/usr/bin/under
James Helman
jim at baroque.Stanford.EDU
Sun Mar 3 06:47:03 AEST 1991
You lose the ability to log the user session in /etc/utmp and
/etc/wtmp, and thus lose the ability to "see" the user with "w" and
"who". Depending on your taste, this may or may not be a worse
security problem than having "xterm" be setuid root.
The security loss from this is minimal as a user can inhibit utmp
logging by invoking xterm with the '-ut' switch. As far as I know,
xterm does not log to wtmp at all.
Another problem (which also occurs under SunOS) is that if xterm is
not setuid root, the root ownership and 666 mode of the pty are not
changed. This breaks mesg(1) and biff(1) and allows any user to read
or write to your pty. This does does have some security ramifications.
On the other hand, I don't know of any security holes in xterm related
to it being setuid root.
-jim
Jim Helman
Department of Applied Physics Durand 012
Stanford University FAX: (415) 725-3377
(jim at KAOS.stanford.edu) Work: (415) 723-9127
More information about the Comp.sys.sgi
mailing list