Date: Wed, 22 Mar 2000 18:21:43 -0000
From: egmont@FAZEKAS.HU
Subject: gpm-root
To: BUGTRAQ@SECURITYFOCUS.COM

Hi!

I've sent a report about the following security hole to the authors of gpm, but they seemed to ignore the problem.

The problem applies to every gpm version known by me, for example 1.18.1 and 1.19.0.

To exploit this problem, gpm-root must be running on a machine and the user needs both login to that machine and physical access to the keyboard and mouse.

gpm-root is a beautiful tool shipped in the gpm package. It pops up beautiful menus based on each user's own config file when Ctrl+Mousebutton is pressed on the console.

When the user selects one of his/her favourite utilities from his/her own list, gpm-root starts this process with the group and supplementary groups of the gpm-root daemon.

gpm-root calls setuid() first and setgid() afterwards, hence the latter one is unsuccessful. The authors completely forgot about calling initgroups().

bye

Egmont Koblinger
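
The call-order problem described in the message, as an added example that is not part of the original post and is not gpm source code. It uses a simplified, constructed model of process credentials instead of the real system calls, so the names `m_setuid`, `m_setgid`, `m_initgroups`, `drop_reported`, `drop_fixed` and the daemon's credentials (uid 0, gid 0, supplementary groups 0 and 5) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of process credentials; not gpm source code. */
struct creds { int uid, gid, ngroups, groups[4]; };

/* Simplified kernel rule: only uid 0 may change uid, gid or supplementary groups. */
static int m_setuid(struct creds *c, int uid) {
    if (c->uid != 0 && uid != c->uid) return -1;
    c->uid = uid; return 0;
}
static int m_setgid(struct creds *c, int gid) {
    if (c->uid != 0 && gid != c->gid) return -1;
    c->gid = gid; return 0;
}
/* Stands in for initgroups(): replaces the supplementary group list. */
static int m_initgroups(struct creds *c, const int *g, int n) {
    if (c->uid != 0 || n < 0 || n > 4) return -1;
    memcpy(c->groups, g, n * sizeof *g); c->ngroups = n; return 0;
}

/* Order from the report: setuid() first, setgid() afterwards, no initgroups(). */
int drop_reported(struct creds *c, int uid, int gid) {
    int rc = m_setuid(c, uid);
    return rc | m_setgid(c, gid);   /* setgid fails: caller is no longer uid 0 */
}

/* Corrected order: supplementary groups, then gid, then uid, each step checked. */
int drop_fixed(struct creds *c, int uid, int gid, const int *g, int n) {
    if (m_initgroups(c, g, n) != 0) return -1;
    if (m_setgid(c, gid) != 0) return -1;
    return m_setuid(c, uid);
}

/* Returns 1 if gid 0 is still held as primary or supplementary group. */
int holds_gid0(const struct creds *c) {
    if (c->gid == 0) return 1;
    for (int i = 0; i < c->ngroups; i++) if (c->groups[i] == 0) return 1;
    return 0;
}
/* Assumed daemon credentials: uid 0, gid 0, supplementary groups 0 and 5. */
struct creds daemon_creds(void) { struct creds c = {0, 0, 2, {0, 5}}; return c; }

int main(void) {
    int ug[] = {1000, 100};   /* constructed groups of the unprivileged user */
    struct creds a = daemon_creds(), b = daemon_creds();
    int ra = drop_reported(&a, 1000, 1000);
    int rb = drop_fixed(&b, 1000, 1000, ug, 2);
    printf("reported: rc=%d gid0=%d\n", ra, holds_gid0(&a));
    printf("fixed:    rc=%d gid0=%d\n", rb, holds_gid0(&b));
    return 0;
}
```

In real code the corrected sequence is `initgroups()`, `setgid()`, `setuid()`, with the return value of each call checked before the user's program is executed.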