Subject: security/6765: /usr/X11R6/bin/dga is setuid-root and need not be
To: None <>
From: None <>
List: netbsd-bugs
Date: 01/07/1999 22:34:03
>Number:         6765
>Category:       security
>Synopsis:       /usr/X11R6/bin/dga is setuid-root and need not be
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin (GNATS administrator)
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Jan  7 19:50:01 1999
>Originator:     Greg A. Woods
Planix, Inc.; Toronto, Ontario; Canada
>Release:        xsrc sup Sun Jul 26 07:48:34 EDT 1998 (and xsrc-current as of today)

System: NetBSD proven 1.3I NetBSD 1.3I (GENERIC) #1: Thu Dec 3 16:23:20 EST 1998 i386


	I'm not even sure it's even necessary to install "dga", but it
	certainly should not be setuid-root, especially with no
	assurance that it's been audited as safe to run setuid.  Users
	who want to test their DGA extensions can run it as root if they
	really want to.

	I note that xsrc-current has already been modified to not
	install setuid on OpenBSD.


	look for setuid programs in X11R6/bin that don't need to be!


	patch xsrc with something like the following:

cvs diff: Diffing xc/programs/xf86dga
Index: xc/programs/xf86dga/Imakefile
RCS file: /cvs/NetBSD/xsrc/xc/programs/xf86dga/Imakefile,v
retrieving revision
diff -u -r1.1.1.1 xc/programs/xf86dga/Imakefile
--- xc/programs/xf86dga/Imakefile	1998/03/14 19:22:13
+++ xc/programs/xf86dga/Imakefile	1999/01/08 03:21:18
@@ -8,7 +8,7 @@
Index: xc/programs/xf86dga/dga.c
RCS file: /cvs/NetBSD/xsrc/xc/programs/xf86dga/dga.c,v
retrieving revision
diff -u -r1.1.1.1 xc/programs/xf86dga/dga.c
--- xc/programs/xf86dga/dga.c	1998/03/14 19:22:13
+++ xc/programs/xf86dga/dga.c	1999/01/08 03:16:29
@@ -53,7 +53,7 @@
     XSetWindowAttributes xswa;
     if (geteuid()) {
-	fprintf(stderr, "Must be suid root\n");
+	fprintf(stderr, "Must be run as root\n");