Debian Bug report logs - #7112
xterm: xterm is setuid root


Package: xterm; Maintainer for xterm is Debian X Strike Force <debian-x@lists.debian.org>; Source for xterm is src:xterm.

Reported by: Matt Zimmerman <mdz@csh.rit.edu>

Date: Tue, 4 Feb 1997 20:03:03 UTC

Severity: normal

Fixed in version xfree86-1/3.3.4-1

Done: Branden Robinson <branden@ecn.purdue.edu>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Stephen Early <sde1000@debian.org>:
Bug#7112; Package xbase. Full text and rfc822 format available.

Acknowledgement sent to Bo Branten <bosse@ing.umu.se>:
New bug report received and forwarded. Copy sent to Stephen Early <sde1000@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Bo Branten <bosse@ing.umu.se>
To: submit@bugs.debian.org
Subject: xterm is unnecessarily suid to root
Date: Tue, 4 Feb 1997 20:51:23 +0100 (MET)
Package: xbase
Version: 3.2-1.1

In Debian xterm is suid to root. There is no reason for that, since it can
get write access to the needed log files (/var/log/wtmp, /var/log/lastlog
and /var/run/utmp) with a proper sgid and group write access for the
log files.

A program should never be suid if it can be done with just sgid.


	/Bo Branten




Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Early <sde1000@debian.org>:
Bug#7112; Package xbase. Full text and rfc822 format available.

Acknowledgement sent to Ian Jackson <ian@chiark.greenend.org.uk>:
Extra info received and forwarded to list. Copy sent to Stephen Early <sde1000@debian.org>. Full text and rfc822 format available.

Message #10 received at 7112@bugs.debian.org (full text, mbox):

From: Ian Jackson <ian@chiark.greenend.org.uk>
To: 7112@bugs.debian.org
Subject: Bug#7112: xterm is unnecessarily suid to root
Date: Fri, 7 Feb 97 18:59 GMT
Bo Branten:
> In Debian xterm is suid to root. There is no reason for that, since it can
> get write access to the needed log files (/var/log/wtmp, /var/log/lastlog
> and /var/run/utmp) with a proper sgid and group write access for the
> log files.

No, xterm needs to be setuid root in order to do tty/pty allocation in
a way that results in a secure session inside the xterm.

When a general solution to this problem is available then xterm should
use it, but until then it should remain setuid root.

I'm retitling this bug and merging it with #988, in which I reported
that `script' is insecure (because it isn't setuid root - and isn't
written to be - and so can't do proper pty allocation).

Ian.


Changed bug title. Request was from Ian Jackson <ian@chiark.greenend.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reassigned from package `xbase' to `general'. Request was from Ian Jackson <ian@chiark.greenend.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 988 7112. Request was from Ian Jackson <ian@chiark.greenend.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-devel@lists.debian.org:
Bug#7112; Package general. Full text and rfc822 format available.

Acknowledgement sent to remco@blaakmeer.student.utwente.nl (Remco Blaakmeer):
Extra info received and forwarded to maintainer. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Message #21 received at 7112-maintonly@bugs.debian.org (full text, mbox):

From: remco@blaakmeer.student.utwente.nl (Remco Blaakmeer)
To: 7112-maintonly@bugs.debian.org
Subject: Old bugs need to be looked at
Date: Sun, 1 Feb 1998 12:30:52 +0100 (CET)
This is an automated message sent to all bugs older than one year.

This bug is very old. Please take a look at it and see if you can fix it.
If it has already been fixed, please close it.

If you have problems fixing it or if you don't have the time to fix it,
please ask the people on debian-devel@lists.debian.org for help, so that
at least the oldest bugs can be solved before Debian 2.0 is released.

Remco Blaakmeer


Disconnected #7112 from all other report(s). Request was from Brian White <bcwhite@verisim.com> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#7112; Package general. Full text and rfc822 format available.

Acknowledgement sent to Brian White <bcwhite@verisim.com>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Message #28 received at 7112@bugs.debian.org (full text, mbox):

From: Brian White <bcwhite@verisim.com>
To: 7112@bugs.debian.org, xbase@packages.debian.org
Cc: control@bugs.debian.org
Subject: bug reassignment
Date: Thu, 19 Feb 1998 14:58:35 -0500
reassign 7112 xbase
-- 

This bug was assigned to "general" and hence was getting completely
forgotten about.  I'm reassigning it back to xbase, since that is where
the complaint lies.  If this has been solved, please close this bug.

                                          Brian
                                 ( bcwhite@verisim.com )

-------------------------------------------------------------------------------
       Touch passion when it comes your way.  It's rare enough as it is;
       don't walk away when it calls you by name.  -- Marcus (Babylon 5)




Bug reassigned from package `general' to `xbase'. Request was from Brian White <bcwhite@verisim.com> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reassigned from package `xbase' to `xterm'. Request was from Branden Robinson <branden@ecn.purdue.edu> to control@bugs.debian.org. Full text and rfc822 format available.

Changed bug title. Request was from Branden Robinson <branden@ecn.purdue.edu> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Branden Robinson <branden@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Bo Branten <bosse@ing.umu.se>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #39 received at 7112-close@bugs.debian.org (full text, mbox):

From: Branden Robinson <branden@debian.org>
To: 7112-submitter@bugs.debian.org
Subject: Bug#7112: fixed in xfree86-1 3.3.4-1
Date: 27 Aug 1999 18:56:02 -0000
We believe that the bug you reported is fixed in the latest version of
xfree86-1, which has been installed in the Debian FTP archive:
xlib6g_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xlib6g_3.3.4-1.deb
  replacing xlib6g_3.3.3.1-10.deb
xserver-svga_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xserver-svga_3.3.4-1.deb
  replacing xserver-svga_3.3.3.1-10.deb
xserver-mach8_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xserver-mach8_3.3.4-1.deb
  replacing xserver-mach8_3.3.3.1-10.deb
xterm_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xterm_3.3.4-1.deb
  replacing xterm_3.3.3.1-10.deb
xfs_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xfs_3.3.4-1.deb
  replacing xfs_3.3.3.1-10.deb
xlib6-altdev_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/oldlibs/xlib6-altdev_3.3.4-1.deb
  replacing xlib6-altdev_3.3.3.1-10.deb
xvfb_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xvfb_3.3.4-1.deb
  replacing xvfb_3.3.3.1-10.deb
xsm_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xsm_3.3.4-1.deb
  replacing xsm_3.3.3.1-10.deb
twm_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/twm_3.3.4-1.deb
  replacing twm_3.3.3.1-10.deb
xserver-mach32_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xserver-mach32_3.3.4-1.deb
  replacing xserver-mach32_3.3.3.1-10.deb
xproxy_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xproxy_3.3.4-1.deb
  replacing xproxy_3.3.3.1-10.deb
xserver-agx_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xserver-agx_3.3.4-1.deb
  replacing xserver-agx_3.3.3.1-10.deb
xserver-mach64_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xserver-mach64_3.3.4-1.deb
  replacing xserver-mach64_3.3.3.1-10.deb
xserver-i128_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xserver-i128_3.3.4-1.deb
  replacing xserver-i128_3.3.3.1-10.deb
xbase_3.3.4-1_all.deb
  to dists/potato/main/binary-all/x11/xbase_3.3.4-1.deb
  replacing xbase_3.3.3.1-10.deb
rstartd_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/rstartd_3.3.4-1.deb
  replacing rstartd_3.3.3.1-10.deb
xlib6_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/oldlibs/xlib6_3.3.4-1.deb
  replacing xlib6_3.3.3.1-10.deb
xfree86-1_3.3.4-1.dsc
  to dists/potato/main/source/x11/xfree86-1_3.3.4-1.dsc
  replacing xfree86-1_3.3.3.1-10.dsc
xfree86-common_3.3.4-1_all.deb
  to dists/potato/main/binary-all/x11/xfree86-common_3.3.4-1.deb
  replacing xfree86-common_3.3.3.1-10.deb
xmh_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/mail/xmh_3.3.4-1.deb
  replacing xmh_3.3.3.1-10.deb
xprt_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xprt_3.3.4-1.deb
  replacing xprt_3.3.3.1-10.deb
xserver-8514_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xserver-8514_3.3.4-1.deb
  replacing xserver-8514_3.3.3.1-10.deb
xbase-clients_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xbase-clients_3.3.4-1.deb
  replacing xbase-clients_3.3.3.1-10.deb
xnest_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xnest_3.3.4-1.deb
  replacing xnest_3.3.3.1-10.deb
xserver-3dlabs_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xserver-3dlabs_3.3.4-1.deb
  replacing xserver-3dlabs_3.3.3.1-10.deb
xserver-mono_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xserver-mono_3.3.4-1.deb
  replacing xserver-mono_3.3.3.1-10.deb
xserver-p9000_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xserver-p9000_3.3.4-1.deb
  replacing xserver-p9000_3.3.3.1-10.deb
xlib6g-dev_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xlib6g-dev_3.3.4-1.deb
  replacing xlib6g-dev_3.3.3.1-10.deb
xserver-s3v_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xserver-s3v_3.3.4-1.deb
  replacing xserver-s3v_3.3.3.1-10.deb
xserver-w32_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xserver-w32_3.3.4-1.deb
  replacing xserver-w32_3.3.3.1-10.deb
xlib6-static_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/oldlibs/xlib6-static_3.3.4-1.deb
  replacing xlib6-static_3.3.3.1-10.deb
xfree86-1_3.3.4-1.diff.gz
  to dists/potato/main/source/x11/xfree86-1_3.3.4-1.diff.gz
  replacing xfree86-1_3.3.3.1-10.diff.gz
xf86setup_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xf86setup_3.3.4-1.deb
  replacing xf86setup_3.3.3.1-10.deb
rstart_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/rstart_3.3.4-1.deb
  replacing rstart_3.3.3.1-10.deb
xlib6g-static_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xlib6g-static_3.3.4-1.deb
  replacing xlib6g-static_3.3.3.1-10.deb
xserver-vga16_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xserver-vga16_3.3.4-1.deb
  replacing xserver-vga16_3.3.3.1-10.deb
xserver-s3_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xserver-s3_3.3.4-1.deb
  replacing xserver-s3_3.3.3.1-10.deb
xserver-fbdev_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xserver-fbdev_3.3.4-1.deb
  replacing xserver-fbdev_3.3.3.1-10.deb
xserver-common_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xserver-common_3.3.4-1.deb
  replacing xserver-common_3.3.3.1-10.deb
xfree86-1_3.3.4.orig.tar.gz
  to dists/potato/main/source/x11/xfree86-1_3.3.4.orig.tar.gz
  replacing xfree86-1_3.3.3.1.orig.tar.gz
xdm_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xdm_3.3.4-1.deb
  replacing xdm_3.3.3.1-10.deb
xext_3.3.4-1_i386.deb
  to dists/potato/main/binary-i386/x11/xext_3.3.4-1.deb
  replacing xext_3.3.3.1-10.deb

Note that this package is not part of the released stable Debian
distribution.  It may have dependencies on other unreleased software,
or other instabilities.  Please take care if you wish to install it.
The update will eventually make its way into the next released Debian
distribution.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 7112@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Branden Robinson <branden@debian.org> (supplier of updated xfree86-1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----

Format: 1.6
Date: Wed, 25 Aug 1999 21:16:27 -0500
Source: xfree86-1
Binary: xfree86-common xserver-i128 xserver-common xlib6 xext xserver-xsun xserver-svga xmh xprt xserver-8514 xterm xbase xserver-p9000 xsm xserver-tga twm xlib6g-dev xlib6-static xserver-agx xf86setup xserver-mach64 rstart xserver-vga16 xlib6g-static xserver-s3 xserver-fbdev rstartd xdm xlib6g xserver-mach8 xserver-xsun24 xserver-xsun-mono xfs xnest xlib6-altdev xbase-clients xserver-3dlabs xserver-mono xvfb xserver-w32 xserver-s3v xserver-mach32 xproxy
Architecture: source i386 all
Version: 3.3.4-1
Distribution: unstable
Urgency: low
Maintainer: Branden Robinson <branden@debian.org>
Description: 
 rstart     - remote start client
 rstartd    - remote start daemon
 twm        - Tab window manager
 xbase      - XFree86 upgrade convenience package
 xbase-clients - miscellaneous X clients
 xdm        - X display manager
 xext       - extensions to X servers
 xf86setup  - X server configuration tools
 xfree86-common - X Window System (XFree86) infrastructure
 xfs        - X font server
 xlib6      - shared libraries required by libc5 X clients
 xlib6-altdev - include files and libraries for libc5 X client development
 xlib6-static - statically linked versions of the libraries in xlib6
 xlib6g     - shared libraries required by X clients
 xlib6g-dev - include files and libraries for X client development
 xlib6g-static - statically linked versions of the libraries in xlib6g
 xmh        - X interface to MH mail system
 xnest      - nested X server
 xproxy     - X proxy services
 xprt       - X print server
 xserver-3dlabs - X server for 3DLabs GLINT and Permedia-based graphics cards
 xserver-8514 - X server for ATI 8514/A-based graphics cards
 xserver-agx - X server for IBM XGA and IIT AGX-based graphics cards
 xserver-common - files and utilities common to all X servers
 xserver-fbdev - X server for framebuffer-based graphics drivers
 xserver-i128 - X server for Number Nine Imagine 128 graphics cards
 xserver-mach32 - X server for ATI Mach32-based graphics cards
 xserver-mach64 - X server for ATI Mach64-based graphics cards
 xserver-mach8 - X server for ATI Mach8-based graphics cards
 xserver-mono - X server for monochrome graphics cards and/or monitors
 xserver-p9000 - X server for Weitek P9000-based graphics cards
 xserver-s3 - X server for S3 chipset-based graphics cards
 xserver-s3v - X server for S3 ViRGE and ViRGE/VX-based graphics cards
 xserver-svga - X server for SVGA graphics cards
 xserver-vga16 - X server for VGA graphics cards
 xserver-w32 - X server for Tseng ET4000/W32 and ET6000-based graphics cards
 xsm        - X session manager
 xterm      - X terminal emulator
 xvfb       - virtual framebuffer X server
Closes: 7112 16350 28582 33129 41229 41375 42536 42606
Changes: 
 xfree86-1 (3.3.4-1) unstable; urgency=low
 .
   * New upstream version.
   * Upstream moved the X library manpages to the second source tarball, so
     this source package no longer builds the xmanpages package.
   * patches #000,000a,001,004,005,006,007,013,014 regenerated against new
     upstream source (000-007 thanks to Adam Heath)
   * old patches #002,003,012,016,017,018,019 are now upstream; deleted
   * old patch #011 now unneeded (xterm now setgid utmp)
   * old patch #015 dropped; upstream now recognizes ru_SU locale as
     obsolete; not sure if ru_SU should really be an alias for ru_RU.KOI8-R
     anyway
   * old patch #018a dropped due to changes in upstream mach64im.c
   * patch #000a: explicitly turn off 77C32 accelerated framebuffer support
     for m68k
   * patch #000b: do not attempt to build in the doc/ or fonts/ directories
   * patch #001a: started to split non-server SPARC Linux support patches off
   * patch #008: re-generated against new upstream source; dropped patches
     to mach64im.c; endianness awareness is now present upstream, though
     implemented differently
   * patch #009: Tom Dickey's xterm patch #113
   * patch #011: changed Imakefiles to work around alleged egcs optimization
     breakage of netscape (Adam Heath)
   * patch #012: more careful handling of xauth cookies (Closes: #16350)
   * patch #015: renumbered from 018b
   * patch #016: renumbered from 020
   * patch #017: renumbered from 021 and un-preprocessed
   * patch #018: renumbered from 022
   * patch #019: renumbered from 023
   * patch #020: renumbered from 024
   * patch #021: patch from Ryuichi Arafune to xc/lib/X11/imDefIm.c
   * patch #022: patch from Changwoo Ryu to xc/nls/XLC_LOCALE/ko
   * patch #023: correct paths to utmp and wtmp files in xterm manpage
     (Closes: #41229)
   * debian/control:
     - removed xmanpages control data
     - bumped all dependencies on xserver-common to (>= 3.3.4)
     - twm Provides: x-window-manager (Closes: #28582)
     - xbase-clients Depends: cpp (xrdb needs it) (Closes: #42606)
     - xbase-clients Conflicts: xaw-wrappers (<< 0.90) per Joey Hess
       (Closes: #41375)
     - updated xext extended description with new supported XInput devices
     - xfree86-common Replaces: xmanpages (<< 3.3.4-1)
     - xterm Provides: x-terminal-emulator (Closes: #33129)
   * debian/copyright:
     - updated to version 3.3.4
     - All changes to XFree86 are copyright Software in the Public Interest,
       Inc., and licensed under MIT terms unless otherwise noted.
   * debian/create-indep-xfree86-common:
     - install X, XConsortium, XStandards, and Xsecurity manpages borrowed
       from xfree86-2 source package
     - get rid of X.1x manpage; it's fine as X.3x
   * debian/create-indep-xmanpages: deleted
   * debian/libc5.{Imakefile,site.def,xfree86.cf}.diff: new files; new way
     of handling build changes for libc5 compatibility packages
   * debian/libc5.site.def.diff: #define BaseShLibReqs -lc even though the
     comments in config/cf/lnxLib.rules say not to; the omission is actually
     for pathological cases like people trying to use X clients with shared
     profiling versions of libc5; since that is really damn unlikely on
     potato Debian boxen, and since we need the linker to find the right C
     Library in our multiple-libc environment, we go where angels fear to
     tread and switch on -lc for the libc5-compatibility X libraries.
     Besides, turning on -lc is Policy.
   * debian/rules:
     - s/\$\(dpkg/$(shell dpkg/ ARCH handling has been busted for ages because
       of this (Adam Heath)
     - New DEB_BUILD_* cross-compiling setup was messing up the tests for
       building libc5.  Fixed in debian/scripts/archmap.  archmap is only
       used to simplify the tests in the rules file for libc5 builds.  Also,
       for unknown hysterical reasons, DEB_BUILD_* uses i386, but we need
       /usr/i486-linuxlibc1/bin, and archmap takes care of this. (Adam Heath)
     - conditionalized some copying of xterm stuff so it doesn't presume Thomas
       Dickey's patches have been applied
     - stampdir targets should only depend on other stampdir targets (Adam
       Heath)
     - copy and patch files that need to change for the libc5 build, instead
       of the old way of having old files lying around in debian/
   * debian/setperms: removed reference to create-indep-xmanpages
   * debian/shlibs.local: bumped up to 3.3.4-1
   * debian/scripts/*: some cosmetic and very minor functional changes
   * debian/twm/postinst: add update-alternatives for x-window-manager
   * debian/twm/prerm: new file; add update-alternatives for x-window-manager
   * debian/xbase-clients/prerm: new file; moved update-alternatives call
     from postrm to here
   * debian/xdm/README.Debian: updated to reflect Xaccess change
   * debian/xdm/Xaccess: turned off all remote XDMCP access by default, for
     paranoid security reasons; this will not affect people running xdm and
     the X server on the same physical host
   * debian/xfree86-common/FAQ:
     - updated Project Athena info, thanks to Kevin Theobald
     - added question about X servers that can't find the "fixed" font
   * debian/xfree86-common/XFree86-FAQ.html: updated to latest version
   * debian/xfree86-common/{X,XConsortium,XStandards,Xsecurity}.3x: manpages
     borrowed from xfree86-2 source package
   * debian/xfree86-common/Xsession: updated to use new alternatives
     /usr/bin/x-window-manager and /usr/bin/x-terminal-emulator
   * debian/xfree86-common/Xsession.5: update to reflect new Xsession
     behavior
   * debian/{xlib6,xlib6g}/shlibs: bumped up to 3.3.4-1
   * debian/xserver-common/xserver-configure: fixed failure to actually
     prompt whether the X server worked or not (thanks, Darren Stadler)
     (Closes: #42536)
   * debian/xterm/postinst:
     - for systems with utmp group, install xterm setgid utmp, otherwise
       setuid root (Closes: #7112,12261)
     - add update-alternatives for x-terminal-emulator
   * debian/xterm/prerm: add update-alternatives for x-terminal-emulator
Files: 
 db98665bfa096bc725dc023341a3644e 1117 x11 optional xfree86-1_3.3.4-1.dsc
 e525fcd309db4e16f80f47b4a6b774e6 16953992 x11 optional xfree86-1_3.3.4.orig.tar.gz
 917c5efdbb8f5dc74f25521eb26e9762 690017 x11 optional xfree86-1_3.3.4-1.diff.gz
 d061cfaa1d7fd85ccbbe3adade998fe4 40486 x11 optional rstart_3.3.4-1_i386.deb
 d2762389362c0a1e911b376fd9260ddf 51256 x11 optional rstartd_3.3.4-1_i386.deb
 4a9ddff54d88c21cede4cc2ed356c286 117778 x11 optional twm_3.3.4-1_i386.deb
 f62915fb44aa30352205046e08f45037 944440 x11 optional xbase-clients_3.3.4-1_i386.deb
 7c7ab68e84093587d8d325312d056495 109706 x11 optional xdm_3.3.4-1_i386.deb
 bd0410f217d1259df9ddabb771b2db3b 455064 x11 optional xext_3.3.4-1_i386.deb
 2d5d0f3eaf7239ebbf6b3b54228dfa73 221470 x11 optional xf86setup_3.3.4-1_i386.deb
 b865e9f5ca0a797008bc8c94d0466e02 189508 x11 optional xfs_3.3.4-1_i386.deb
 c8ea16580662b044b4f7729f73b5aa28 975816 x11 standard xlib6g_3.3.4-1_i386.deb
 ca90c784549fb849794e022d90a75f60 1540530 x11 optional xlib6g-dev_3.3.4-1_i386.deb
 4eabc14e7978a6e3920afebd16b01caf 15081580 x11 optional xlib6g-static_3.3.4-1_i386.deb
 c33aac2f24647ffc063852e18392f146 101628 mail extra xmh_3.3.4-1_i386.deb
 d02e0e35bc9e2dec6f781c2d393891bc 493996 x11 optional xnest_3.3.4-1_i386.deb
 1d96306a7f7e9496245b200c3fd8b3ee 128992 x11 optional xproxy_3.3.4-1_i386.deb
 c073f99366844e601300d9bdb76ea44f 1078214 x11 optional xprt_3.3.4-1_i386.deb
 708bf6c6f99c962bacca69e643d3a94d 419824 x11 optional xserver-common_3.3.4-1_i386.deb
 80c5cce1a91b56f6ec8e2a5e130fefbd 903124 x11 optional xserver-3dlabs_3.3.4-1_i386.deb
 1edc4c9609570c376ee011caf6478931 721062 x11 optional xserver-8514_3.3.4-1_i386.deb
 9059a9979b35372725a29aae327fbdee 795264 x11 optional xserver-agx_3.3.4-1_i386.deb
 106978b6c22318d7ee4777757020cc18 828140 x11 optional xserver-fbdev_3.3.4-1_i386.deb
 be014e5b103c81617de97a53cca3235d 891760 x11 optional xserver-i128_3.3.4-1_i386.deb
 9fdecce4e6257140786a5f2f749b3151 782858 x11 optional xserver-mach32_3.3.4-1_i386.deb
 aadccec193cb1e5774bd10b064da7580 829098 x11 optional xserver-mach64_3.3.4-1_i386.deb
 f82f9bcb77df7cb7c4389573713ce81a 724346 x11 optional xserver-mach8_3.3.4-1_i386.deb
 e54f019b212567f11f61a0bbbfafbcdc 778506 x11 optional xserver-mono_3.3.4-1_i386.deb
 fd173e0eaed8d7c3cd200d8dc1676cb5 804288 x11 optional xserver-p9000_3.3.4-1_i386.deb
 3f523948f5a5e0e3f9a47ff1150bbdc3 990640 x11 optional xserver-s3_3.3.4-1_i386.deb
 8943f57267adc4360eca68e99161cc9d 889732 x11 optional xserver-s3v_3.3.4-1_i386.deb
 60edc1b2b585a87437a60a29dc427073 1285576 x11 optional xserver-svga_3.3.4-1_i386.deb
 9fdfcf55ea93dfeab78e89174534fdbb 788250 x11 optional xserver-vga16_3.3.4-1_i386.deb
 d727728c528821b15a05671a4c6654df 737522 x11 optional xserver-w32_3.3.4-1_i386.deb
 ee79f87f7542199645f10e33751cada4 83160 x11 optional xsm_3.3.4-1_i386.deb
 754fd8f3260b4167a5bffa4ea67da955 303754 x11 optional xterm_3.3.4-1_i386.deb
 591ed46288ff65bdebbb481200d766bd 1063056 x11 optional xvfb_3.3.4-1_i386.deb
 49de4909d9e81b23c14e841a24c3b1c3 39938 oldlibs extra xbase_3.3.4-1_all.deb
 53a0bf3cd61470a0de76eb9b9b0d0302 264740 x11 standard xfree86-common_3.3.4-1_all.deb
 6dd773eab3d1db3066927f97dd57d274 773382 oldlibs optional xlib6_3.3.4-1_i386.deb
 e73f71f4351c20715963e77cf6a97082 1289410 oldlibs optional xlib6-altdev_3.3.4-1_i386.deb
 0da6bc77e5c0b54c328fd8cee48e3a39 13636594 oldlibs optional xlib6-static_3.3.4-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBN8X+yaiRn0nSNFD5AQHDsQP/QrJi2sk0MD3OHVhtFJUz0YTUeuudt/WC
5OtXdY3LUPZIAK1X37Gezz36I+gS9ucwS6lD5f3SJ2RM8iOtKT15v5MzaM82kRfz
huWa6wZm83HQ+Xw1YlacMIvIkuLoImWOnAk7A+z2p0tmQyKGvnm4bzXu4ZL2Frly
x0ifW39fzts=
=7kF9
-----END PGP SIGNATURE-----



Message sent on to Bo Branten <bosse@ing.umu.se>:
Bug#7112. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Branden Robinson <branden@debian.org>:
Bug#7112; Package xterm. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@csh.rit.edu>:
Extra info received and forwarded to list. Copy sent to Branden Robinson <branden@debian.org>. Full text and rfc822 format available.

Message #47 received at 7112@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@csh.rit.edu>
To: 7112@bugs.debian.org
Cc: control@bugs.debian.org
Subject: xterm setuid-ness
Date: Sun, 29 Aug 1999 03:17:53 -0400
reopen 7112 !
thanks

I noticed today that xterm on my system (Version: 3.3.4-1) is setuid
root:

-rwsr-xr-x   1 root     root       182160 Aug 26 19:50 /usr/bin/X11/xterm

From /usr/doc/xterm/README.Debian:

--

Debian README for xterm package

By Branden Robinson

As of version 3.3.4-1, xterm logs to the wtmp and lastlog files.  If you do
not have a utmp group on your system, xterm will be installed setuid root
instead of setgid utmp.  xterm drops its root privileges after it
initializes, so if it is setuid this can result in corrupt wtmp entries.
The best thing to do is make a utmp group in /etc/group, or upgrade to
version 2.0.3.4 or later of the base-passwd package, so that you have a
utmp group.

--

I do have a utmp group on my system, yet xterm is still setuid root.  xterm's
postinst contains the following snippet:

# if utmp group exists, take advantage of it
if members utmp; then
  XTERM_MODE=2755
  XTERM_GROUP=utmp
else
  XTERM_MODE=4755
  XTERM_GROUP=root
fi

I have no 'members' program on my system, nor do I know of one, so apparently
the script is deciding that I have no utmp group.

-- 
 - Matt


Bug reopened, originator set to Matt Zimmerman <mdz@csh.rit.edu>. Request was from Matt Zimmerman <mdz@csh.rit.edu> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Branden Robinson <branden@debian.org>:
Bug#7112; Package xterm. Full text and rfc822 format available.

Acknowledgement sent to Branden Robinson <branden@ecn.purdue.edu>:
Extra info received and forwarded to list. Copy sent to Branden Robinson <branden@debian.org>. Full text and rfc822 format available.

Message #54 received at 7112@bugs.debian.org (full text, mbox):

From: Branden Robinson <branden@ecn.purdue.edu>
To: Matt Zimmerman <mdz@csh.rit.edu>, 7112@bugs.debian.org
Subject: Re: Bug#7112: xterm setuid-ness
Date: Sun, 29 Aug 1999 14:38:36 -0400
On Sun, Aug 29, 1999 at 03:17:53AM -0400, Matt Zimmerman wrote:
> reopen 7112 !
> thanks

Please don't reopen the bug.

> I have no 'members' program on my system, nor do I know of one, so apparently
> the script is deciding that I have no utmp group.

Yes, that was my mistake, and will be fixed in the version I build today.

I went temporarily insane and assumed that a program as fundamental as
"members" was in an Essential package.

I will write an alternative method for grepping the utmp file for folks who
don't have members, and only then fallback to setuid root.

-- 
G. Branden Robinson              |    The greatest productive force is human
Debian GNU/Linux                 |    selfishness.
branden@ecn.purdue.edu           |    -- Robert Heinlein
cartoon.ecn.purdue.edu/~branden/ |
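The decision Branden describes above, written out as an added example; this is not the Debian xterm postinst or any Debian script. It replaces the `members utmp` test (which fails closed to setuid root whenever the non-Essential members(1) program is absent, exactly what Matt hit) with a check that uses getent(1) when available and otherwise parses the group(5) file directly. The optional GROUPFILE parameter and the sample group file are assumptions added so the logic can be exercised against constructed input; the utmp gid 43 in the sample is likewise made up. The second function reports the setuid/setgid bits of an installed binary, the check Matt did by eye with ls -l.

```shell
#!/bin/sh
# Added example, not the Debian xterm postinst. Decide whether xterm
# should be installed setgid utmp (2755) or setuid root (4755) from
# whether a "utmp" group exists, without depending on members(1).

# group_exists NAME [GROUPFILE]
#   Exit 0 if NAME is a group. With the default /etc/group, prefer
#   getent(1) when present so NIS/LDAP groups are seen too; otherwise
#   parse the group(5) file directly. GROUPFILE is a hypothetical
#   parameter added here so the check can run against a constructed file.
group_exists() {
    name=$1
    groupfile=${2:-/etc/group}
    if [ "$groupfile" = /etc/group ] && command -v getent >/dev/null 2>&1; then
        getent group "$name" >/dev/null 2>&1
        return $?
    fi
    # Field 1 of group(5) is the group name; require an exact match
    # (a plain "grep utmp" would also match "utmpd" or a member list).
    awk -F: -v g="$name" '$1 == g { found = 1 } END { exit !found }' "$groupfile"
}

# xterm_mode [GROUPFILE]
#   Print "MODE GROUP": least privilege (setgid utmp) when a utmp group
#   exists, the setuid-root fallback otherwise.
xterm_mode() {
    if group_exists utmp "$@"; then
        echo "2755 utmp"
    else
        echo "4755 root"
    fi
}

# privilege_bits FILE
#   Print which of the setuid/setgid bits are set on FILE, parsed from
#   the portable ls -l mode string: column 4 is "s"/"S" for setuid,
#   column 7 is "s"/"S" for setgid.
privilege_bits() {
    mode=$(ls -ld "$1" | cut -c1-10)
    u=$(printf '%s' "$mode" | cut -c4)
    g=$(printf '%s' "$mode" | cut -c7)
    out=""
    case $u in s|S) out=setuid ;; esac
    case $g in s|S) out=${out:+$out+}setgid ;; esac
    echo "${out:-none}"
}

# Stand-alone demonstration against a constructed group file and the
# real one on this host. Nothing is installed or chmod'ed here.
demo=$(mktemp -d)
printf 'root:x:0:\nutmp:x:43:\n' > "$demo/group"   # constructed sample
echo "constructed group file -> $(xterm_mode "$demo/group")"
echo "this host              -> $(xterm_mode)"
if [ -x /usr/bin/xterm ]; then
    echo "/usr/bin/xterm has: $(privilege_bits /usr/bin/xterm)"
fi
rm -rf "$demo"
```

Matching the group name field exactly matters: the README's intent is "install setgid utmp only if the utmp group really exists", and a loose grep would happily say yes for a group called utmpd or for any user listed as a member of some other group named something-utmp.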

Reply sent to Branden Robinson <branden@ecn.purdue.edu>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Matt Zimmerman <mdz@csh.rit.edu>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #59 received at 7112-done@bugs.debian.org (full text, mbox):

From: Branden Robinson <branden@ecn.purdue.edu>
To: 7112-done@bugs.debian.org
Subject: this should have been closed weeks ago
Date: Sun, 14 Nov 1999 13:23:31 -0500
This has been fixed for weeks.  People will reopen bugs at the drop of a
hat but they're seldom as quick to close them when they're fixed.  :-P

-- 
G. Branden Robinson              |      What influenced me to atheism was
Debian GNU/Linux                 |      reading the Bible cover to cover.
branden@ecn.purdue.edu           |      Twice.
cartoon.ecn.purdue.edu/~branden/ |      -- J. Michael Straczynski



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 05:13:43 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.