| … | |
… | |
| 165 | of encodings built-in that increase download times and are rarely |
165 | of encodings built-in that increase download times and are rarely |
| 166 | used). |
166 | used). |
| 167 | |
167 | |
| 168 | I need to make it setuid/setgid to support utmp/ptys on my OS, is this |
168 | I need to make it setuid/setgid to support utmp/ptys on my OS, is this |
| 169 | safe? |
169 | safe? |
| 170 | Likely not. While I honestly try to make it secure, and am probably |
170 | It should be, starting with release 7.1. You are encouraged to |
| 171 | not bad at it, I think it is simply unreasonable to expect all of |
171 | properly install urxvt with privileges necessary for your OS now. |
| 172 | freetype + fontconfig + xft + xlib + perl + ... + rxvt-unicode |
172 | |
| 173 | itself to all be secure. Also, rxvt-unicode disables some options |
|
|
| 174 | when it detects that it runs setuid or setgid, which is not nice. |
173 | When rxvt-unicode detects that it runs setuid or setgid, it will |
| 175 | Besides, with the embedded perl interpreter the possibility for |
174 | fork into a helper process for privileged operations (pty handling |
| 176 | security problems easily multiplies. |
175 | on some systems, utmp/wtmp/lastlog handling on others) and drop |
|
|
176 | privileges immediately. This is much safer than most other terminals |
|
|
177 | that keep privileges while running (but is more relevant to urxvt, |
|
|
178 | as it contains things as perl interpreters, which might be "helpful" |
|
|
179 | to attackers). |
| 177 | |
180 | |
| 178 | Elevated privileges are only required for utmp and pty operations on |
181 | This forking is done as the very first within main(), which is very |
| 179 | some systems (for example, GNU/Linux doesn't need any extra |
182 | early and reduces possible bugs to initialisation code run before |
| 180 | privileges for ptys, but some need it for utmp support). It is |
183 | main(), or things like the dynamic loader of your system, which |
| 181 | planned to mvoe this into a forked handler process, but this is not |
184 | should result in very little risk. |
| 182 | yet done. |
|
|
| 183 | |
|
|
| 184 | So, while setuid/setgid operation is supported and not a problem on |
|
|
| 185 | your typical single-user-no-other-logins unix desktop, always |
|
|
| 186 | remember that its an awful lot of code, most of which isn't checked |
|
|
| 187 | for security issues regularly. |
|
|
| 188 | |
185 | |
| 189 | When I log-in to another system it tells me about missing terminfo data? |
186 | When I log-in to another system it tells me about missing terminfo data? |
| 190 | The terminal description used by rxvt-unicode is not as widely |
187 | The terminal description used by rxvt-unicode is not as widely |
| 191 | available as that for xterm, or even rxvt (for which the same |
188 | available as that for xterm, or even rxvt (for which the same |
| 192 | problem often arises). |
189 | problem often arises). |
