[9818] in bugtraq
Re: Linux /usr/bin/gnuplot overflow
daemon@ATHENA.MIT.EDU (Rich Lafferty)
Fri Mar  5 12:11:05 1999
Mail-Followup-To: BUGTRAQ@netspace.org, speed@linux.dpilink.com
Date: Fri, 5 Mar 1999 03:46:34 -0500
Reply-To: Rich Lafferty <rich@VAX2.CONCORDIA.CA>
From: Rich Lafferty <rich@VAX2.CONCORDIA.CA>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.3.93.990304194713.20020A-100000@linux.dpilink.com>;
              from "Speed" on Thu, Mar 04, 1999 at 08:04:49PM
Quoting Speed (speed@LINUX.DPILINK.COM) from Thu, Mar 04, 1999 at 08:04:49PM -0500:
> It is interesting to note that the gnuplot on my system is NOT suid root
> (nor have I modified the default installed settings).  My version is 3.5
> patchlevel 3.50.1.17 (i.e. very old).  The distribution is Slackware.
>
> I agree with xnec in that I can see no good reason to make it suid root.
> Anyone know why this was done?

Debian Linux's gnuplot README says:

  In order to enable ordinary users to use SVGA console graphics,
  gnuplot needs to be set up as setuid root.  Please note that this is
  usually considered to be a security hazard and is not recommended
  unless you know what you are doing.

Running it under X11 doesn't require gnuplot to be suid root.  FWIW,
when installing gnuplot from the Debian package, dpkg asks

  Currently, gnuplot is not set up as setuid root.  Good.
  Do you want to change it?  (y/n/?) [n]

The ? option gives:

    In order to enable ordinary users to use SVGA console graphics,
    gnuplot needs to be set up as setuid root.  Please note that
    this is usually considered to be a security hazard.

which leads me to conclude that at least one person went "hm, that's
not right". I couldn't find anything one way or another in gnuplot's
documentation, though. CONSOLE GROUP, people.

  \Rich
--
Rich Lafferty ---------------------------------------------------------
IITS/Computing Services     | "Oderint dum metuant."
Concordia University        |            -- Lucius Accius (170-90 BC).
rich@vax2.concordia.ca -----------------------------------------[McQ]--