Bug#400632: x11-common: should not ship a SUID root binary
On Fri, Mar 14, 2008 at 11:42:41 +0100, Julien Cristau wrote:

> I can't see the reason why the X libraries (Pre-)Depend on x11-common.

Actually, there's a reason for (at least) libice6 to keep a dependency: /etc/init.d/x11-common sets up the /tmp/.ICE-unix directory.

Anyway, next upload of the xorg package moves dexconf and /usr/bin/X to xserver-xorg instead of x11-common.

Cheers,
Julien

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#400632: x11-common: should not ship a SUID root binary
On Fri, Mar 14, 2008 at 11:42:41AM +0100, Julien Cristau wrote:

> On Mon, Feb 4, 2008 at 21:02:01 -0800, Steve Langasek wrote:

> > The problem is not that /usr/bin/X is suid-root. The problem is that /usr/bin/X is now shipped in a package which is a dependency of *all* of the X libraries, so you can no longer have a system with X clients only without pulling in an extra suid binary you don't need.

> I can't see the reason why the X libraries (Pre-)Depend on x11-common.
> AFAICT the Pre-Dependency is needed for packages installing stuff in /usr/include/X11 and /usr/lib/X11 to ensure that they are proper directories and not symlinks to /usr/X11R6. That doesn't apply to libx11-6 and friends.

That's fine with me if it can be resolved that way. I can't recall now any reason for the runtime library packages to need this pre-depends, but it seems reasonable to drop it at this point regardless.

Cheers,
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]
Bug#400632: x11-common: should not ship a SUID root binary
On Mon, Feb 4, 2008 at 21:02:01 -0800, Steve Langasek wrote:

> The problem is not that /usr/bin/X is suid-root. The problem is that /usr/bin/X is now shipped in a package which is a dependency of *all* of the X libraries, so you can no longer have a system with X clients only without pulling in an extra suid binary you don't need.

I can't see the reason why the X libraries (Pre-)Depend on x11-common.
AFAICT the Pre-Dependency is needed for packages installing stuff in /usr/include/X11 and /usr/lib/X11 to ensure that they are proper directories and not symlinks to /usr/X11R6. That doesn't apply to libx11-6 and friends.

Cheers,
Julien
Bug#400632: x11-common should not ship a SUID root binary
On Mon, Feb 4, 2008 at 18:23:14 -0500, David Nusinow wrote:

> The easy and obvious fix is to just ship this with xserver-xorg instead. To be honest, I'm not sure why this ended up in x11-common instead of here.

It used to be in xserver-common, which was removed and folded in x11-common at some point between sarge and etch. It was there for the same reason dexconf was in xserver-common, which is support for more than one X server.

Cheers,
Julien
Bug#400632: x11-common should not ship a SUID root binary
Package: x11-common
Severity: serious
tags 400632 -wontfix

Greetings,

The setuid usr/bin/X binary should not be shipped with x11-common because it's not *needed* for X11 clients. That by itself is a good enough reason. Put it in xserver-xorg-core or similar, not in x11-common.

Additionally, x11-common gets pulled in on server for things like libgd-xpm, which isn't entirely unreasonable if someone wants to generate an X pixmap on a server. One could also have, I dunno, *xterm* installed on a server for clients to use without having an X server installed on the same server. Unless xterm *requires* usr/bin/X, it shouldn't be installed as part of something xterm depends on.

Thanks,
Stephen
Bug#400632: x11-common should not ship a SUID root binary
On Mon, Feb 04, 2008 at 12:53:35PM -0500, Stephen Frost wrote:

> Package: x11-common
> Severity: serious
> tags 400632 -wontfix

> Greetings,

> The setuid usr/bin/X binary should not be shipped with x11-common because it's not *needed* for X11 clients. That by itself is a good enough reason. Put it in xserver-xorg-core or similar, not in x11-common.

> Additionally, x11-common gets pulled in on server for things like libgd-xpm, which isn't entirely unreasonable if someone wants to generate an X pixmap on a server. One could also have, I dunno, *xterm* installed on a server for clients to use without having an X server installed on the same server. Unless xterm *requires* usr/bin/X, it shouldn't be installed as part of something xterm depends on.

The easy and obvious fix is to just ship this with xserver-xorg instead. To be honest, I'm not sure why this ended up in x11-common instead of here.

- David Nusinow
Bug#400632: x11-common: should not ship a SUID root binary
Hi Brice,

> tags 400632 +wontfix
> thank you

> We are not going to remove the SUID bit because of this. The actual problem here is: why do you need x11-common installed on this system? Probably because of complex dependencies between all X packages? The upcoming xbase-clients split might make things better in the near future.

The problem is not that /usr/bin/X is suid-root. The problem is that /usr/bin/X is now shipped in a package which is a dependency of *all* of the X libraries, so you can no longer have a system with X clients only without pulling in an extra suid binary you don't need.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]
Bug#400632: x11-common: should not ship a SUID root binary
tags 400632 +wontfix
thank you

We are not going to remove the SUID bit because of this. The actual problem here is: why do you need x11-common installed on this system? Probably because of complex dependencies between all X packages? The upcoming xbase-clients split might make things better in the near future.

Brice
Bug#400632: x11-common: should not ship a SUID root binary
Package: x11-common
Version: 1:7.1.0-7
Severity: wishlist

Hi,

x11-common installs the /usr/bin/X wrapper with SUID root permissions:

-rwsr-sr-x 1 root root 18416 2006-11-19 01:58 /usr/bin/X

This is fine on a workstation where one wants an X server. However, on a server that does not need an X server, but only X clients, this is a security risk that I would prefer not to worry about (BTW, see bug #396958).

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (100, 'unstable'), (99, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-2-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)

Versions of packages x11-common depends on:
ii  debconf [debconf-2.0]  1.5.9   Debian configuration management sy
ii  debianutils            2.17.3  Miscellaneous utilities specific t
ii  lsb-base               3.1-22  Linux Standard Base 3.1 init scrip

x11-common recommends no packages.

-- debconf information:
  x11-common/experimental_packages:
  x11-common/xwrapper/actual_allowed_users: console
  x11-common/xwrapper/nice_value/error:
  x11-common/xwrapper/allowed_users: Console Users Only
  x11-common/xwrapper/nice_value: 0
* x11-common/upgrade_issues:
* x11-common/x11r6_bin_not_empty:
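
Added example, not part of the original thread: a shell function for the audit the report implies, listing setuid/setgid files together with the package that ships each one, so that a binary such as /usr/bin/X installed only through library dependencies stands out. The name suid_audit is made up for this example; it assumes GNU find and stat, and uses dpkg-query where it is available.

```shell
#!/bin/sh
# Added example (not from the bug thread): list setuid/setgid regular files
# under a directory with the Debian package that owns each one.
# suid_audit is a hypothetical helper name; GNU find and stat are assumed.

suid_audit() {
    # $1: directory to scan (defaults to /usr/bin)
    dir=${1:-/usr/bin}
    # -perm /6000 matches files with the setuid (4000) or setgid (2000) bit;
    # -xdev keeps the scan on a single filesystem.
    find "$dir" -xdev -type f -perm /6000 2>/dev/null |
    while IFS= read -r f; do
        # %A symbolic mode (e.g. -rwsr-sr-x), %U owner, %G group
        meta=$(stat -c '%A %U %G' "$f") || continue
        pkg='(no package)'
        if command -v dpkg-query >/dev/null 2>&1; then
            # dpkg-query -S prints "package: /path"; keep the package part.
            owner=$(dpkg-query -S "$f" 2>/dev/null | head -n 1)
            [ -n "$owner" ] && pkg=${owner%%: *}
        fi
        # Output columns: mode owner group path package
        printf '%s %s %s\n' "$meta" "$f" "$pkg"
    done
}

# Scan the directory given on the command line, or /usr/bin by default.
suid_audit "${1:-/usr/bin}"
```

A file reported as "(no package)" is not tracked by dpkg at that path and deserves a closer look; on a merged-/usr system the package may have registered the file under /bin or /sbin instead.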