Author Topic: X.org 6.9 - 7.x root exploit  (Read 4167 times)


Offline SecretShop

X.org 6.9 - 7.x root exploit
« on: May 04, 2006, 03:01:19 am »
Because in the C language it is not necessary to add syntax to reference a function by memory address the line
if (geteuid == 0) {  made it into the X code.  This statement compares the memory address of the geteuid function with zero (NULL in ANSI C) and returns false always.  Because of this, X does not check the effective uid properly and is therefore vulnerable to exploitation on versions of the system where the bug has not been corrected.  It should state:
if (geteuid() == 0) to determine if the user is root or not by effective user id.
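
Added example, not part of the post above and not X.Org's code: the missing-parentheses comparison next to the corrected call, placed in a hypothetical gate that should refuse a root-only option when a setuid-root binary is started by an ordinary user. The names `stub_geteuid`, `option_allowed_buggy` and `option_allowed_fixed` are assumptions made for this illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The buggy comparison is tautological, and GCC reports it with -Waddress
 * (enabled by -Wall). Silenced here only so the demo builds under -Werror;
 * in a real build that warning is what catches this bug. */
#pragma GCC diagnostic ignored "-Waddress"

/* Constructed stand-in for geteuid() that always reports root, modelling a
 * setuid-root binary started by an ordinary user. */
static uid_t stub_geteuid(void) { return 0; }

/* Hypothetical gate: return 1 if a root-only option may be honoured. */
static int option_allowed_buggy(uid_t ruid)
{
    /* No parentheses: the function's address is compared with 0. A defined
     * function never has a null address, so this branch is dead code. */
    if (ruid != 0 && stub_geteuid == 0)
        return 0;
    return 1;
}

static int option_allowed_fixed(uid_t ruid)
{
    /* With the call, the effective uid itself is tested. */
    if (ruid != 0 && stub_geteuid() == 0)
        return 0;
    return 1;
}

/* The same mistake against the real libc function, whatever uid runs this. */
static int real_check_buggy(void) { return geteuid == 0; }
static int real_check_fixed(void) { return geteuid() == 0; }

int main(void)
{
    printf("ruid=1000 buggy gate allows: %d\n", option_allowed_buggy(1000));
    printf("ruid=1000 fixed gate allows: %d\n", option_allowed_fixed(1000));
    printf("real geteuid: buggy=%d fixed=%d\n",
           real_check_buggy(), real_check_fixed());
    return 0;
}
```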

Offline iago

Re: X.org 6.9 - 7.x root exploit
« Reply #1 on: May 04, 2006, 08:07:15 am »
I don't think I see the implications of that. 

Why would they be running X as root in the first place?  Running a program like X, which is designed to be run as a user, as root, is just asking for something bad to happen.

Offline MyndFyre

Re: X.org 6.9 - 7.x root exploit
« Reply #2 on: May 04, 2006, 04:45:04 pm »
> Because in the C language it is not necessary to add syntax to reference a function by memory address the line
> if (geteuid == 0) {  made it into the X code.  This statement compares the memory address of the geteuid function with zero (NULL in ANSI C) and returns false always.  Because of this, X does not check the effective uid properly and is therefore vulnerable to exploitation on versions of the system where the bug has not been corrected.  It should state:
> if (geteuid() == 0) to determine if the user is root or not by effective user id.

Ahh, another failure of the haphazard typing of C.

> Why would they be running X as root in the first place?  Running a program like X, which is designed to be run as a user, as root, is just asking for something bad to happen.

Because they don't know any better?  Remember iago, if you want Linux to be used by the masses, you need to dumb it down for them.

Besides that, I regularly run X stuff while I'm su-ing to edit .conf files.  X as me->Term->su->emacs (which launches xemacs). 

Now not knowing where this kind of code is, I can't say whether that kind of root running would be affected.  I'm just saying, sometimes you're in X as root.  (Is your security context associated on a per-thread basis, like in Windows?)

Offline Newby

Re: X.org 6.9 - 7.x root exploit
« Reply #3 on: May 04, 2006, 05:30:21 pm »
> Now not knowing where this kind of code is, I can't say whether that kind of root running would be affected.  I'm just saying, sometimes you're in X as root.  (Is your security context associated on a per-thread basis, like in Windows?)

He meant you're running the X Window System in whole as root. Not just a window.

IIRC, this code is in the basis of the X, not just a program/window itself.

Offline iago

Re: X.org 6.9 - 7.x root exploit
« Reply #4 on: May 04, 2006, 05:53:07 pm »
I read more about this, and I was mistaken.  Xorg is setUID and runs in root context, so this could indeed be a big problem.  My bad there. 

> Because they don't know any better?  Remember iago, if you want Linux to be used by the masses, you need to dumb it down for them.

The default configuration is usually what people use, and I didn't think it was root by default.  It is, and it is by necessity; I made a mistake.

> Besides that, I regularly run X stuff while I'm su-ing to edit .conf files.  X as me->Term->su->emacs (which launches xemacs).
>
> Now not knowing where this kind of code is, I can't say whether that kind of root running would be affected.  I'm just saying, sometimes you're in X as root.  (Is your security context associated on a per-thread basis, like in Windows?)

I'm not sure exactly how X works, but I don't think running a GUI-based program as root is the same.  When a program runs, it contacts X as a client, it's not actually run BY X.  That's a huge difference from Windows. 

I think that Linux does security per-process.  However, Linux is much more process-happy than Windows, and is fairly thread-hostile.  Spawning a process on Linux is extremely cheap. 

Offline Ergot

Re: X.org 6.9 - 7.x root exploit
« Reply #5 on: May 04, 2006, 06:25:24 pm »
There's a Slashdot article somewhere around saying it was found by some machine or w/e. I'm not totally concerned since it was patched and I believe I am patched as well.

Offline iago

Re: X.org 6.9 - 7.x root exploit
« Reply #6 on: May 04, 2006, 07:40:52 pm »
> There's a Slashdot article somewhere around saying it was found by some machine or w/e. I'm not totally concerned since it was patched and I believe I am patched as well.

Yeah, the US Government developed a program for scanning software (particularly open source) for vulnerabilities.  They've found plenty of vulnerabilities in Linux, X, Ethereal, and others.

Offline Joe

Re: X.org 6.9 - 7.x root exploit
« Reply #7 on: May 05, 2006, 05:15:24 pm »
> Why would they be running X as root in the first place?

Ubuntu's gdm (Gnome Desktop Manager) is run as root, then allows the user to log in through a "welcome screen", sort of like Windows XP.


Offline cheeseisfun

Re: X.org 6.9 - 7.x root exploit
« Reply #8 on: March 20, 2007, 09:20:31 pm »
>> There's a Slashdot article somewhere around saying it was found by some machine or w/e. I'm not totally concerned since it was patched and I believe I am patched as well.
>
> Yeah, the US Government developed a program for scanning software (particularly open source) for vulnerabilities.  They've found plenty of vulnerabilities in Linux, X, Ethereal, and others.

Are you talking about fuzzers? There are many fuzzers, and I don't know of one that was developed by the government. What is it called?

>> Why would they be running X as root in the first place?
>
> Ubuntu's gdm (Gnome Desktop Manager) is run as root, then allows the user to log in through a "welcome screen", sort of like Windows XP.

Ok... that's neat.

Sorry for bumping this thread, btw.