[ On Wednesday, January 2, 2002 at 22:34:08 (-0800), Aaron J. Grier wrote: ]
> Subject: Re: xterm setuid and ssh -X
>
> On Fri, Dec 21, 2001 at 04:37:32PM -0500, Jan Schaumann wrote:
> 
> > Could somebody reveal what the common consensus (aside from "don't use
> > xterm") is on this (and on forwarding X via ssh)?
> 
> xterm writes to utmp / wtmp, so is suid root for that...  for better or
> worse.

For worse, obviously.  Far worse.  What a horribly gargantuan amount of
code, which deals almost exclusively with both user input and network
data, to run as root!

However that's not the real reason (only a tiny part of the poor excuse).

The real reason xterm runs as root on *BSD is to set the ownership on
the tty device (and/or to revoke(2) it -- xterm does the revoke(2) first
if I'm not mistaken by the twisty maze of code where it does this, so it
has to be running as root when it does that too).

With a proper grantpt() implementation, and the special [uw]tmp&lastlog
group owner such as "utmp", then a set-group-id "utmp" xterm would be
more than sufficient (though even the [uw]tmp&lastlog files could be
more safely updated by helper program too).

On some systems I've had my [uw]tmp and lastlog files writable by a
special "utmp" group for quite some time, and /var/run/utmp is already
owned and group writable by 'utmp' on "standard" NetBSD.

I started working on all of this a very long time ago but got frustrated
by the horrible maze of very poorly ported code in xterm (though
obviously at no fault of its current maintainer -- it's history is long
and disgusting).  It's almost as bad as some of C-Kermit's internals.

Of course the lack of grantpt was kind of a hold-up too, though I think
there are already suitable implementations available under reasonable
terms.

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods@acm.org>;  <g.a.woods@ieee.org>;  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>