… | |
… | |
235 | </dd> |
235 | </dd> |
236 | <p></p> |
236 | <p></p> |
237 | <dt><strong><a name="item_i_need_to_make_it_setuid_2fsetgid_to_support_utmp_">I need to make it setuid/setgid to support utmp/ptys on my OS, is this safe?</a></strong><br /> |
237 | <dt><strong><a name="item_i_need_to_make_it_setuid_2fsetgid_to_support_utmp_">I need to make it setuid/setgid to support utmp/ptys on my OS, is this safe?</a></strong><br /> |
238 | </dt> |
238 | </dt> |
239 | <dd> |
239 | <dd> |
240 | Likely not. While I honestly try to make it secure, and am probably |
240 | Likely not. While I honestly try to make it secure, and am probably not |
241 | not bad at it, I think it is simply unreasonable to expect all of |
241 | bad at it, I think it is simply unreasonable to expect all of freetype |
242 | freetype + fontconfig + xft + xlib + ... + rxvt-unicode itself to all be |
242 | + fontconfig + xft + xlib + perl + ... + rxvt-unicode itself to all be |
243 | secure. Also, rxvt-unicode disables some options when it detects that it |
243 | secure. Also, rxvt-unicode disables some options when it detects that it |
244 | runs setuid or setgid, which is not nice. |
244 | runs setuid or setgid, which is not nice. Besides, with the embedded perl |
|
|
245 | interpreter the possibility for security problems easily multiplies. |
245 | </dd> |
246 | </dd> |
246 | <dd> |
247 | <dd> |
247 | <p>Elevated privileges are only required for utmp and pty operations on some |
248 | <p>Elevated privileges are only required for utmp and pty operations on some |
248 | systems (for example, GNU/Linux doesn't need any extra privileges for |
249 | systems (for example, GNU/Linux doesn't need any extra privileges for |
249 | ptys, but some need it for utmp support). If rxvt-unicode doesn't support |
250 | ptys, but some need it for utmp support). It is planned to mvoe this into |
250 | the library/setuid helper that your OS needs I'll be happy to assist you |
251 | a forked handler process, but this is not yet done.</p> |
251 | in implementing support for it.</p> |
|
|
252 | </dd> |
252 | </dd> |
253 | <dd> |
253 | <dd> |
254 | <p>So, while setuid/setgid operation is supported and not a problem on your |
254 | <p>So, while setuid/setgid operation is supported and not a problem on your |
255 | typical single-user-no-other-logins unix desktop, always remember that |
255 | typical single-user-no-other-logins unix desktop, always remember that |
256 | its an awful lot of code, most of which isn't checked for security issues |
256 | its an awful lot of code, most of which isn't checked for security issues |