mccalpin@perelandra.cms.udel.edu (John D. McCalpin) (03/01/91)
I was doing a routine security check on my machine after I observed some suspicious activity, and I found a file '/usr/bin/under' which is set up to setuid to root. I could not find documentation for this file. Does it belong there?

I also found '/usr/bin/X11/xterm' set up as setuid to root. Do I lose any functionality by turning this 'feature' off?

Thanks for any help!
--
John D. McCalpin                      mccalpin@perelandra.cms.udel.edu
Assistant Professor                   mccalpin@brahms.udel.edu
College of Marine Studies, U. Del.    J.MCCALPIN/OMNET

jim@baroque.Stanford.EDU (James Helman) (03/03/91)
You lose the ability to log the user session in /etc/utmp and /etc/wtmp, and thus lose the ability to "see" the user with "w" and "who". Depending on your taste, this may or may not be a worse security problem than having "xterm" be setuid root.

The security loss from this is minimal as a user can inhibit utmp logging by invoking xterm with the '-ut' switch. As far as I know, xterm does not log to wtmp at all.

Another problem (which also occurs under SunOS) is that if xterm is not setuid root, the root ownership and 666 mode of the pty are not changed. This breaks mesg(1) and biff(1) and allows any user to read or write to your pty. This does have some security ramifications.

On the other hand, I don't know of any security holes in xterm related to it being setuid root.

-jim

Jim Helman
Department of Applied Physics    Durand 012
Stanford University              FAX: (415) 725-3377
(jim@KAOS.stanford.edu)          Work: (415) 723-9127
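
An added example, not part of either post: a small audit that reports the two conditions discussed in this thread, setuid-root regular files and pty slave devices left root-owned with mode 666 or otherwise open to other users. The pty naming pattern, the finding labels and the default directories are assumptions made for the example.

```python
import os
import re
import stat
import sys

# Assumption: pty slaves are named BSD-style (/dev/ttyp0) or SysV-style (/dev/pts/0).
PTY_SLAVE = re.compile(r"^/dev/(tty[p-zP-T][0-9a-f]|pts/\d+)$")


def classify(path, mode, uid):
    """Return findings for one file from its lstat() mode and owner uid."""
    findings = []
    # A regular file that runs with root's privileges regardless of the caller.
    if stat.S_ISREG(mode) and mode & stat.S_ISUID and uid == 0:
        findings.append("setuid-root")
    # Devices such as /dev/null are legitimately 666, so only pty slaves are checked.
    if stat.S_ISCHR(mode) and PTY_SLAVE.match(path):
        if mode & stat.S_IROTH:
            findings.append("pty-world-readable")
        if mode & stat.S_IWOTH:
            findings.append("pty-world-writable")
        # The state described above: owner and mode never handed to the user.
        if uid == 0 and stat.S_IMODE(mode) == 0o666:
            findings.append("pty-root-666")
    return findings


def audit(roots):
    """Walk each root (directory symlinks are not followed); yield (path, findings)."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # entry vanished or is unreadable
                found = classify(path, st.st_mode, st.st_uid)
                if found:
                    yield path, found


if __name__ == "__main__":
    # Default directories are an assumption; pass others on the command line.
    for path, found in audit(sys.argv[1:] or ["/usr/bin", "/dev"]):
        print(f"{','.join(found):45} {path}")
```

An idle BSD-style pty is normally root-owned with mode 666, so a "pty-root-666" finding matters when a session is actually running on that device.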