Hi,
* Piotr Engelking <inkerma...@gmail.com> [2009-07-19 20:28]:
> 2009/7/16 Nico Golde <n...@debian.org>:
> 
> > This is not really a bug but a feature, you can disable it
> > editing /etc/slim.conf. However I agree this is not really a
> > nice feature in a default configuration. I think a big fat
> > note to README.Debian should be added to warn users of the
> > possible implications.
> 
> There doesn't seem to be anything in the source or the accompanying
> documentation that would suggest that the privilege elevation was
> intended or expected. (I just found another RC security bug in slim
> just by grepping for this. This time Debian-specific. Oh the joy...)

I didn't say it is documented, I say it should be 
documented.

> I also find your suggestion horribly wrong on many levels. First, do
> you seriously believe that users should have to read and reread on
> upgrades the documentation of their, per average, 1000 installed
> packages just to keep their systems reasonably secure?

Well, I never said it is no issue. But whether it's an issue 
depends on your desktop environment. If you have just 
installed xterm you're fine and you're free to change the 
slim configuration to call any program you want. And it 
should be documented that this may have unwanted side 
effects depending on the terminal you use. I do not say that 
a more secure default doesn't make sense. But it is core 
functionality of the program and no bug by itself in my 
opinion.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
