On Thu, Jul 15, 2010 at 10:35:30AM +0100, Ben Price
<[email protected]> wrote:
> On Thu, Jul 15, 2010 at 02:09:23AM +0200, Marc Lehmann wrote:
> > Accepting synthetic events is, of course, not a security hole.
>
> Perhaps I am confused, but wouldn't this mean any program could run
> arbitrary commands via urxvt? Obviously this wouldn't normally be a

In the same way that the shell will execute arbitrary commands for you
when you give somebody else access to it.

> problem, but what about if I had a ``su'' session open? This would
> (I think) allow arbitrary commands to be run as root.

Same thing as when you executed the wrong su command - you get to choose a
safe password, a safe authentication method etc. If you run a shell without
authentication on some tcp port, do you also blame the shell for accepting events
from other programs via tcp? Surely not.

The comments in the xterm manpage are from a time where anybody could
connect to your display from anywhere in the world without asking you, and
it was thought that disabling synthetic events would somehow help. This
has been proven wrong many times, and I don't know why this is still in
the xterm manpage.

--
The choice of a Deliantra, the free code+content MORPG
-----==- _GNU_ http://www.deliantra.net
----==-- _ generation
---==---(_)__ __ ____ __ Marc Lehmann
--==---/ / _ \/ // /\ \/ / [email protected]
-=====/_/_//_/\_,_/ /_/\_\
_______________________________________________
rxvt-unicode mailing list
[email protected]
http://lists.schmorp.de/cgi-bin/mailman/listinfo/rxvt-unicode