ANNOUNCE: GDM, the "You didn't see that" release


Yay, there is a security problem in (not in any previous release).
When the session was run it was run with egid set to the gdm group.
Fortunately, bash drops such privilages so vast majority of setups are
safe.  It however broke failsafe gnome session.  I don't think there are
any ways to exploit it on any linux distro.  But I do encourage everyone to

And now for the standard part of the release announcement:

Ahh, so you have no clue what gdm is?  Well if you've read this far ... let's
not get into that.  Gdm is GNOME Display Manager, the little daemon that lets
you log in to your computer.  It allows xdmcp multiple login displays,
selection of languages, multiple login sessions and generally is much cooler
then any xdm clone out there, mostly cuz it isn't an xdm clone to begin with.
I mean heck, it's even got a graphical configurator, so you don't have to use
the command line to hose your system anymore.


Highlights of

- SECURITY FIX! Make sure the egid is reset to the user gid before
  starting a session.  This could present a security risk under a
  certain circumstances, that is if your /bin/sh does not drop
  privilages.  It also fixes the failsafe gnome session

- PositionX and PositionY now take negative values that work
  like standard X geometries.  A negative value is an offset from
  the right/lower edge.

Note:  Gdm2 was originally written by Martin K. Petersen <mkp mkp net>,
and is now maintained by the Queen of England.  Although when she's not
answering her email I usually cover for her.

Note2:  If installing from the tarball do note that make install
overwrites most of the setup files, all except gdm.conf and gnomerc.
It will however save backups with the .orig extension first.

Note3:  Distributors, packagers.  Please, PLEASE use the standard Gnome
script when setting things up as gnome, or at least equivalently working
scripts.  It should never be OK to just exec gnome-session, that is
considered bad form.  The script needs to read (if available) the
~/.gnomerc and otherwise read the <sysconfdir>/gdm/gnomerc file.  This
allows users and administrators to setup custom startup for gnome.


Have fun,


PS:  I blame the terrorists for this latest security hole.  But the ever
vigilant forces of good, the defenders of freedom, and people with funny
hats, have once again been victorious against the evil evildoers of evil.
But despite this, the security hole got patched and here you go.

George <jirka 5z com>
   As long as people will accept crap, 
   it will be financially profitable to dispense it.
                       -- Dick Cavett, in "Playboy", 1971

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]