On 11/22/06, Alan Coopersmith <alan.coopersmith at sun.com> wrote: > > Peter Tribble wrote: > > Is there any particular reason why Xnest can't be setgid root? > > None that we know of, we've just never done a security audit on the > code that's specific to Xnest to verify that it's safe to run setgid. >
Many sites (I've done this in the past) still put users in the wheel group to control su access, so presumably mere membership of the group isn't that much of a security risk. Or, more paranoid, a group specific to the purpose could be created - and there, the worst consequence of a security problem in Xnest would be the ability to write into the .X11-* directories. -- -Peter Tribble http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/ -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.opensolaris.org/pipermail/xwin-discuss/attachments/20061122/a3951652/attachment.html>
