From: kwkhui@hkbn.net
To: gentoo-user@lists.gentoo.org
Date: Mon, 31 Dec 2012 22:06:00 +0800
Subject: Re: [gentoo-user] Re: Heads up if you start X with startx; xorg-server suid flag

On Mon, 31 Dec 2012 11:29:12 +0200
Alan McKinnon wrote:

> On Mon, 31 Dec 2012 16:53:47 +0800
> kwkhui@hkbn.net wrote:
>
> > On Mon, 31 Dec 2012 10:03:40 +0200
> > Alan McKinnon wrote:
> >
> > > It's not in the profile, the xorg-server ebuild sets USE="suid" on
> > > by default.
> > >
> > > Most likely is that Walter has USE="-suid" in his make.conf and
> > > sets it back on for things he's checked out personally. Meaning
> > > that in this case one slipped through.
> >
> > I suspect it is a USE="-* (blah)" rather than an explicit
> > USE="-suid" in the make.conf file.
> >
> > One question though --- should the xorg-server ebuild be such that
> > IUSE="(blah) +suid" when using a hardened-profile?
>
> That already has a de-facto answer; USE="suid" must be on by default
> as without it users cannot run a desktop (xorg-server does not yet run
> without root permissions)

But(!) if one uses a login manager, xorg server would only ever be run
by root, right?
Hence the use flag rather than a must like, e.g., sys-apps/shadow (and
the question whether the dangerous suid should be set in desktop
profiles instead of default on even for hardened).

Kerwin.