https://bugzilla.novell.com/show_bug.cgi?id=632737

https://bugzilla.novell.com/show_bug.cgi?id=632737#c0

Summary: remove Xorg setuid bit
Classification: openSUSE
Product: openSUSE 11.4
Version: Factory
Platform: Other
OS/Version: Other
Status: NEEDINFO
Severity: Normal
Priority: P5 - None
Component: X.Org
AssignedTo: lnussel@novell.com
ReportedBy: lnussel@novell.com
QAContact: xorg-maintainer-bugs@forge.provo.novell.com
CC: security-team@suse.de
InfoProvider: sndirsch@novell.com
Found By: ---
Blocker: ---

Time to re-evaluate the need for a setuid bit on /usr/bin/Xorg. It's needed for starting X as an unprivileged user, e.g. via startx. That method has been deprecated in favor of a display manager for years. Also, modern environments rely on device ACLs and polkit privileges, which in turn depend on ConsoleKit tracking the active console. That doesn't work with startx anyway. So the setuid bit is of limited use by default anyway.

No setuid bit also prevents exploitation of the kernel-heap-stack overflow problem via X, as X cannot be started in a user-controlled environment then.

Therefore I'd like to remove the setuid bit on Xorg for 11.4 from /etc/permissions.easy (no packaging change in X needed). Those who really need it can still set it again in permissions.local.

Any objections or concerns?
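
An audit sketch for the change proposed above, added here as an example and not part of the bug report or of openSUSE's tooling: it resolves the mode a path ends up with across permissions files and lists what still carries setuid/setgid. The `<path> <owner>:<group> <mode>` line format, the later-file-wins order, and all sample entries are assumptions or constructed values.

```python
import os
import stat

# Constructed samples standing in for /etc/permissions.easy and permissions.local.
# Assumed line format: <path> <owner>:<group> <octal mode>; '#' starts a comment.
PERMISSIONS_EASY = """\
# constructed: Xorg without the setuid bit, as the report proposes
/usr/bin/Xorg    root:root    0711
/usr/bin/passwd  root:shadow  4755
"""
PERMISSIONS_LOCAL = """\
# constructed: an admin setting the bit again locally
/usr/bin/Xorg    root:root    4711
"""

def parse_permissions(*texts):
    """Map path -> (owner, group, mode); entries in later texts override earlier ones."""
    entries = {}
    for text in texts:
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            fields = line.split()
            if len(fields) != 3 or ":" not in fields[1]:
                raise ValueError(f"line {lineno}: expected '<path> <owner>:<group> <mode>'")
            owner, group = fields[1].split(":", 1)
            entries[fields[0]] = (owner, group, int(fields[2], 8))
    return entries

def privileged(entries):
    """Subset of entries whose resolved mode has the setuid or setgid bit."""
    mask = stat.S_ISUID | stat.S_ISGID
    return {path: mode for path, (_, _, mode) in entries.items() if mode & mask}

def drift(entries):
    """Paths whose on-disk mode differs from the resolved entry (missing files skipped)."""
    out = {}
    for path, (_, _, mode) in entries.items():
        try:
            actual = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            continue
        if actual != mode:
            out[path] = (actual, mode)
    return out
```

Running `drift` on the resolved entries shows binaries whose on-disk mode has not yet been brought in line with the configured one, for example an Xorg that still has the bit after the entry was changed.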