Date:      Sun, 18 Sep 2011 01:06:09 +0200
From:      C-S <c-s@c-s.li>
To:        freebsd-ports@freebsd.org
Cc:        x11@freebsd.org
Subject:   xorg-server setuid -- denial of service attack
Message-ID:  <1316300769.6731.11.camel@laptop>

Today, I discovered by accident that having setuid option set on
xorg-server -- which is the default option -- may be dangerous. (I guess
you all knew that already :-).

Another logged in user "killed" my screen by typing:

X :1

After turning setuid off, this denial of service attack was not possible
anymore. To be honest, I was really surprised that a regular user with
no special permissions can disrupt other people's x11 sessions that
easily.

Let me be precise here, though. It seems that he actually opened
another X11 session (which is the idea of this command I guess).
However, none of those sessions were displayed anymore on the screen.

Am I missing anything in my security configuration? What do you think?

Cheers,
Carlo
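A small audit helper for the mitigation Carlo applied (clearing the setuid bit on the X server), added here as an example and not part of the original e-mail. The candidate binary paths are assumptions for typical FreeBSD ports and Linux installs; adjust them for your system.

```shell
# audit_setuid PATH...
# Prints one line per existing file and returns 0 if any of them carries
# the setuid bit (the risky configuration from the e-mail), 1 otherwise.
# Missing paths are skipped so the same list can be used on several hosts.
audit_setuid() {
    found=1
    for f in "$@"; do
        [ -e "$f" ] || continue
        if [ -u "$f" ]; then
            # Show the mode string so the finding is self-explanatory in a report.
            printf 'SETUID  %s  (%s)\n' "$f" "$(ls -ld "$f" | cut -d' ' -f1)"
            found=0
        else
            printf 'ok      %s\n' "$f"
        fi
    done
    return $found
}

# Assumed X server locations (FreeBSD ports first, then common Linux paths).
XSERVER_CANDIDATES="/usr/local/bin/Xorg /usr/local/bin/X /usr/bin/Xorg /usr/lib/xorg/Xorg"

if audit_setuid $XSERVER_CANDIDATES; then
    echo "WARNING: setuid X server found; any local user can start a second server on the console"
else
    echo "No setuid X server found among the candidate paths"
fi
```

Clearing the bit (the fix from the message) is `chmod u-s` on the flagged binary, after which only root or a display manager running as root can start a server.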
