On Wed, Apr 12, 2006 at 01:33:57AM +0200, Yann Dirson wrote:
> On Wed, Apr 12, 2006 at 01:23:53AM +0300, Daniel Stone wrote:
> > > Anyway... although -xf86config is not documented any more in Xorg.1,
> > > the flag is still accepted, and then as expected I can get my
> > > server...
> >
> > -xf86config, -xorgconfig, -modulepath, and -logpath all need to be
> > added. (cf. Xorg #6213.)
>
> Hm. #6213 is about a recent issue, which surely has nothing to do
> with the issue that existed in 1997, right? And if I understand
> well, there are available fixes for Xorg itself, so I do not see a
> need to hack the wrapper for this. What do I miss? What is the link
> between that old issue and the new one?

The link is that #6213 was a fix for the fact that unprivileged users
could use the -modulepath option, which allows you to say
X -modulepath ~/foo, where ~/foo contains a bunch of modules with code
you wrote. The X server runs as root. The -modulepath option didn't
exist in 1997.

> The behaviour described for -*config is to allow non-root users to use
> root-defined configs. If there is a real security problem with that,
> it would be good practice to describe the issue in the Xorg manpage,
> and try to work out an alternative if a full solution cannot be found.

-*config, -modulepath and -logpath are all documented as only being
available to root. -*config and -modulepath because you can execute
arbitrary code of your choice as root; -logpath because running
Xorg -logpath /lib/ld-linux.so.1 is a good way to kill a system.

> The problem I see with that 1997 issue, is that it does not point to a
> CVE or any other security-related issue. Not even to a BTS entry.

Well, CVE didn't exist in 1997, so that would be kind of difficult.
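
The restriction discussed in the message above, as an added C sketch that is not part of the original thread and is not code from Xorg or the Debian wrapper: a setuid-root launcher refusing the four options named in the thread unless the invoking (real) uid is root. The function names and the uid values used to exercise it are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Options the thread lists as root-only. */
static const char *const root_only_opts[] = {
    "-xf86config", "-xorgconfig", "-modulepath", "-logpath",
};

/* Return 1 if opt is one of the root-only options, else 0. */
int is_root_only(const char *opt)
{
    size_t i;
    for (i = 0; i < sizeof(root_only_opts) / sizeof(root_only_opts[0]); i++)
        if (strcmp(opt, root_only_opts[i]) == 0)
            return 1;
    return 0;
}

/*
 * Return the index of the first argument that must be refused for a caller
 * with the given REAL uid, or 0 if the whole command line is acceptable.
 */
int first_refused_arg(uid_t real_uid, int argc, char *const argv[])
{
    int i;
    if (real_uid == 0)
        return 0;               /* root may use every option */
    for (i = 1; i < argc; i++)
        if (is_root_only(argv[i]))
            return i;
    return 0;
}

int main(int argc, char **argv)
{
    /* getuid(), not geteuid(): in a setuid-root binary the effective uid
     * is 0 for every caller, so only the real uid identifies the invoker. */
    int bad = first_refused_arg(getuid(), argc, argv);
    if (bad) {
        fprintf(stderr, "%s: option %s is restricted to root\n",
                argv[0], argv[bad]);
        return 1;
    }
    puts("command line accepted");
    return 0;
}
```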