--- rxvt-unicode/doc/rxvt.7.man.in 2006/01/16 15:07:27 1.47 +++ rxvt-unicode/doc/rxvt.7.man.in 2006/01/17 16:22:41 1.49 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "rxvt 7" -.TH rxvt 7 "2006-01-16" "7.0" "RXVT-UNICODE" +.TH rxvt 7 "2006-01-17" "7.1" "RXVT-UNICODE" .SH "NAME" RXVT REFERENCE \- FAQ, command sequences and other background information .SH "SYNOPSIS" 
@@ -334,22 +334,20 @@ encodings built-in that increase download times and are rarely used). .IP "I need to make it setuid/setgid to support utmp/ptys on my \s-1OS\s0, is this safe?" 4 .IX Item "I need to make it setuid/setgid to support utmp/ptys on my OS, is this safe?" -Likely not. While I honestly try to make it secure, and am probably not -bad at it, I think it is simply unreasonable to expect all of freetype -+ fontconfig + xft + xlib + perl + ... + rxvt-unicode itself to all be -secure. Also, rxvt-unicode disables some options when it detects that it -runs setuid or setgid, which is not nice. Besides, with the embedded perl -interpreter the possibility for security problems easily multiplies. -.Sp -Elevated privileges are only required for utmp and pty operations on some -systems (for example, GNU/Linux doesn't need any extra privileges for -ptys, but some need it for utmp support). It is planned to mvoe this into -a forked handler process, but this is not yet done. -.Sp -So, while setuid/setgid operation is supported and not a problem on your -typical single-user-no-other-logins unix desktop, always remember that -its an awful lot of code, most of which isn't checked for security issues -regularly. +It should be, starting with release 7.1. You are encouraged to properly +install urxvt with privileges necessary for your \s-1OS\s0 now. +.Sp +When rxvt-unicode detects that it runs setuid or setgid, it will fork +into a helper process for privileged operations (pty handling on some +systems, utmp/wtmp/lastlog handling on others) and drop privileges +immediately. This is much safer than most other terminals that keep +privileges while running (but is more relevant to urxvt, as it contains +things as perl interpreters, which might be \*(L"helpful\*(R" to attackers). 
+.Sp +This forking is done as the very first within \fImain()\fR, which is very early +and reduces possible bugs to initialisation code run before \fImain()\fR, or +things like the dynamic loader of your system, which should result in very +little risk. .IP "When I log-in to another system it tells me about missing terminfo data?" 4 .IX Item "When I log-in to another system it tells me about missing terminfo data?" The terminal description used by rxvt-unicode is not as widely available @@ -1060,8 +1058,8 @@ .IX Header "DESCRIPTION" The rest of this document describes various technical aspects of \&\fBrxvt-unicode\fR. First the description of supported command sequences, -followed by menu and pixmap support and last by a description of all -features selectable at \f(CW\*(C`configure\*(C'\fR time. +followed by pixmap support and last by a description of all features +selectable at \f(CW\*(C`configure\*(C'\fR time. .SH "Definitions" .IX Header "Definitions" .ie n .IP "\fB\fB""c""\fB\fR" 4 @@ -2129,10 +2127,6 @@ Add support for a very unobtrusive, plain-looking scrollbar that is the favourite of the rxvt-unicode author, having used it for many years. -.IP "\-\-enable\-half\-shadow (default: off)" 4 -.IX Item "--enable-half-shadow (default: off)" -Make shadows on the scrollbar only half the normal width & height. -only applicable to rxvt scrollbars. .IP "\-\-enable\-ttygid (default: off)" 4 .IX Item "--enable-ttygid (default: off)" Change tty device setting to group \*(L"tty\*(R" \- only use this if
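Review bot: In the rewritten setuid/setgid FAQ answer (hunk at -334,22 +334,20), the sentence "it will fork into a helper process for privileged operations ... and drop privileges immediately" does not say which process drops privileges. Please state explicitly that the helper keeps the elevated privileges and the main terminal process (the one containing the perl interpreter) gives them up, since the safety claim rests on that split. The removed text noted that rxvt-unicode disables some options when it detects that it runs setuid or setgid; the new text is silent on whether that still holds, so either keep a sentence on it or say it no longer applies. Wording: "contains things as perl interpreters" should read "things such as perl interpreters", and "done as the very first within main()" is missing a noun ("the very first thing").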
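Review bot: In the DESCRIPTION overview (hunk at -1060,8 +1058,8), dropping "menu and" is only right if the page no longer has a menu section. None of the visible hunks removes one, and the hunk offsets show only the two-line net reduction from the FAQ rewrite before line 2127, so please confirm the overview sentence matches the section headings that remain in this revision.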
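Review bot: The hunk at -2129,10 +2127,6 deletes the --enable-half-shadow entry from the configure option list with no replacement text. If the option is removed from configure in the same change, a note in the changes for 7.1 would help packagers who still pass it; if configure still accepts it, the entry should stay documented.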