Debian Developers - Bug#244751: /dev/tty[0-9]* should be chmod 0620, not 0660 -- or not? [Was: Bug#244751


Author: Osamu Aoki
Date: 2004-04-26, 6:36 pm

Hi, I am wondering how others feel about this 244751 fix. I feel this will
cause hassles for all local admins but does not really provide any gains
in the aimed objective.

On Sat, Apr 24, 2004 at 04:48:30PM +0200, Jan Minar wrote:
> On Fri, Apr 23, 2004 at 04:03:06PM -0700, Debian Bug Tracking System wrote:
>
> 0660 probably is too much; 0620 would be probably more appropriate.
> Would any of your devel people have problems with /dev/tty[0-9]* being
> not group readable?


I do not quite understand the above, but this new change of /sbin/MAKEDEV
certainly caused me to change my entire system. Now I have to list all
real users as group "tty" to be able to use gpg, mutt/url_view etc. So
many packages are affected. /dev/tty?? is one thing, but putting
restrictive permissions on /dev/tty has caused hassle for me.

> Now the only programs I have here which are sgid tty are these 2:
>
> -rwxr-sr-x 1 root tty 9736 Dec 24 2002 /usr/bin/wall
> -rwxr-sr-x 1 root tty 7540 Jul 4 2002 /usr/bin/write


In my system:
-rwxr-sr-x 1 root tty 7960 Apr 11 01:27 bsd-write
-rwxr-sr-x 1 root tty 9816 Dec 7 04:35 wall

> ..And I know of one other one: talkd. These wouldn't use read
> permissions, afaik.


I wonder if we all want to put sgid tty on all tty-accessing programs
such as gpg. (Alternatively, adding everyone to the tty group.)

Also, I wonder how much we gained from this fix. As long as we have
sgid tty programs such as wall, we can write to the terminal, doing some damage.

I am talking about the issues solved by this fix:
With this bug present, any process in the system, that is, any user
logged in or for example able to write to a random file, can 'control'
an unused virtual terminal, because /dev/tty[0-9]* is world writable
for high, unused tty's.

With such sgid programs, anyone has decent access to these terminals.

Am I confused about the situation?

If we want to limit the console access to /dev/tty, it looks to me that
we may need a bit of careful arrangement.

Osamu
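
Added example, not part of the original message: a small audit for the modes debated above, flagging tty device nodes that are looser than 0620 and listing the setgid-tty binaries that keep write access. The function names and the sample node list are constructed for illustration; real input would come from `stat -c '%n %a' /dev/tty[0-9]*` (GNU stat).

```shell
#!/bin/sh
# Added example (not from the thread). Names and sample data are constructed.

# classify_tty_mode MODE: print one finding for an octal mode string.
classify_tty_mode() {
    m=$((0$1))                               # leading 0 forces octal parsing
    if   [ $(( $m & 0002 )) -ne 0 ]; then echo world-writable
    elif [ $(( $m & 0004 )) -ne 0 ]; then echo world-readable
    elif [ $(( $m & 0040 )) -ne 0 ]; then echo group-readable   # the 0660 case
    elif [ $(( $m & 0777 )) -eq $((0620)) ]; then echo ok
    else echo nonstandard
    fi
}

# audit_tty_modes: read "<path> <octal-mode>" lines on stdin and print
# "<path> <mode> <finding>" for every node that is not exactly 0620.
audit_tty_modes() {
    while read -r path mode; do
        [ -n "$path" ] || continue
        finding=$(classify_tty_mode "$mode")
        [ "$finding" = ok ] || echo "$path $mode $finding"
    done
}

# list_sgid_tty DIR: setgid files owned by group tty under DIR
# (wall and write in the thread). Not run on the sample data.
list_sgid_tty() {
    find "$1" -xdev -type f -perm -2000 -group tty 2>/dev/null
}

# Constructed sample input: one node per mode discussed in the thread.
sample_nodes() {
    cat <<'EOF'
/dev/tty1 620
/dev/tty2 660
/dev/tty63 666
EOF
}

sample_nodes | audit_tty_modes
```
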


