| … | |
… | |
| 128 | When using the rxvtc client, the version displayed is that of the |
128 | When using the rxvtc client, the version displayed is that of the |
| 129 | daemon. |
129 | daemon. |
| 130 | |
130 | |
| 131 | I am using Debian GNU/Linux and have a problem... |
131 | I am using Debian GNU/Linux and have a problem... |
| 132 | The Debian GNU/Linux package of rxvt-unicode in sarge contains large |
132 | The Debian GNU/Linux package of rxvt-unicode in sarge contains large |
| 133 | patches that considerably change the behaviour of rxvt-unicode. |
133 | patches that considerably change the behaviour of rxvt-unicode (but |
| 134 | Before reporting a bug to the original rxvt-unicode author please |
134 | unfortunately this notice has been removed). Before reporting a bug |
| 135 | download and install the genuine version |
135 | to the original rxvt-unicode author please download and install the |
| 136 | (<http://software.schmorp.de#rxvt-unicode>) and try to reproduce the |
136 | genuine version (<http://software.schmorp.de#rxvt-unicode>) and try |
| 137 | problem. If you cannot, chances are that the problems are specific |
137 | to reproduce the problem. If you cannot, chances are that the |
| 138 | to Debian GNU/Linux, in which case it should be reported via the |
138 | problems are specific to Debian GNU/Linux, in which case it should |
| 139 | Debian Bug Tracking System (use "reportbug" to report the bug). |
139 | be reported via the Debian Bug Tracking System (use "reportbug" to |
|
|
140 | report the bug). |
| 140 | |
141 | |
| 141 | For other problems that also affect the Debian package, you can and |
142 | For other problems that also affect the Debian package, you can and |
| 142 | probably should use the Debian BTS, too, because, after all, it's |
143 | probably should use the Debian BTS, too, because, after all, it's |
| 143 | also a bug in the Debian version and it serves as a reminder for |
144 | also a bug in the Debian version and it serves as a reminder for |
| 144 | other users that might encounter the same issue. |
145 | other users that might encounter the same issue. |
| … | |
… | |
| 165 | of encodings built-in that increase download times and are rarely |
166 | of encodings built-in that increase download times and are rarely |
| 166 | used). |
167 | used). |
| 167 | |
168 | |
| 168 | I need to make it setuid/setgid to support utmp/ptys on my OS, is this |
169 | I need to make it setuid/setgid to support utmp/ptys on my OS, is this |
| 169 | safe? |
170 | safe? |
| 170 | Likely not. While I honestly try to make it secure, and am probably |
171 | It should be, starting with release 7.1. You are encouraged to |
| 171 | not bad at it, I think it is simply unreasonable to expect all of |
172 | properly install urxvt with privileges necessary for your OS now. |
| 172 | freetype + fontconfig + xft + xlib + perl + ... + rxvt-unicode |
173 | |
| 173 | itself to all be secure. Also, rxvt-unicode disables some options |
|
|
| 174 | when it detects that it runs setuid or setgid, which is not nice. |
174 | When rxvt-unicode detects that it runs setuid or setgid, it will |
| 175 | Besides, with the embedded perl interpreter the possibility for |
175 | fork into a helper process for privileged operations (pty handling |
| 176 | security problems easily multiplies. |
176 | on some systems, utmp/wtmp/lastlog handling on others) and drop |
|
|
177 | privileges immediately. This is much safer than most other terminals |
|
|
178 | that keep privileges while running (but is more relevant to urxvt, |
|
|
179 | as it contains things as perl interpreters, which might be "helpful" |
|
|
180 | to attackers). |
| 177 | |
181 | |
| 178 | Elevated privileges are only required for utmp and pty operations on |
182 | This forking is done as the very first within main(), which is very |
| 179 | some systems (for example, GNU/Linux doesn't need any extra |
183 | early and reduces possible bugs to initialisation code run before |
| 180 | privileges for ptys, but some need it for utmp support). It is |
184 | main(), or things like the dynamic loader of your system, which |
| 181 | planned to mvoe this into a forked handler process, but this is not |
185 | should result in very little risk. |
| 182 | yet done. |
|
|
| 183 | |
|
|
| 184 | So, while setuid/setgid operation is supported and not a problem on |
|
|
| 185 | your typical single-user-no-other-logins unix desktop, always |
|
|
| 186 | remember that its an awful lot of code, most of which isn't checked |
|
|
| 187 | for security issues regularly. |
|
|
| 188 | |
186 | |
| 189 | When I log-in to another system it tells me about missing terminfo data? |
187 | When I log-in to another system it tells me about missing terminfo data? |
| 190 | The terminal description used by rxvt-unicode is not as widely |
188 | The terminal description used by rxvt-unicode is not as widely |
| 191 | available as that for xterm, or even rxvt (for which the same |
189 | available as that for xterm, or even rxvt (for which the same |
| 192 | problem often arises). |
190 | problem often arises). |
