Before anyone makes any "fixes", please explain why this is even
considered a security hole. Frankly I don't see it. It's not like
FvwmM4 is being run setuid to root (or anyone else). If fvwm is
started from a shell prompt, or a .xinitrc file, then presumably the
user's path will be properly set for what the user believes is the
correct m4 program. If an attacker can modify the directories in that
user's path such that a different m4 is run then the attacker has got
that user hosed already and nothing can be done to FvwmM4 that will
help the user. If fvwm is started from xdm or dtlogin and the user's
path is not set, then only system directories should be available, and
if none of those contains m4 then the user will probably get an error
message and figure out how to fix it :-) If an attacker can modify
those system directories, then the attacker has root and the game's
over.
In short, I don't see allowing m4 to be determined by PATH to be a
security hole in this particular case. If there's something else I'm
missing, I'd be glad to know of it.
Thanks,
--
Dave Goldberg
Post: The Mitre Corporation\MS B305\202 Burlington Rd.\Bedford, MA 01730
Phone: 617-271-3887
Email: dsg_at_mitre.org
--
Visit the official FVWM web page at <URL:http://www.hpc.uh.edu/fvwm/>.
To unsubscribe from the list, send "unsubscribe fvwm" in the body of a
message to majordomo_at_hpc.uh.edu.
To report problems, send mail to fvwm-owner_at_hpc.uh.edu.
Received on Wed Dec 04 1996 - 11:04:16 GMT