bin/39611: Xorg installed with setuid improperly

[gcw%primenet.com.au@localhost]

>Number:         39611
>Category:       bin
>Synopsis:       Xorg installed with setuid improperly
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Sep 23 00:55:00 +0000 2008
>Originator:     Geoff C. Wing
>Release:        NetBSD 4.99.72
>Organization:
>Environment:
System: NetBSD g.primenet.com.au 4.99.72 NetBSD 4.99.72 (G) #0: Mon Sep 22 
12:16:10 EST 2008 
gcw%g.primenet.com.au@localhost:/usr/netbsd/src/sys/arch/i386/compile/G i386
Architecture: i386
Machine: i386
>Description:
        The makefile to install the xorg-server (file: Xorg) sets BINMODE
        to install it setuid but doesn't set BINOWN.  This means that Xorg
        may potentially be installed setuid as the wrong user.
        
        Outside the src/x11 hierarchy everything setting BINMODE properly
        sets BINOWN.

        Here are the src/x11 ones (if anyone will be using them in the future):
                x11/Xserver/Xserver/X68k/Makefile
                x11/Xserver/Xserver/XFree86/Makefile
                x11/Xserver/Xserver/XalphaNetBSD/Makefile
                x11/Xserver/Xserver/Xarm32VIDC/Makefile
                x11/Xserver/Xserver/Xdreamcast/Makefile
                x11/Xserver/Xserver/Xews4800mips/Makefile
                x11/Xserver/Xserver/Xhpc/Makefile
                x11/Xserver/Xserver/Xmac68k/Makefile
                x11/Xserver/Xserver/Xmacppc/Makefile
                x11/Xserver/Xserver/Xnewsmips/Makefile
                x11/Xserver/Xserver/Xsun/Makefile
                x11/Xserver/Xserver/Xsun24/Makefile
                x11/Xserver/Xserver/XsunMono/Makefile

>How-To-Repeat:
        Obvious
>Fix:
        
Index: external/mit/xorg/server/xorg-server/hw/xfree86/Makefile
===================================================================
RCS file: 
/cvsroot/src/external/mit/xorg/server/xorg-server/hw/xfree86/Makefile,v
retrieving revision 1.21
diff -u -r1.21 Makefile
--- external/mit/xorg/server/xorg-server/hw/xfree86/Makefile    1 Sep 2008 
10:15:08 -0000       1.21
+++ external/mit/xorg/server/xorg-server/hw/xfree86/Makefile    23 Sep 2008 
00:44:27 -0000
@@ -12,6 +12,7 @@
 .include "../../Makefile.Xserver"
 
 PROG=          Xorg
+BINOWN=                root
 BINMODE=       4711
 
 .PATH:         ${X11SRCDIR.xorg-server}/hw/xfree86