02 Sep 2002 15:20 freaxje

Gnome2 0.2.5

The Gnome2 branch will be the default branch in freshmeat
from now on (I assume that very soon most people will run
a gnome2 desktop anyway)

The 0.2.5 release fixes a few issues, like the buttons, which are
now switched (to comply with the Gnome HIG), and the -e
option, which is now fixed.

Future releases will include the fact that I will rewrite the
argument parsing with getopt/opt, as this is one of the gnome2-incompatible
things in xsu's sources. I will also try to get rid of
the zvt widget dependency and create my own tty on a
file descriptor to get the password in su's getpass() function.
This technique is also used by the loki-setup tool (the latest
version uses parts of gnome xsu to gain its root access) to
reduce dependencies (so file size).

Feel free to help me if you are interested. Also documentation
and automake fixes are appreciated. I have not set up a
mailing list for gnome xsu, so you can check out the AUTHORS
file in the tarball to get my contact info.

29 Aug 2002 06:47 freaxje

Current CVS
In current CVS (module xsu2) the OK and Cancel buttons are switched to comply with the Gnome HIG standards. Thanks to Sean Middleditch for informing me about this problem.
This switching of buttons will be available in the next release also, of course.

28 Aug 2002 18:56 freaxje

The 0.2.4 version is actually two versions:

The Gnome 2.0 port and the Gnome 1.x version.
The Gnome 1.x version will be the latest release. All other
Gnome 1.x releases will be bugfixes for 0.2.4. Future
development will be on the Gnome 2.x version of Gnome
Xsu, which is called xsu2-0.2.4

22 Mar 2002 12:37 freaxje


The OK and Cancel buttons are fixed to support multiple languages. This bug was reported by Robert Millan.
Added the -- argument, which stops argument parsing. This new argument is in experimental stage. This suggestion was made by Jeff Licquia.

Max length of the textboxes is now unlimited

22 Nov 2001 10:30 freaxje

So ..

This version fixes the PATH problem.

21 Nov 2001 03:22 freaxje

Re: Next version

Oh, I don't want to steal credits. It was Havoc P. who notified me about these issues.

21 Nov 2001 03:20 freaxje

Next version

Okay, I admit.. there is a minor known security issue :

In version 0.2.1 I am using execlp() which will export the PATH of the user who is running Gnome Xsu. If this user has the current directory in his PATH, then an intruder could use this directory to put a fake 'su' command in it. This issue has been fixed in the current CVS tree and will be released in the next version (0.2.2).

There is also an issue about using the ZvtTerm widget for passing the password to the Unix 'su' command. I don't know yet how to fix this. Basically, to fix this possible issue, I will have to replace all ZvtTerm code with another method for passing the data to the Unix 'su' getpass() function.

I am, however, not sure how important this issue is. I mean .. it's only the user who is "running" Gnome Xsu who can exploit Gnome Xsu. I don't really see the point of that.. oh well, maybe for systems where more than one person is using one username. (Which is stupid of course).
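
The PATH lookup problem described in the post above, as an added example that is not part of the original post or of Gnome Xsu's sources: a check for PATH entries that let execlp() pick up a program from the current directory, next to a launch that avoids the search altogether. `SU_PATH`, the fixed environment and both function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SU_PATH "/bin/su" /* assumed location of su; adjust per system */

/* Returns 1 if execlp()/execvp() could resolve a bare "su" from the current
 * directory under this PATH: an empty entry (leading, trailing or doubled
 * ':'), "." or any other entry that does not start with '/'. */
int path_has_relative_entry(const char *path)
{
    if (path == NULL)
        return 1; /* PATH unset: the search is implementation-defined */
    for (const char *p = path;;) {
        size_t len = strcspn(p, ":");
        if (len == 0 || p[0] != '/')
            return 1;
        if (p[len] == '\0')
            return 0;
        p += len + 1;
    }
}

/* Hardened launch: an absolute path means no PATH search at all, and a fixed
 * environment keeps the caller's PATH out of su and the command it runs.
 * Variables the command needs (e.g. DISPLAY) would be added explicitly. */
int exec_su_fixed(const char *user, const char *command)
{
    char *const argv[] = { "su", "-c", (char *)command, (char *)user, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    execve(SU_PATH, argv, envp);
    return -1; /* reached only if execve() failed */
}

int main(void)
{
    /* Constructed PATH values, not taken from any real system. */
    const char *samples[] = { "/usr/bin:/bin", ".:/usr/bin", "/usr/bin:", "bin" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               path_has_relative_entry(samples[i]) ? "unsafe for execlp" : "ok");
    return 0;
}
```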

08 Nov 2001 02:43 freaxje

As promised, the following changes have been included with the 0.2.1 release :

Major Changes :
Gnome Xsu no longer uses the system() call to execute the su command. It will use the execlp() call. This does not call "/bin/sh" before running the "su" command. The advantage of this is that it's easier to get the text which "su" sends to the terminal. This text (in case of error) will be displayed in a gnome dialog box. So if the password was incorrect, Gnome Xsu will display it in a gnome dialog box.
Minor Security fixes:
Because the "xsu" program remains in memory until su ends, the strings which you typed in the textboxes also remain in memory. In this release, the password textbox is cleared once the password has been sent to the faked terminal where su is launched.
Minor options added :
* The --change-display "hostname:port" option allows you to set the DISPLAY environment variable at the command line. If no hostname is set, it will use ":0" as default (localhost).

* The configure script options --debug, --su-pwd-out and --max-su-delay. Read about these options in the documentation before using them.

Minor fixes :
* The manpages have been fixed
* The configure script has been fixed (--prefix, --man-base, --doc-path)
* Some general fixes

07 Nov 2001 05:30 freaxje

Next version

I am currently working on the 0.2.1 version which will already have the following changes :

* Some documentation fixes (suidxsu removals, etc)
* Some configure script fixes (suidxsu removals)
* manpage fixes (suidxsu removals)
* -a/--set-display option added. This will set your DISPLAY environment variable before starting the command.
* Minor security fix : clear the password textbox once we don't need it anymore.

If you have other suggestions, E-Mail them to me a.s.a.p.

Oh, and I received a confirmation from their maintainer that Gnome Xsu will probably be included with Mandrake Cooker soon.

05 Nov 2001 08:21 freaxje


Version 0.2.0 does not use its own suidxsu program anymore. Instead it uses the standard su command and fakes a terminal to send the password to it.

I guess that fixes all security issues.


