--- cvsroot/rxvt-unicode/README.FAQ 2006/01/16 14:48:39 1.29 +++ cvsroot/rxvt-unicode/README.FAQ 2006/01/19 19:26:30 1.32 @@ -130,13 +130,14 @@ I am using Debian GNU/Linux and have a problem... The Debian GNU/Linux package of rxvt-unicode in sarge contains large - patches that considerably change the behaviour of rxvt-unicode. - Before reporting a bug to the original rxvt-unicode author please - download and install the genuine version - () and try to reproduce the - problem. If you cannot, chances are that the problems are specific - to Debian GNU/Linux, in which case it should be reported via the - Debian Bug Tracking System (use "reportbug" to report the bug). + patches that considerably change the behaviour of rxvt-unicode (but + unfortunately this notice has been removed). Before reporting a bug + to the original rxvt-unicode author please download and install the + genuine version () and try + to reproduce the problem. If you cannot, chances are that the + problems are specific to Debian GNU/Linux, in which case it should + be reported via the Debian Bug Tracking System (use "reportbug" to + report the bug). For other problems that also affect the Debian package, you can and probably should use the Debian BTS, too, because, after all, it's 
@@ -167,24 +168,21 @@ I need to make it setuid/setgid to support utmp/ptys on my OS, is this safe? - Likely not. While I honestly try to make it secure, and am probably - not bad at it, I think it is simply unreasonable to expect all of - freetype + fontconfig + xft + xlib + perl + ... + rxvt-unicode - itself to all be secure. Also, rxvt-unicode disables some options - when it detects that it runs setuid or setgid, which is not nice. - Besides, with the embedded perl interpreter the possibility for - security problems easily multiplies. - - Elevated privileges are only required for utmp and pty operations on - some systems (for example, GNU/Linux doesn't need any extra - privileges for ptys, but some need it for utmp support). It is - planned to mvoe this into a forked handler process, but this is not - yet done. - - So, while setuid/setgid operation is supported and not a problem on - your typical single-user-no-other-logins unix desktop, always - remember that its an awful lot of code, most of which isn't checked - for security issues regularly. + It should be, starting with release 7.1. You are encouraged to + properly install urxvt with privileges necessary for your OS now. + + When rxvt-unicode detects that it runs setuid or setgid, it will + fork into a helper process for privileged operations (pty handling + on some systems, utmp/wtmp/lastlog handling on others) and drop + privileges immediately. This is much safer than most other terminals + that keep privileges while running (but is more relevant to urxvt, + as it contains things as perl interpreters, which might be "helpful" + to attackers). + + This forking is done as the very first within main(), which is very + early and reduces possible bugs to initialisation code run before + main(), or things like the dynamic loader of your system, which + should result in very little risk. When I log-in to another system it tells me about missing terminfo data? 
The terminal description used by rxvt-unicode is not as widely @@ -582,7 +580,7 @@ You can specify separate locales for the input method and the rest of the terminal, using the resource "imlocale": - URxvt*imlocale: ja_JP.EUC-JP + URxvt.imlocale: ja_JP.EUC-JP Now you can start your terminal with "LC_CTYPE=ja_JP.UTF-8" and still use your input method. Please note, however, that you will not
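Review bot: In the Debian hunk (@@ -130,13 +130,14 @@), the added parenthetical "(but unfortunately this notice has been removed)" does not say which notice was removed or from where, so "this notice" can be read as referring to this FAQ paragraph itself. Suggest naming the notice and where it used to appear. Also, the parentheses after "genuine version" are empty in both the old and new lines as shown here; if a download location is meant to appear there, check that it survives in the generated README.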
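Review bot: In the setuid/setgid hunk (@@ -167,24 +168,21 @@), the new answer "It should be, starting with release 7.1" drops the old statement that rxvt-unicode "disables some options when it detects that it runs setuid or setgid" without saying whether that still holds, which someone installing with privileges needs to know. The text also says privileges are dropped immediately after the fork but not what the helper process keeps or what requests it accepts from the unprivileged side; since that is where the remaining exposure sits, one sentence on it would support the "very little risk" claim. Wording: "done as the very first within main()" is missing a noun ("the very first thing"), and "things as perl interpreters" should read "things such as perl interpreters".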
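Review bot: In the imlocale hunk (@@ -582,7 +580,7 @@), the switch from "URxvt*imlocale" to "URxvt.imlocale" changes the X resource binding from loose to tight with no explanation in the surrounding text. If this is a consistency fix, the other resource examples in the FAQ should use the same form in this commit; otherwise a short remark on why the tight binding is preferred here would help readers who copy the line.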