[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: /dev/ttyS? dialin/dialout and modes.

On Apr 28, Miquel van Smoorenburg wrote
> According to Andreas Jellinghaus:
> > > Now I see that the bootfloppies have the /dev/ttySx devices owned by
> > > root instead of uucp. I think this is a bug, but I don't know how
> > > to file a bug report against the disks-i386 directory..
> > 
> > i don't know why they should be owned by uucp ...
> Because uucp needs to access the dialout devices without being in
> group dialout.

why ? do you think it's insecure to put uucp in group dialout ?
or do you think it's insecure to have uucico sgid uucp ?

it's yust : uucp is a very important package, and debian support it, but
it's definitiv not the only package. with the same argumentation we
could change all tty* and cu* devices to user "ifmail", because ifmail
(fido programm doing uucp, mail & news) is also important, and same
discussion for and against uucp can be used with an s/uu/if/g.

> > > Note that UUCP still is an important subsystem, and that currently some
> > > parts of it (uucico) are setgid dialout, and so other programs have to
> > > be setuid uucp to call uucico etc. 
> > 
> > ??? uucico is sgid dialout, so it can access /dev/tty*. no need to
> > change owner to uucp...
> But that's the point. uucico -shouldn't- be setgid because it wasn't
> designed to be setgid. It should also be in group uucp, so that
> other programs can call it that are setgid uucp.

ok. put user uucp in group dialout. that's a good security policy imo.
changing all devices because of one program, is unfair to other programs
like ifmail. ok, uucp is the most important programs, but why favour
uucp above ifmail ?

> > and uucico is also suid uucp, so any program can call it (it doesn't
> > need to be also sgid uucp).
> No, but other setgid uucp programs should be able to call uucico.

hmmm ? mabye i don't understand permissions : why is a sgid uucp
progra, not be able to call uucico ? i can do that, and i'm yust a user
(ok, in group dialout etc...)

> In the mean time, I've filed bug reports against all getty packages
> to set the modes to uucp:dialout/0660. While that isn't perfect
> if you are right and root:dialout would be better, it is the first
> step in the right direction.

and what is wrong with user uucp being in group dialout ?
that will also solve the problem, and is (imo) a fine soultion.
devices could still be root.dialout, and uucico doesn't need to be sgid

maybe i'm crnaky, but i don't like this solution, yust because the other
soluions are not the normal way, maybe not secure (i can't see why),
"better". or i'm yust so curios about this, so i ask till i get a
satifying reason...

regards, andreas

TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to: