… | |
… | |
154 | C<--enable-everything> (less useful, it will be very big due to a lot of |
154 | C<--enable-everything> (less useful, it will be very big due to a lot of |
155 | encodings built-in that increase download times and are rarely used). |
155 | encodings built-in that increase download times and are rarely used). |
156 | |
156 | |
157 | =item I need to make it setuid/setgid to support utmp/ptys on my OS, is this safe? |
157 | =item I need to make it setuid/setgid to support utmp/ptys on my OS, is this safe? |
158 | |
158 | |
159 | Likely not. While I honestly try to make it secure, and am probably |
159 | Likely not. While I honestly try to make it secure, and am probably not |
160 | not bad at it, I think it is simply unreasonable to expect all of |
160 | bad at it, I think it is simply unreasonable to expect all of freetype |
161 | freetype + fontconfig + xft + xlib + ... + rxvt-unicode itself to all be |
161 | + fontconfig + xft + xlib + perl + ... + rxvt-unicode itself to all be |
162 | secure. Also, rxvt-unicode disables some options when it detects that it |
162 | secure. Also, rxvt-unicode disables some options when it detects that it |
163 | runs setuid or setgid, which is not nice. |
163 | runs setuid or setgid, which is not nice. Besides, with the embedded perl |
|
|
164 | interpreter the possibility for security problems easily multiplies. |
164 | |
165 | |
165 | Elevated privileges are only required for utmp and pty operations on some |
166 | Elevated privileges are only required for utmp and pty operations on some |
166 | systems (for example, GNU/Linux doesn't need any extra privileges for |
167 | systems (for example, GNU/Linux doesn't need any extra privileges for |
167 | ptys, but some need it for utmp support). If rxvt-unicode doesn't support |
168 | ptys, but some need it for utmp support). It is planned to mvoe this into |
168 | the library/setuid helper that your OS needs I'll be happy to assist you |
169 | a forked handler process, but this is not yet done. |
169 | in implementing support for it. |
|
|
170 | |
170 | |
171 | So, while setuid/setgid operation is supported and not a problem on your |
171 | So, while setuid/setgid operation is supported and not a problem on your |
172 | typical single-user-no-other-logins unix desktop, always remember that |
172 | typical single-user-no-other-logins unix desktop, always remember that |
173 | its an awful lot of code, most of which isn't checked for security issues |
173 | its an awful lot of code, most of which isn't checked for security issues |
174 | regularly. |
174 | regularly. |
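Review bot: The sentence "It is planned to mvoe this into a forked handler process, but this is not yet done" (line 168) has a typo, "mvoe" for "move", and its "this" has no clear referent. Naming the utmp and pty operations from the preceding sentence would make it clear what is to be moved out of the privileged process. The perl sentence at lines 163-164 says the embedded interpreter multiplies the possibility for security problems, but the same paragraph says rxvt-unicode disables some options when it detects that it runs setuid or setgid. It would help to state whether the perl interpreter is one of the things disabled in that case, since that is the first thing someone installing the binary setuid will want to know. The version of line 167 that offers help with implementing an OS-specific library/setuid helper does not appear alongside the forked-handler sentence. If that offer still stands, keep it next to the new text. Minor: "its an awful lot of code" in the unchanged line 173 should read "it's".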