On Wednesday 19 December 2007 23:57:29 Tollef Fog Heen wrote:
> Why do you believe this is a security hole?

Quotation from the Xwrapper.config man page (man 5 Xwrapper.config):

<<Since the X server requires superuser privileges, it may be unwise to permit just any user on the system to execute it. Even if the X server is not exploitable in the sense of permitting ordinary users to gain elevated privileges, a poorly-written or insufficiently-tested hardware driver for the X server may cause bus lockups and freeze the system, an unpleasant experience for anyone using it at the time.>>

So, it means that anybody, including a process without a console, can start the X server. The target for UME is mobile devices, which usually should have MORE SECURITY in place than normal computers. This is why the big manufacturers like Nokia are obsessed with the security of their terminal solutions, and Linux hasn't penetrated too much yet.

I really don't understand why you are opposing my solution. It is more elegant and it doesn't break the Debian/Xorg "default rules". Do you have any arguments against my proposed fix?

Cheers,
Peter

--
Peter Antoniac, PhD
https://launchpad.net/~theseinfeld
GIT/CS a C+++ UL+++$ w--- PGP++ e++++
