| … | |
… | |
| 154 | C<--enable-everything> (less useful, it will be very big due to a lot of |
154 | C<--enable-everything> (less useful, it will be very big due to a lot of |
| 155 | encodings built-in that increase download times and are rarely used). |
155 | encodings built-in that increase download times and are rarely used). |
| 156 | |
156 | |
| 157 | =item I need to make it setuid/setgid to support utmp/ptys on my OS, is this safe? |
157 | =item I need to make it setuid/setgid to support utmp/ptys on my OS, is this safe? |
| 158 | |
158 | |
| 159 | Likely not. While I honestly try to make it secure, and am probably |
159 | Likely not. While I honestly try to make it secure, and am probably not |
| 160 | not bad at it, I think it is simply unreasonable to expect all of |
160 | bad at it, I think it is simply unreasonable to expect all of freetype |
| 161 | freetype + fontconfig + xft + xlib + ... + rxvt-unicode itself to all be |
161 | + fontconfig + xft + xlib + perl + ... + rxvt-unicode itself to all be |
| 162 | secure. Also, rxvt-unicode disables some options when it detects that it |
162 | secure. Also, rxvt-unicode disables some options when it detects that it |
| 163 | runs setuid or setgid, which is not nice. |
163 | runs setuid or setgid, which is not nice. Besides, with the embedded perl |
|
|
164 | interpreter the possibility for security problems easily multiplies. |
| 164 | |
165 | |
| 165 | Elevated privileges are only required for utmp and pty operations on some |
166 | Elevated privileges are only required for utmp and pty operations on some |
| 166 | systems (for example, GNU/Linux doesn't need any extra privileges for |
167 | systems (for example, GNU/Linux doesn't need any extra privileges for |
| 167 | ptys, but some need it for utmp support). If rxvt-unicode doesn't support |
168 | ptys, but some need it for utmp support). It is planned to mvoe this into |
| 168 | the library/setuid helper that your OS needs I'll be happy to assist you |
169 | a forked handler process, but this is not yet done. |
| 169 | in implementing support for it. |
|
|
| 170 | |
170 | |
| 171 | So, while setuid/setgid operation is supported and not a problem on your |
171 | So, while setuid/setgid operation is supported and not a problem on your |
| 172 | typical single-user-no-other-logins unix desktop, always remember that |
172 | typical single-user-no-other-logins unix desktop, always remember that |
| 173 | its an awful lot of code, most of which isn't checked for security issues |
173 | its an awful lot of code, most of which isn't checked for security issues |
| 174 | regularly. |
174 | regularly. |
