| 1 |
On 11/04/18 10:33, tuxic@××××××.de wrote: |
| 2 |
> |
| 3 |
> |
| 4 |
> |
| 5 |
> |
| 6 |
> On 11/03 11:20, Daniel Frey wrote: |
| 7 |
>> On 11/03/18 07:01, Alan Mackenzie wrote: |
| 8 |
>>> Hello, Gentoo. |
| 9 |
>>> |
| 10 |
>>> HEADS UP!!! |
| 11 |
>>> |
| 12 |
>>> If you start your X server from the command line with, e.g. startx, you |
| 13 |
>>> now need to set the new(?) suid USE flag for the xorg-server package. |
| 14 |
>>> |
| 15 |
>>> This flag causes the binary to be installed with the setuid file flag, |
| 16 |
>>> which causes it to run as root. |
| 17 |
>>> |
| 18 |
>>> The developers, in this instance, failed to raise the ebuild's version |
| 19 |
>>> number from 1.20.3 when making this change, and also didn't notify users |
| 20 |
>>> by a NEWS item, that I can see. |
| 21 |
>>> |
| 22 |
>>> The matter was fairly intensively discussed in bug #669648 in Gentoo's |
| 23 |
>>> bugzilla. |
| 24 |
>>> |
| 25 |
>>> So - if you get a permissions error whilst trying to start X, setting |
| 26 |
>>> the suid USE flag may well be the solution. |
| 27 |
>>> |
| 28 |
>> |
| 29 |
>> I just got hit by this on my mythtv backend, which I only start X to |
| 30 |
>> configure the mythtv backend. |
| 31 |
>> |
| 32 |
>> Yes, enabling the suid USE-flag fixed it (or restored original behaviour?) |
| 33 |
>> |
| 34 |
>> Dan |
| 35 |
>> |
| 36 |
> |
| 37 |
> Hi, |
| 38 |
> |
| 39 |
> is this already known? |
| 40 |
> https://twitter.com/hackerfantastic/status/1055517801224396800 |
| 41 |
> |
| 42 |
> Is it safe to run X.org suid set? |
| 43 |
> |
| 44 |
> Cheers |
| 45 |
> Meino |
| 46 |
> |
| 47 |
> |
| 48 |
> |
| 49 |
> |
| 50 |
|
| 51 |
Even if you run X as a non-root user it's possible to snoop on the |
| 52 |
keyboard/mouse input of a different user. So... pick your vulnerability. |
| 53 |
|
| 54 |
I stuck with the way it's been working for years and years. However, |
| 55 |
these systems do not have web access or anything like that, they're |
| 56 |
mythtv appliances. |
| 57 |
|
| 58 |
Dan |
Archives