From owner-freebsd-security  Fri Oct 19 12:35:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from va.cs.wm.edu (va.cs.wm.edu [128.239.2.31])
	by hub.freebsd.org (Postfix) with ESMTP id 5282F37B407
	for <security@FreeBSD.ORG>; Fri, 19 Oct 2001 12:35:11 -0700 (PDT)
Received: from corona.cs.wm.edu (corona [128.239.2.50])
	by va.cs.wm.edu (8.11.4/8.9.1) with ESMTP id f9JJY3q22851
	for <security@FreeBSD.ORG>; Fri, 19 Oct 2001 15:34:03 -0400 (EDT)
Received: (from zvezdan@localhost)
	by corona.cs.wm.edu (8.11.6/8.9.1) id f9JJZAZ03065
	for security@FreeBSD.ORG; Fri, 19 Oct 2001 15:35:10 -0400
Date: Fri, 19 Oct 2001 15:35:10 -0400
From: Zvezdan Petkovic <zvezdan@CS.WM.EDU>
To: security@FreeBSD.ORG
Subject: Re: KCheckPass -- make it setuid root or not?
Message-ID: <20011019153510.A3031@corona.cs.wm.edu>
Mail-Followup-To: security@FreeBSD.ORG
References: <20011019120706.T25747@squall.waterspout.com> <20011019133826.O4565-100000@palanthas.neverending.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011019133826.O4565-100000@palanthas.neverending.org>; from ftobin@neverending.org on Fri, Oct 19, 2001 at 01:41:34PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Fri, Oct 19, 2001 at 01:41:34PM -0400, Frank Tobin wrote:
> Will Andrews, at 12:07 -0500 on 2001-10-19, wrote:
> 
>    OK, so I keep getting mail every now and then from people who can't
>    figure out why kcheckpass / kscreensaver won't authenticate their
>    password(s).  It's because I decided to play it safe and made
>    kcheckpass non setuid root, which it needs in order to call
>    getpwnam().
> 
> Why would you choose to make it non setuid root?  Isn't the warning that
> is associated with all setuid-installed programs enough?  Not installing
> it setuid-root would be like installing sudo without setuid; it's
> pointless without the bit set.
> 

Or a similar reasoning: Is it any safer to have xterm or rxvt run as
suid than kcheckpass?

-- 
Zvezdan Petkovic <zvezdan@cs.wm.edu>
http://www.cs.wm.edu/~zvezdan/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message