Subject: security/6765: /usr/X11R6/bin/dga is setuid-root and need not be
To: None <gnats-bugs@gnats.netbsd.org>
From: None <woods@proven.weird.com>
List: netbsd-bugs
Date: 01/07/1999 22:34:03
>Number:         6765
>Category:       security
>Synopsis:       /usr/X11R6/bin/dga is setuid-root and need not be
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin (GNATS administrator)
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Jan  7 19:50:01 1999
>Last-Modified:
>Originator:     Greg A. Woods
>Organization:
Planix, Inc.; Toronto, Ontario; Canada
>Release:        xsrc sup Sun Jul 26 07:48:34 EDT 1998 (and xsrc-current as of today)
>Environment:

System: NetBSD proven 1.3I NetBSD 1.3I (GENERIC) #1: Thu Dec 3 16:23:20 EST 1998 root@woffi.planix.com:/local1/netbsd/netbsd-current/src/sys/arch/i386/compile/GENERIC i386

>Description:

	I'm not even sure it's even necessary to install "dga", but it
	certainly should not be setuid-root, especially with no
	assurance that it's been audited as safe to run setuid.  Users
	who want to test their DGA extensions can run it as root if they
	really want to.

	I note that xsrc-current has already been modified to not
	install setuid on OpenBSD.

>How-To-Repeat:

	look for setuid programs in X11R6/bin that don't need to be!

>Fix:

	patch xsrc with something like the following:

cvs diff: Diffing xc/programs/xf86dga
Index: xc/programs/xf86dga/Imakefile
===================================================================
RCS file: /cvs/NetBSD/xsrc/xc/programs/xf86dga/Imakefile,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 xc/programs/xf86dga/Imakefile
--- xc/programs/xf86dga/Imakefile	1998/03/14 19:22:13	1.1.1.1
+++ xc/programs/xf86dga/Imakefile	1999/01/08 03:21:18
@@ -8,7 +8,7 @@
 AllTarget(ProgramTargetName(dga))
 
 NormalProgramTarget(dga,$(OBJS),$(DEPLIBS),$(LOCAL_LIBRARIES),NullParameter)
-InstallProgramWithFlags(dga,$(BINDIR),$(INSTUIDFLAGS))
+InstallProgram(dga,$(BINDIR))
 DependTarget()
 
 InstallManPage(dga,$(MANDIR))
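Review bot: at the `InstallProgram(dga,$(BINDIR))` line the setuid install flags are dropped for every platform, while the report says xsrc-current already makes this change for OpenBSD only. If this is meant to go upstream, either fold NetBSD into that existing condition or drop the condition so all platforms install the same way. The man page installed by the `InstallManPage(dga,$(MANDIR))` line should also be checked for wording that assumes the binary is setuid.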
Index: xc/programs/xf86dga/dga.c
===================================================================
RCS file: /cvs/NetBSD/xsrc/xc/programs/xf86dga/dga.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 xc/programs/xf86dga/dga.c
--- xc/programs/xf86dga/dga.c	1998/03/14 19:22:13	1.1.1.1
+++ xc/programs/xf86dga/dga.c	1999/01/08 03:16:29
@@ -53,7 +53,7 @@
     XSetWindowAttributes xswa;
 
     if (geteuid()) {
-	fprintf(stderr, "Must be suid root\n");
+	fprintf(stderr, "Must be run as root\n");
 	exit(1);
     }
 
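Review bot: the `if (geteuid())` test still passes when the binary is setuid-root, so a copy left over from an earlier install, or one that an administrator marks setuid again, keeps running as root for any user with no warning. If the intent is that only root may run it, also compare `getuid()` against 0 at this check, and add a short comment above it saying why root is required.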
>Audit-Trail:
>Unformatted:
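
The How-To-Repeat step as a repeatable check. This is an added example, not part of the original report: the function name `audit_setuid` is hypothetical, and which programs belong on the allowlist is the site's own decision, passed in by the caller.

```sh
#!/bin/sh
# Added example: report setuid files under DIR owned by OWNER whose
# basename is not on the caller-supplied allowlist.
# Usage: audit_setuid DIR OWNER [ALLOWED_NAME ...]
# e.g.   audit_setuid /usr/X11R6/bin root <names you expect to be setuid>
audit_setuid() {
    dir=$1
    owner=$2
    shift 2
    allowed=" $* "          # space-delimited so whole names can be matched

    # -perm -4000 matches any file with the setuid bit set.
    find "$dir" -type f -perm -4000 -user "$owner" -print | sort |
    while IFS= read -r path; do
        name=${path##*/}
        case "$allowed" in
            *" $name "*) ;;                  # expected to be setuid, skip
            *) printf '%s\n' "$path" ;;      # unexpected, report it
        esac
    done
}

# Run stand-alone when called with arguments.
if [ "$#" -ge 2 ]; then
    audit_setuid "$@"
fi
```

Any path printed is a setuid program that nobody has recorded a reason for; an empty result means the directory matches the allowlist.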