Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!apple!agate!ICSI.Berkeley.EDU!stolcke
From: stolcke@ICSI.Berkeley.EDU (Andreas Stolcke)
Newsgroups: comp.windows.x
Subject: Re: NOTE: security problem with some setuid X clients under SunOS 4.1
Message-ID: <1990Dec20.201523.21679@agate.berkeley.edu>
Date: 20 Dec 90 20:15:23 GMT
References: <9012201420.AA14517@expire.lcs.mit.edu>
Sender: usenet@agate.berkeley.edu (USENET Administrator)
Reply-To: stolcke@ICSI.Berkeley.EDU (Andreas Stolcke)
Organization: International Computer Science Institute, Berkeley, CA
Lines: 30

In article <9012201420.AA14517@expire.lcs.mit.edu>, rws@EXPO.LCS.MIT.EDU (Bob Scheifler) writes:
|> There is a security problem with certain X clients running under SunOS 4.1.
|> The problem only affects setuid programs that have been linked with relative -L
|> shared library paths. xterm and xload are possible candidates, from the core
|> MIT X distribution. IF you are using shared X libraries, AND you have installed
|> xterm and/or xload as setuid programs, then please do one of the following:
[...]
|> There is a third option, which is to link the programs only with absolute
|> library paths. This only works if reasonable versions of the libraries are
|> already installed at the time that you link the program. Since this option
|> introduces possibilities of link errors (depending on your environment), and
|> it is poor build practice to forcibly install libraries except during an
|> install phase, I am not providing Imakefiles details for this option, but
|> you may want to consider this option (given that Option 1 has a performance
|> penalty) if you do not feel comfortable with the consequences of Option 2.

IMHO, the drawbacks of options 1 and 2 are indeed well worth the trouble
of pursuing option 3. If my understanding of Sun's shared libs and the
X build process is correct, option 3 should be trivial to implement: just type
xmkmf in the xterm and xload directories and recompile.
If imake config files are set up correctly this should cause libraries to
be searched for in the trusted places only or in some directory specified
by absolute path (e.g., LoaderLibPrefix is -L/usr/local/X11R4/lib in our
environment).

What's the big deal? Please correct me if I'm wrong.

-- 
Andreas Stolcke
International Computer Science Institute	stolcke@icsi.Berkeley.EDU
1957 Center St., Suite 600, Berkeley, CA 94704	(415) 642-4274 ext. 126
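
An added example, not part of the original post: a Python check that expands the make variables in a generated Makefile and lists every -L directory that is not an absolute path, which is the condition the post relies on before relinking a setuid client. The Makefile fragments, the variable names (TOP, XLIBSRC, LIBDIRS, USRLIBDIR) and the choice of LDOPTIONS as the variable to inspect are constructed assumptions; only the path /usr/local/X11R4/lib comes from the post.

```python
import re

# Constructed samples in the style of a generated Makefile; names are illustrative.
RELATIVE_MAKEFILE = """\
TOP = ../..
XLIBSRC = $(TOP)/lib/X
LIBDIRS = -L$(XLIBSRC) -L$(TOP)/lib/Xmu
LDOPTIONS = $(LIBDIRS) -L /usr/lib
"""
ABSOLUTE_MAKEFILE = """\
USRLIBDIR = /usr/local/X11R4/lib
LDOPTIONS = -L$(USRLIBDIR)
"""
VAR_REF = re.compile(r"\$[({](\w+)[)}]")

def parse_vars(text):
    """Collect simple 'NAME = value' assignments (last definition wins)."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.*)$", line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out

def expand(value, variables, depth=0):
    """Substitute $(NAME) recursively; undefined names are left unexpanded."""
    if depth > 20:                       # guard against self-referencing variables
        return value
    def sub(m):
        v = variables.get(m.group(1))
        return m.group(0) if v is None else expand(v, variables, depth + 1)
    return VAR_REF.sub(sub, value)

def relative_lib_dirs(text, link_var="LDOPTIONS"):
    """Return the -L directories in link_var that are not provably absolute."""
    variables = parse_vars(text)
    words = expand(variables.get(link_var, ""), variables).split()
    dirs = []
    for i, w in enumerate(words):
        if w == "-L" and i + 1 < len(words):     # "-L dir" form
            dirs.append(words[i + 1])
        elif w.startswith("-L") and len(w) > 2:  # "-Ldir" form
            dirs.append(w[2:])
    return [d for d in dirs if not d.startswith("/")]

if __name__ == "__main__":
    for name, mk in (("relative", RELATIVE_MAKEFILE), ("absolute", ABSOLUTE_MAKEFILE)):
        print(name, relative_lib_dirs(mk) or "only absolute -L paths")
```

A directory whose variable cannot be resolved is reported as well, since it cannot be shown to be absolute.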