yRfmNh6LNZAK2GB
PjbvoAg4CrQN3D3XTuEGuu7+M5D3yXaNz0ErvYDwAjBJRC45zJqWweQeKYezsaKn
9QjgCP7bw9Y=
=FDkj
-----END PGP SIGNATURE-----