… | |
… | |
194 | C<--enable-everything> (less useful, it will be very big due to a lot of |
194 | C<--enable-everything> (less useful, it will be very big due to a lot of |
195 | encodings built-in that increase download times and are rarely used). |
195 | encodings built-in that increase download times and are rarely used). |
196 | |
196 | |
197 | =item I need to make it setuid/setgid to support utmp/ptys on my OS, is this safe? |
197 | =item I need to make it setuid/setgid to support utmp/ptys on my OS, is this safe? |
198 | |
198 | |
199 | Likely not. While I honestly try to make it secure, and am probably not |
199 | It should be, starting with release 7.1. You are encouraged to properly |
200 | bad at it, I think it is simply unreasonable to expect all of freetype |
200 | install urxvt with privileges necessary for your OS now. |
201 | + fontconfig + xft + xlib + perl + ... + rxvt-unicode itself to all be |
|
|
202 | secure. Also, rxvt-unicode disables some options when it detects that it |
|
|
203 | runs setuid or setgid, which is not nice. Besides, with the embedded perl |
|
|
204 | interpreter the possibility for security problems easily multiplies. |
|
|
205 | |
201 | |
206 | Elevated privileges are only required for utmp and pty operations on some |
202 | When rxvt-unicode detects that it runs setuid or setgid, it will fork |
207 | systems (for example, GNU/Linux doesn't need any extra privileges for |
203 | into a helper process for privileged operations (pty handling on some |
208 | ptys, but some need it for utmp support). It is planned to mvoe this into |
204 | systems, utmp/wtmp/lastlog handling on others) and drop privileges |
209 | a forked handler process, but this is not yet done. |
205 | immediately. This is much safer than most other terminals that keep |
|
|
206 | privileges while running (but is more relevant to urxvt, as it contains |
|
|
207 | things as perl interpreters, which might be "helpful" to attackers). |
210 | |
208 | |
211 | So, while setuid/setgid operation is supported and not a problem on your |
209 | This forking is done as the very first within main(), which is very early |
212 | typical single-user-no-other-logins unix desktop, always remember that |
210 | and reduces possible bugs to initialisation code run before main(), or |
213 | its an awful lot of code, most of which isn't checked for security issues |
211 | things like the dynamic loader of your system, which should result in very |
214 | regularly. |
212 | little risk. |
215 | |
213 | |
216 | =item When I log-in to another system it tells me about missing terminfo data? |
214 | =item When I log-in to another system it tells me about missing terminfo data? |
217 | |
215 | |
218 | The terminal description used by rxvt-unicode is not as widely available |
216 | The terminal description used by rxvt-unicode is not as widely available |
219 | as that for xterm, or even rxvt (for which the same problem often arises). |
217 | as that for xterm, or even rxvt (for which the same problem often arises). |