Debian Developers - Bug#244751: /dev/tty[0-9]* should be chmod 0620, not 0660 -- or not?


Author: Goswin von Brederlow

Date: 2004-04-26, 7:37 pm

Osamu Aoki <osamu@debian.org> writes:

> I am talking about issues solved by this fix:
> With this bug present, any process in the system, that is, any user
> logged in or for example able to write to a random file, can 'control'
> an unused virtual terminal, because /dev/tty[0-9]* is world writable
> for high, unused ttys.
>
> With such sgid programs, anyone has decent access to these terminals.
>
> Am I confused about the situation?
>
> If we want to limit the console access to /dev/tty, it looks to me that
> we may need a bit careful arrangement.
>
> Osamu


You can start your own login prompt on an unused tty and record users'
passwords. I think this is a very real security risk. The sgid tty
programs are hopefully bug-free so they can't be used to start a fake
login program on a tty or similar.

With devfs /dev/tty is

crw-rw-rw- 1 root root 5, 0 Apr 27 00:15 /dev/tty

so ssh, gpg, su, ... all work as expected. But /dev/vc/* (/dev/tty??)
is:

crw------- 1 root root 4, 0 Jan 1 1970 0
crw------- 1 mrvn tty 4, 1 Apr 27 00:43 1
crw------- 1 root root 4, 10 Jan 1 1970 10
crw------- 1 root root 4, 11 Jan 1 1970 11
crw------- 1 mrvn mrvn 4, 7 Jan 1 1970 7

Running "mesg y" on the console gives:

crw--w---- 1 mrvn tty 4, 1 Apr 27 00:55 1

I haven't seen any software fail because of this.

MfG
Goswin


--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
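As an added example, not part of the bug report or of Goswin's message: a POSIX shell script that converts the ls -l mode strings quoted above into octal, classifies each node according to the risk discussed in the thread (other-writable: any user can write to the VT; 0660 root:tty: a setgid-tty helper can also read it; 0620, the "mesg y" case: group write only; 0600, "mesg n": owner only), and can optionally audit the live /dev/tty[0-9]* nodes. The function names, the "audit" argument and the reliance on GNU stat -c are my assumptions; the sample ls lines are constructed from the message, plus one 0660 root:tty line for the case named in the bug title.

```shell
#!/bin/sh
# Added example for Bug#244751 discussion, not Debian's or the poster's code.
# Assumes a POSIX sh; audit_ttys additionally assumes GNU stat (Linux).

# symbolic_to_octal "crw--w----" -> 620
# Converts a 10-character ls -l mode string to three octal digits.
# s/t in the execute slot count as x; the file-type character is ignored.
symbolic_to_octal() {
    case $1 in
        ??????????) ;;
        *) printf 'bad mode string: %s\n' "$1" >&2; return 1 ;;
    esac
    s=${1#?}                    # drop the type character (c = char device)
    out=''
    while [ -n "$s" ]; do
        triple=${s%"${s#???}"}  # first three characters
        s=${s#???}
        d=0
        case $triple in r??) d=$((d + 4)) ;; esac
        case $triple in ?w?) d=$((d + 2)) ;; esac
        case $triple in ??[xst]) d=$((d + 1)) ;; esac
        out="$out$d"
    done
    printf '%s\n' "$out"
}

# classify_tty_mode 0660 -> group-read-write
# Looks only at the last three octal digits (setuid/sticky bits ignored).
classify_tty_mode() {
    perm=${1#"${1%???}"}        # keep the last three octal digits
    g=${perm%?}; g=${g#?}       # group digit
    o=${perm#??}                # other digit
    if [ $((o & 2)) -ne 0 ]; then
        echo world-writable     # any process can talk to / fake a login on the VT
    elif [ $((g & 4)) -ne 0 ] && [ $((g & 2)) -ne 0 ]; then
        echo group-read-write   # 0660: sgid-tty helpers can read the terminal too
    elif [ $((g & 2)) -ne 0 ]; then
        echo group-write-only   # 0620: write(1)/wall(1) can send, not read
    else
        echo owner-only         # 0600: mesg n
    fi
}

# Constructed sample: the ls -l lines quoted in the message, plus a
# 0660 root:tty line for the permissions the bug title complains about.
demo_from_ls() {
    while read -r perms _links owner group _rest; do
        printf '%s %s:%s -> %s\n' "$perms" "$owner" "$group" \
            "$(classify_tty_mode "$(symbolic_to_octal "$perms")")"
    done <<'EOF'
crw-rw-rw- 1 root root 5, 0 Apr 27 00:15 /dev/tty
crw------- 1 mrvn tty 4, 1 Apr 27 00:43 1
crw--w---- 1 mrvn tty 4, 1 Apr 27 00:55 1
crw-rw---- 1 root tty 4, 7 Jan 1 1970 7
EOF
}

# Live check of the virtual terminals on this host (GNU stat assumed).
audit_ttys() {
    for dev in /dev/tty[0-9]*; do
        [ -c "$dev" ] || continue
        set -- $(stat -c '%a %U %G' "$dev" 2>/dev/null)
        [ -n "${1-}" ] || continue
        printf '%s %s %s:%s %s\n' "$dev" "$1" "$2" "$3" "$(classify_tty_mode "$1")"
    done
}

demo_from_ls
case ${1-} in audit) audit_ttys ;; esac
```

Run it as `sh tty_audit.sh` to see the classification of the quoted lines, or `sh tty_audit.sh audit` on a Linux host to list the real /dev/tty[0-9]* nodes; anything reported as world-writable is the situation Osamu describes, and group-read-write on a root:tty node is the 0660 case the bug title asks to tighten to 0620. The classification is purely about mode bits; whether a given setgid-tty helper can be abused is a separate question about that helper.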