Tim Tassonis timtas at cubic.ch
Sat Jun 30 14:22:09 CEST 2007

Jean-Philippe Guillemin wrote:
> Tim Tassonis wrote:
>> Hi Auke
>>> that should not be the case... a login manager should run *as* root but 
>>> certainly not be setuid root.
>> Of course, you are right. But it doesn't really matter. The point is 
>> that a user sits in front of a program that runs as root, but the user 
>> is not root. That results in the same implications as a setuid program.
> Not really :
> - A suid program can be launched by Bill and will run as if Bill was root.
> - A 754 root:root program can only be started by root. It makes a big 
> difference.

The problem is: The login program will be started autamotically, bill 
doesn't even have to start it to in order to use it.

> If the suid program has an exploitable buffer overflow problem : anybody 
> getting unprivileged access to the computer can launch the suid program 
> with appropriate shell code, and then he's root.

Same here: Anybody getting the login screen translates to any person 
getting the login screen. Fewer people will be able to, but that's not 
the point. In an office, this will be anybody being able to walk to the 
computer and switch it on.

> A program that can only be started by root is useless for somebody that 
> ... **wants** to be root ;)

The login program is started automotically, you don't even _have_ to 
start it. That's the point of a login manager.

I still think it's exactly the same as a setuid root program.


> JP
> _______________________________________________
> Xfce4-dev mailing list
> Xfce4-dev at xfce.org
> http://foo-projects.org/mailman/listinfo/xfce4-dev

More information about the Xfce4-dev mailing list