Date: Wed, 22 Mar 2000 18:21:43 -0000
From: [email protected]
To: [email protected]Subject: gpm-root
Hi!
I've sent report about the following security hole to the
authors of gpm, but they seemed to ignore the problem. The
problem applies to every gpm version known by me, for
example 1.18.1 and 1.19.0.
To exploit this problem, gpm-root must be running on a
machine and the user needs both login to that machine and
physical access to the keyboard and mouse.
gpm-root is a beautiful tool shipped in the gpm package. It
pops up beautiful menus based on each user's own config file
when Ctrl+Mousebutton is pressed on the console.
When the user selects one of his/her favourite utility from
his/her own list, gpm-root starts this process with the
group and supplementary groups of the gpm-root daemon.
gpm-root calls setuid() first and setgid() afterwards, hence
the later one is unsuccessful. The authors completely forgot
about calling initgroups().
bye
Egmont Koblinger