Package: xserver-xorg
Version: 1:7.7+7
Severity: wishlist
File: /usr/bin/X

As explained in <https://bugs.freedesktop.org/show_bug.cgi?id=83849> I think that because setuid executables create a trust boundary (they are run in an environment chosen by their less privileged parent), they should filter the environment variables seen by their linked libraries (in this case virtually none) and their child processes, via a whitelist.

(Actually, I'd prefer /usr/bin/X to just not be setuid, because when run by display managers, it doesn't need to be - but I realise that would break startx/xinit, and some people like those. This is the next best thing.)

    S
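
The whitelist filtering this report asks for, as an added example (not code from the X server or from the reporter). The whitelisted variable names and the sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Assumed whitelist for illustration; the report does not name any variables. */
static const char *const env_whitelist[] = { "DISPLAY", "HOME", "LANG", "TERM", NULL };
/* Constructed sample of an environment chosen by a less privileged parent. */
static char *const sample_env[] = { "LD_LIBRARY_PATH=/tmp/lib", "DISPLAY=:0",
    "HOME=/home/u", "DISPLAYX=1", "HOME=/tmp", "=bad", "LANG=C", NULL };

/* Length of the "NAME=" prefix if NAME matches a whitelist entry exactly, else 0. */
static size_t allowed_prefix(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry) return 0;   /* no '=' or empty name: reject */
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; env_whitelist[i] != NULL; i++)
        if (strlen(env_whitelist[i]) == n && memcmp(entry, env_whitelist[i], n) == 0)
            return n + 1;
    return 0;
}

size_t env_count(char *const envp[])
{
    size_t n = 0;
    while (envp[n] != NULL) n++;
    return n;
}

/* New NULL-terminated vector of whitelisted entries; first occurrence of a name wins. */
char **filter_environment(char *const envp[])
{
    char **out = calloc(env_count(envp) + 1, sizeof *out);
    size_t kept = 0;
    if (out == NULL) return NULL;
    for (size_t i = 0; envp[i] != NULL; i++) {
        size_t n = allowed_prefix(envp[i]), j = 0;
        if (n == 0) continue;                  /* not whitelisted or malformed */
        while (j < kept && strncmp(out[j], envp[i], n) != 0) j++;
        if (j == kept) out[kept++] = envp[i];  /* drop later duplicates */
    }
    return out;                                /* calloc left the terminator NULL */
}

int main(void)
{
    char **clean = filter_environment(sample_env);
    if (clean == NULL) return 1;               /* fail closed, never run unfiltered */
    for (size_t i = 0; clean[i] != NULL; i++) puts(clean[i]);
    free(clean);
    return 0;
}
```

A setuid program would assign the result to `environ` at the very start of `main`, before calling into any library or starting a child process.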