On Mon, 13 Jan 2003, Dr Andrew C Aitchison wrote:
>> (on my Debian 3.0 XFree86 has the mode bits 4711 -- there's no need for
>> anybody to read the binary and it makes harder, in principle, for Evil
>> Hackers to look for holes in it if they can't read it)
>>
>> I still think it would be great if the X server gave an error message
>> along the above lines -- it would even know whether the chown or chmod
>> command could be left out (if either the owner or the suid bit was already
>> correct).
>
>It isn't clear what the "correct" permissions are.
>Setting the "sticky" or suid bit (the 4 in chmod 4711) makes the machine
>slightly less secure, so you don't set it unless you need to.
The sticky bit, and the suid bit are 2 different things. Also,
in Linux systems, the sticky bit only has a meaning on
directories, but not on regular files. The sticky bit on
directories has the effect of making files only deleteable, etc.
by the owner of the files in that directory.
For the benefit of others whom might be reading this and are
unfamiliar with the somewhat mysterious sticky bit, here's a snip
from man chmod:
STICKY FILES
On older Unix systems, the sticky bit caused executable files to be
hoarded in swap space. This feature is not useful on modern VM sys-
tems, and the Linux kernel ignores the sticky bit on files. Other ker-
nels may use the sticky bit on files for system-defined purposes. On
some systems, only the superuser can set the sticky bit on files.
>Many distributions come configured to start X with xdm, kdm or
>gdm. In that case the suid bit isn't needed, since these
>programs are already running as root. You only need that bit if
>you need to allow ordinary users to run startx. On many systems
>you don't need to do that, so it is reasonable for Red Hat and
>Debian to ship XFree86 with the bit not set.
The setuid bit is required to start the server as non-root as
you've said, however if one is concerned about security on a
machine, one should not be running X as root at all on the
machine, and so making the X server mode 755 so it is only
useable by root, doesn't gain anything securitywise.
Running X as a normal user is by far much more secure than
running it as root, as the X server gives up it's priveledges
after it does the things it requires root priveledges for at
startup time.
Any machine requiring more security than that, shouldn't have X
installed on it at all (IMHO).
TTYL
--
Mike A. Harris
_______________________________________________
XFree86 mailing list
[EMAIL PROTECTED]
http://XFree86.Org/mailman/listinfo/xfree86
