| … | |
… | |
| 288 | one with \f(CW\*(C`\-\-disable\-everything\*(C'\fR (very useful) and a maximal one with |
288 | one with \f(CW\*(C`\-\-disable\-everything\*(C'\fR (very useful) and a maximal one with |
| 289 | \&\f(CW\*(C`\-\-enable\-everything\*(C'\fR (less useful, it will be very big due to a lot of |
289 | \&\f(CW\*(C`\-\-enable\-everything\*(C'\fR (less useful, it will be very big due to a lot of |
| 290 | encodings built-in that increase download times and are rarely used). |
290 | encodings built-in that increase download times and are rarely used). |
| 291 | .IP "I need to make it setuid/setgid to support utmp/ptys on my \s-1OS\s0, is this safe?" 4 |
291 | .IP "I need to make it setuid/setgid to support utmp/ptys on my \s-1OS\s0, is this safe?" 4 |
| 292 | .IX Item "I need to make it setuid/setgid to support utmp/ptys on my OS, is this safe?" |
292 | .IX Item "I need to make it setuid/setgid to support utmp/ptys on my OS, is this safe?" |
| 293 | Likely not. While I honestly try to make it secure, and am probably |
293 | Likely not. While I honestly try to make it secure, and am probably not |
| 294 | not bad at it, I think it is simply unreasonable to expect all of |
294 | bad at it, I think it is simply unreasonable to expect all of freetype |
| 295 | freetype + fontconfig + xft + xlib + ... + rxvt-unicode itself to all be |
295 | + fontconfig + xft + xlib + perl + ... + rxvt-unicode itself to all be |
| 296 | secure. Also, rxvt-unicode disables some options when it detects that it |
296 | secure. Also, rxvt-unicode disables some options when it detects that it |
| 297 | runs setuid or setgid, which is not nice. |
297 | runs setuid or setgid, which is not nice. Besides, with the embedded perl |
|
|
298 | interpreter the possibility for security problems easily multiplies. |
| 298 | .Sp |
299 | .Sp |
| 299 | Elevated privileges are only required for utmp and pty operations on some |
300 | Elevated privileges are only required for utmp and pty operations on some |
| 300 | systems (for example, GNU/Linux doesn't need any extra privileges for |
301 | systems (for example, GNU/Linux doesn't need any extra privileges for |
| 301 | ptys, but some need it for utmp support). If rxvt-unicode doesn't support |
302 | ptys, but some need it for utmp support). It is planned to mvoe this into |
| 302 | the library/setuid helper that your \s-1OS\s0 needs I'll be happy to assist you |
303 | a forked handler process, but this is not yet done. |
| 303 | in implementing support for it. |
|
|
| 304 | .Sp |
304 | .Sp |
| 305 | So, while setuid/setgid operation is supported and not a problem on your |
305 | So, while setuid/setgid operation is supported and not a problem on your |
| 306 | typical single-user-no-other-logins unix desktop, always remember that |
306 | typical single-user-no-other-logins unix desktop, always remember that |
| 307 | its an awful lot of code, most of which isn't checked for security issues |
307 | its an awful lot of code, most of which isn't checked for security issues |
| 308 | regularly. |
308 | regularly. |
