urxvt synthetic events - security hole?
Marc Lehmann
schmorp at schmorp.de
Fri Jul 16 01:45:15 CEST 2010
On Thu, Jul 15, 2010 at 10:35:30AM +0100, Ben Price <ben.r.price at btinternet.com> wrote:
> On Thu, Jul 15, 2010 at 02:09:23AM +0200, Marc Lehmann wrote:
> > Accepting synthetic events is, of course, not a security hole.
>
> Perhaps I am confused, but wouldn't this mean any program could run
> arbitrary commands via urxvt? Obviously this wouldn't normally be a

In the same way that the shell will execute arbitrary commands for you
when you give somebody else access to it.

> problem, but what about if I had a ``su'' session open? This would
> (I think) allow arbitrary commands to be run as root.

Same thing as when you executed the wrong su command - you get to choose a
safe password, a safe authentication method etc. If you run a shell without
authentication on some tcp port, do you also blame the shell for accepting events
from other programs via tcp? Surely not.

The comment in the xterm manpage is from a time where anybody could
connect to your display from anywhere in the world without asking you, and
it was thought that disabling synthetic events would somehow help. This
has been proven wrong many times, and I don't know why this is still in
the xterm manpage.

--
The choice of a Deliantra, the free code+content MORPG
-----==- _GNU_ http://www.deliantra.net
----==-- _ generation
---==---(_)__ __ ____ __ Marc Lehmann
--==---/ / _ \/ // /\ \/ / schmorp at schmorp.de
-=====/_/_//_/\_,_/ /_/\_\