Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!news.ececs.uc.edu!newsrelay.netins.net!newsfeed.dacom.co.kr!news.kreonet.re.kr!news.postech.ac.kr!usenet.kornet.nm.kr!agate!howland.erols.net!EU.net!news2.EUnet.fr!newsbr.eunet.fr!usenet
From: fgm@osinet.fr (Frederic G. MARAND)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: X security hole- how to fix?
Date: Wed, 25 Sep 1996 21:45:55 GMT
Organization: Groupe SEDI / Agorus SA / OSI SARL /
Lines: 20
Message-ID: <52a8ki$1vr@newsbr.eunet.fr>
References: <3242b169.50203808@news.scruz.net>
NNTP-Posting-Host: demo3-cng.s-ip.eunet.fr
X-Newsreader: Forte Free Agent 1.0.82

>I recently set up a FreeBSD 2.1.5R machine that serves up www, ftp,
>dns, and popmail. I have been tinkering with eXodus on my win95
>machine to run xclients from the bsd machine. I noticed that no
>matter who I log in as on the bsd machine, when I start an xterm to
>another machine (such as my 95 machine) that xterm has root
>access. Obviously this is a BIG problem, how can I fix it? No one
>besides myself and our other MIS guy will have access to shell
>anyways, but I'd still like to plug the hole before it starts leaking.

I think the standard solution would be not to run xterm per se, but
with a limiting argument, such as:

    xterm -e /bin/login

Failure to log in will close the xterm, and success will give the user
the identity he is allowed to have.

Alternatively, if you want to provide access to an application, you
may use the same "-e" system and use a setuid/setgid application that
will set UID and/or GID to the user/group you chose before starting
the xterm.
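The second alternative in the reply, a small setuid wrapper that switches to a chosen unprivileged account before starting the client, is easy to get subtly wrong: groups must be dropped before the uid (once you are no longer root, setgroups/setgid fail), every call's return value must be checked, and the wrapper should refuse to "drop" to uid 0. The program below is an added illustration of that pattern and is not code from the poster or from FreeBSD; the function names `target_ids_are_unprivileged` and `drop_privileges`, and the command-line shape (target user, then the program to run, e.g. `xterm`), are assumptions for this example.

```c
/* Added example: a privilege-dropping launcher in the spirit of the
 * "setuid/setgid application" suggested in the reply. Intended to be
 * installed setuid root; it switches to the named account and then
 * execs the requested program (for instance xterm) as that account.
 * Names and the argument layout are this example's own choices.     */
#define _DEFAULT_SOURCE   /* expose setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Never accept root as the account to "drop" to; that would keep the
 * very problem the original poster describes. Returns 1 if acceptable. */
int target_ids_are_unprivileged(uid_t uid, gid_t gid)
{
    return uid != 0 && gid != 0;
}

/* Drop to uid/gid irreversibly. Order matters: supplementary groups and
 * the gid must be changed while still root, the uid last. Returns 0 on
 * success, -1 (with errno set) on any failure, including a failed drop. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (!target_ids_are_unprivileged(uid, gid)) {
        errno = EPERM;
        return -1;
    }
    if (setgroups(1, &gid) != 0)   /* clear inherited supplementary groups */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)          /* sets real, effective and saved uid */
        return -1;
    /* Verify the drop cannot be undone: regaining root must now fail. */
    if (setuid(0) == 0 || setgid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <user> <program> [args...]\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);   /* look up the target account */
    if (pw == NULL) {
        fprintf(stderr, "unknown user: %s\n", argv[1]);
        return 1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    /* Only now start the client; it inherits the unprivileged identity. */
    execvp(argv[2], &argv[2]);
    perror("execvp");
    return 1;
}
```

Run as root (or installed setuid root) with, for example, a target account and `xterm` as the program; the check at the end of `drop_privileges` makes the wrapper fail closed rather than launch a client that could still become root.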