Reply to post: Re: Those who fail to learn history are doomed to repeat it

This two-year-old X.org give-me-root hole is so trivial to exploit, you can fit it in a single tweet

Anonymous Coward

Re: Those who fail to learn history are doomed to repeat it

Good question.

Given that this flaw is not specific to Linux, and assuming that X.org on Linux and on OpenBSD is exactly the same (same source code), there must be some kind of common understanding between *nixes on this point.

Arguably, if my assumption is correct, this problem shows that the agreement that was reached between *nixes is misguided, and could probably do with some rethinking.

Presumably what's happened is that some additional functionality was added to X.org's command line processing, and the X.org team never considered that what they were adding mattered. After all, they're not the ones putting distributions together, and no one can expect them to keep a close eye on the myriad different installations of their software to see if anyone does something as crazy as giving it setuid root. Rather, it's the distro maintainers who have, not surprisingly perhaps, not been paying attention.

Which highlights the point that whilst a Linux installation or OpenBSD might be bang up to date with the latest and most secure versions of everything (kernel, userland), that can all be blown away by devolving responsibility for how all that is assembled into a distro to a bunch of people who clearly aren't doing their users every possible favour.

Arguably this situation, due to a lack of clear communication and cross-team working, is more likely to arise in projects formed from disparate teams with no starkly underlined mutual interest in self preservation, and less likely in a project from a single team whose employment depends in part on not getting stuff like this wrong. There's no one in the open source world who can sit above all the projects and command them to coordinate properly. So they don't always do that.

Personally speaking, I'd no idea that X.org was sometimes configured with the setuid bit set. For something as massive as X.org to have that sounds terrifyingly dangerous! Never mind this trivial escalation through its command line interface, what about other flaws in its implementation? There's a whole ton of code there within which a few nasty surprises could be lurking.
