https://community.hpe.com/t5/operating-system-hp-ux/xterm-has-setuid-enabled/m-p/3590733#M827490 Hmm, looks like PHSS_30791 is related to this problem. I can reproduce the vulnerability with it, but with an older patchlevel it seems to be not vulnerable.<BR /><BR />Xterm needs setuid root only for marking the session to /etc/utmp. You can remove the setuid bit to avoid the vulnerability, but then commands that use utmp (like "w", "write" and "talk" for example) lose some functionality for xterm sessions. Wed, 27 Jul 2005 08:11:06 GMT Matti_Kurkela 2005-07-27T08:11:06Z https://community.hpe.com/t5/operating-system-hp-ux/xterm-has-setuid-enabled/m-p/3590732#M827489 If you have a user belonging only to the group users you still can execute, read and write to files not belonging to the users group if you launch xterm.<BR /><BR />Some details to help you:<BR />user u7514434 specifics:<BR />[/tmp] whoami <BR />u7514434<BR />[/tmp] id<BR />uid=7514434(u7514434) gid=20(users)<BR /><BR />Another user's specifics:<BR />[/tmp] whoami<BR />dmsys<BR />[/tmp] id<BR />uid=124(dmsys) gid=150(dmtool)<BR /><BR />I have a script with the following security settings:<BR />-rwxr-xr-- 1 dmsys dmtool 20 Jul 27 10:08 /tmp/test.sh<BR />So only dmsys can launch and change the script and only users of group dmtool can launch the script but not change it. This script only echoes "test" to the screen.<BR /><BR />Now I login as u7514434 and launch xterm like this:<BR />LOGNAME=dmsys /usr/bin/X11/xterm<BR /><BR />Then I do the following:<BR />[/tmp] whoami<BR />u7514434<BR />[/tmp] id<BR />uid=7514434(u7514434) gid=20(users) groups=150(dmtool)<BR />[/tmp] ./test.sh<BR />test<BR /><BR /><BR />Oeps, suddenly I belong to the group dmtool and can launch the script. I cannot change its contents.<BR /><BR />If however I use /usr/contrib/bin/X11/xterm instead of /usr/bin/X11/xterm then I'm not able to hack into the dmtool group.<BR /><BR />Other things to know:<BR />HP-UX B.11.11 U 9000/800<BR />[/tmp] ll /usr/bin/X11/xterm <BR />-r-sr-xr-x 1 root bin 663552 Apr 16 2004 /usr/bin/X11/xterm<BR />[/tmp] ll /usr/contrib/bin/X11/xterm<BR />-r-sr-xr-x 1 root bin 385024 Nov 14 2000 /usr/contrib/bin/X11/xterm<BR /><BR />For both version of xterm the setuid is active. Why is this?<BR /><BR />Thanks for any reply.<BR />Herman. Wed, 27 Jul 2005 03:38:02 GMT https://community.hpe.com/t5/operating-system-hp-ux/xterm-has-setuid-enabled/m-p/3590732#M827489 Herman Vanbrussel 2005-07-27T03:38:02Z https://community.hpe.com/t5/operating-system-hp-ux/xterm-has-setuid-enabled/m-p/3590733#M827490 Hmm, looks like PHSS_30791 is related to this problem. I can reproduce the vulnerability with it, but with an older patchlevel it seems to be not vulnerable.<BR /><BR />Xterm needs setuid root only for marking the session to /etc/utmp. You can remove the setuid bit to avoid the vulnerability, but then commands that use utmp (like "w", "write" and "talk" for example) lose some functionality for xterm sessions. Wed, 27 Jul 2005 08:11:06 GMT https://community.hpe.com/t5/operating-system-hp-ux/xterm-has-setuid-enabled/m-p/3590733#M827490 Matti_Kurkela 2005-07-27T08:11:06Z