On Tue, Jun 26, 2007 at 06:26:39PM -0400, Bill Nottingham wrote:
> Miroslav Lichvar (mlichvar@xxxxxxxxxx) said:
> > The problem is that setgid binaries have some environment variables
> > like LD_LIBRARY_PATH and TMPDIR removed. I got bugs #229360 #243069
> > reported for xterm. Unfortunately I can't fix it unless utempter is
> > accessible without setgid. Do we really need to protect the file from
> > bad applications?
> >
> > Gnome-terminal, on the other hand, uses gnome-pty-helper binary that
> > has utmp setgid. The binary is not hidden and every application can
> > make entries in the utmp file.
> >
> > To have some consistency, either gnome-pty-helper needs to be also
> > made accessible only to the utempter group and gnome-terminal is made
> > setgid or utempter is made accessible to everyone and xterm drops setgid.
>
> The entire idea of utempter is so that the terminal *doesn't* need to be
> setgid - if it's setgid, what's the point of a helper?

Well, the terminal doesn't need to be setgid utmp, but only utempter. Setgid utempter allows only adding/removing entries in utmp while setgid utmp allows unrestricted access.

The question is, should users be allowed to add entries in utmp without starting a terminal emulator?

--
Miroslav Lichvar
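A small diagnostic for the behaviour described in the message above, added here as an example and not part of the original thread or of xterm/utempter: it reports whether the process was started in secure-execution mode and whether the two variables named in the message are still visible. It assumes Linux with glibc, where the kernel passes the `AT_SECURE` flag for setuid/setgid executables; the function names are hypothetical.

```c
/* Added example: check from inside a process whether it runs setgid and
 * whether LD_LIBRARY_PATH / TMPDIR survived the exec. Assumes Linux + glibc. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>
#include <sys/types.h>
#include <unistd.h>

/* The variables the message names as removed for setgid binaries. */
static const char *const stripped_vars[] = { "LD_LIBRARY_PATH", "TMPDIR" };
#define N_VARS (sizeof stripped_vars / sizeof *stripped_vars)

/* Nonzero when the kernel flagged this exec as privileged (e.g. setgid). */
static int secure_exec_mode(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* Nonzero when real and effective group IDs differ, as in a setgid program. */
static int gid_elevated(void)
{
    return getgid() != getegid();
}

/* Count how many of the named variables the process can still see. */
static int visible_count(void)
{
    int n = 0;
    for (size_t i = 0; i < N_VARS; i++)
        if (getenv(stripped_vars[i]) != NULL)
            n++;
    return n;
}

int main(void)
{
    printf("AT_SECURE=%d rgid=%d egid=%d\n",
           secure_exec_mode(), (int)getgid(), (int)getegid());
    for (size_t i = 0; i < N_VARS; i++)
        printf("%-16s %s\n", stripped_vars[i],
               getenv(stripped_vars[i]) ? "visible" : "not set / removed");
    /* Removed variables while AT_SECURE is set point at the dynamic
     * loader's secure-mode scrubbing rather than at the caller. */
    if (secure_exec_mode() && visible_count() < (int)N_VARS)
        puts("secure-execution mode: variables may have been scrubbed");
    return 0;
}
```

Building this once as a normal binary and once with the setgid bit set to a test group, then running both with `TMPDIR` and `LD_LIBRARY_PATH` exported, shows the difference the bug reports describe.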