From proff  Tue Aug 27 10:49:19 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id KAA08435 for best-of-security; Tue, 27 Aug 1996 10:49:19 +1000
Received: from brimstone.netspace.org ([128.148.157.143]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id CAA05632 for <proff@SUBURBIA.NET>; Tue, 27 Aug 1996 02:46:33 +1000
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <23198-23817>; Mon, 26 Aug 1996 12:43:34 -0500
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id MAA11328; Mon, 26 Aug 1996 12:39:16 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with
          spool id 291992 for BUGTRAQ@NETSPACE.ORG; Mon, 26 Aug 1996 11:55:28
          -0400
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org
          (8.7/8.6.12) with SMTP id LAA07137 for <BUGTRAQ@NETSPACE.ORG>; Mon,
          26 Aug 1996 11:52:35 -0400
Approved-By: ALEPH1@UNDERGROUND.ORG
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by netspace.org
          (8.7/8.6.12) with SMTP id DAA29383 for <BUGTRAQ@netspace.org>; Mon,
          26 Aug 1996 03:13:18 -0400
Received: by mercury.Sun.COM (Sun.COM) id AAA06339; Mon, 26 Aug 1996 00:13:15
          -0700
Received: from albano by Holland.Sun.COM (SMI-8.6/SMI-SVR4-sd.fkk200) id
          JAA05403; Mon, 26 Aug 1996 09:13:06 +0200
Received: from holland by albano (SMI-8.6/SMI-SVR4-se.fkk201) id JAA01633; Mon,
          26 Aug 1996 09:13:04 +0200
Approved-By:  Casper Dik <casper@HOLLAND.SUN.COM>
Message-ID: <199608260713.JAA01633@albano>
Date: 	Mon, 26 Aug 1996 09:13:10 +0200
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
Sender: proff
From: Casper Dik <casper@holland.Sun.COM>
Subject:      Re: Vulnerability in the Xt library
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  Your message of "Sun, 25 Aug 1996 22:06:07 MDT."
              <199608260406.WAA06840@rover.village.org>

>Or fix xterm such that it doesn't need to be setuid.  This usually
>involves hacking the kernel to have saner defaults than are present in
>the BSD kernel.  If you could create a pseudo device that was owned by
>the user creating it, xterm wouldn't need to be setuid, if my look at
>the source and conversations I've had with others that understood
>xterm better than I.


System V ptys have this advantage, apart from being much easier to use
and being much more efficient (you don't need to search for one open
device, you just get one from the kernel).

In Solaris 2.x, there are two programs that handle all of xterm's needs:

        /usr/lib/pt_chmod       - for setting the ownership of a pty
        /usr/lib/utmp_update    - for updating utmp/wtmp files.

Consequently, Solaris 2.x xterm is not set-uid root.

(SunOS 4.x xterm wasn't set-uid either but it relied on a mode 666 utmp
file [bad] and kept your tty owned by root [worse].)

>This doesn't mean that one shouldn't fix libXt, just that xterm,
>although careful generally, shouldn't need to be setuid root (in an
>ideal world).


Obviously we need to fix libXt.  I'm actually quite appalled that the
X consortium introduced a new buffer overflow in XOpenDisplay in R6.

Casper
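Added example, not part of Casper's message or of any X or Sun source: the System V / POSIX pty sequence he is contrasting with the BSD search loop, followed by the ownership check a careful caller makes before handing the slave to a shell. It assumes a POSIX system with /dev/ptmx (tested against Linux devpts); on Solaris 2.x the grantpt() step is what runs the set-uid /usr/lib/pt_chmod helper on the caller's behalf, so the calling program itself needs no privilege. The function names sysv_open_pty and pty_slave_is_ours are this example's own.

```c
#define _XOPEN_SOURCE 600
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Obtain a pty the System V / POSIX way: the kernel hands out the next
 * free master via /dev/ptmx, so there is no BSD-style search over
 * /dev/pty[p-z]*.  grantpt() is where the privilege boundary lives: on
 * Solaris 2.x it runs the set-uid /usr/lib/pt_chmod to chown the slave to
 * the caller (assumption: behaviour as described in the message above);
 * on Linux the devpts filesystem does the same in-kernel.  The caller
 * itself runs unprivileged, which is why xterm need not be set-uid root.
 *
 * Returns the master fd, or -1 with errno set.  On success the slave
 * device path is copied into 'slave'. */
int sysv_open_pty(char *slave, size_t slave_len)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    if (grantpt(master) < 0 || unlockpt(master) < 0)
        goto fail;
    const char *name = ptsname(master);
    if (name == NULL || strlen(name) >= slave_len)
        goto fail;
    strcpy(slave, name);
    return master;
fail:
    {
        int saved = errno;   /* close() must not clobber the real error */
        close(master);
        errno = saved;
    }
    return -1;
}

/* The check a careful caller makes before giving the slave to a shell:
 * it must be a character device, owned by us, and not world-writable.
 * A slave still owned by root (the SunOS 4.x situation described above)
 * or left mode 666 is rejected.  Returns 1 if safely ours, else 0. */
int pty_slave_is_ours(const char *slave)
{
    struct stat st;
    if (stat(slave, &st) < 0)
        return 0;
    if (!S_ISCHR(st.st_mode))
        return 0;
    if (st.st_uid != getuid())
        return 0;
    if (st.st_mode & S_IWOTH)
        return 0;
    return 1;
}

int main(void)
{
    char slave[64];
    int master = sysv_open_pty(slave, sizeof slave);
    if (master < 0) {
        perror("sysv_open_pty");
        return 1;
    }
    printf("master fd %d, slave %s, safely ours: %s\n",
           master, slave, pty_slave_is_ours(slave) ? "yes" : "no");
    close(master);
    return 0;
}
```

The point of pty_slave_is_ours is that an unprivileged program should verify what the helper (pt_chmod, or the kernel) actually did rather than trust it: if the slave is not owned by the real uid, or is writable by others, refusing to proceed is safer than running a shell on a terminal another user can write to.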

