Date: Thu, 23 Mar 2000 21:40:54 +0100
From: Alessandro Rubini <rubini@LINUX.IT>
Subject: Re: gpm-root
To: BUGTRAQ@SECURITYFOCUS.COM

Hello Egmont.

> I've sent report about the following security hole to the
> authors of gpm, but they seemed to ignore the problem.

That's me, mainly. Unfortunately, I don't have any track of your
message about gpm-root.

> gpm-root is a beautiful tool shipped in the gpm package.

Not really that beautiful. It was just meant to be a demo, in the hope
someone will develop a real root-window tool. Anyways, it's
distributed, so I care(d) about its bugs.

> gpm-root calls setuid() first and setgid() afterwards, hence
> the later one is unsuccessful. The authors completely forgot
> about calling initgroups().

Thanks for your report, I'll fix it for 1.19.1, which I plan to
release in a few days. Since gpm is officially unmaintained,
gpm-1.19.1 will be the last one, hopefully, but I already had it on
schedule.

I want to thank Servio Medina for forwarding your message, as I
unsubscribed from bugtraq not long ago, due to excessive email load.

/alessandro
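
The ordering issue discussed in this message, shown as an added example that is not part of the original e-mail and is not gpm-root source: a root process that switches to a user's identity has to call initgroups(), then setgid(), then setuid(), and should verify the result. The function name `drop_privileges` and the sample identity ("nobody", uid/gid 65534) are assumptions made for illustration; the code assumes Linux with glibc.

```c
#define _DEFAULT_SOURCE   /* exposes initgroups() in <grp.h> on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Added illustration, not gpm-root source. Permanently switch a root
 * process to the identity (user, uid, gid). Returns 0 on success, -1 on
 * failure; a caller must treat -1 as fatal and stop acting for the user.
 */
int drop_privileges(const char *user, uid_t uid, gid_t gid)
{
    /* 1. Supplementary groups first: replaces root's group list with the
     *    user's. This needs privilege, so it must precede setuid(). */
    if (initgroups(user, gid) != 0)
        return -1;

    /* 2. Primary group next, while still root. Once setuid() has moved to
     *    a non-root uid the process can no longer change its gid, which
     *    is the ordering problem reported in the quoted text. */
    if (setgid(gid) != 0)
        return -1;

    /* 3. User id last. From root this sets real, effective and saved uid. */
    if (setuid(uid) != 0)
        return -1;

    /* 4. Verify the resulting identity instead of trusting return codes. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;

    /* 5. The drop must be irreversible: regaining root has to fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;

    return 0;
}

int main(void)
{
    /* Constructed sample identity: "nobody" with uid/gid 65534. */
    if (drop_privileges("nobody", 65534, 65534) != 0) {
        fprintf(stderr, "drop_privileges failed, refusing to continue\n");
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Started without root, the function fails at step 1 because initgroups() requires privilege, and the program exits rather than continuing with an unexpected identity.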