
Re: /dev/ttyS? dialin/dialout and modes.



According to Andreas Jellinghaus:
> On Apr 28, Miquel van Smoorenburg wrote
> > According to Andreas Jellinghaus:
> > > > Now I see that the bootfloppies have the /dev/ttySx devices owned by
> > > > root instead of uucp. I think this is a bug, but I don't know how
> > > > to file a bug report against the disks-i386 directory..
> > > 
> > > i don't know why they should be owned by uucp ...
> > 
> > Because uucp needs to access the dialout devices without being in
> > group dialout.
> 
> why ? do you think it's insecure to put uucp in group dialout ?
> or do you think it's insecure to have uucico sgid uucp ?

No, you can't put uucp in the group dialout. I know what you mean; just
add uucp to the dialout group in /etc/group, right? But that only
works on login, because /bin/login calls initgroups() and you have to
be root to do that.

> it's just : uucp is a very important package, and debian supports it, but
> it's definitely not the only package. with the same argumentation we
> could change all tty* and cu* devices to user "ifmail", because ifmail
> (fido program doing uucp, mail & news) is also important, and same
> discussion for and against uucp can be used with an s/uu/if/g.

True. As I said your arguments are convincing and I am still trying
to get mine together :)

> > But that's the point. uucico -shouldn't- be setgid because it wasn't
> > designed to be setgid. It should also be in group uucp, so that
> > other programs can call it that are setgid uucp.
> 
> ok. put user uucp in group dialout. that's a good security policy imo.

That's impossible as I explained above.

> > > and uucico is also suid uucp, so any program can call it (it doesn't
> > > need to be also sgid uucp).
> > 
> > No, but other setgid uucp programs should be able to call uucico.
> 
> hmmm ? maybe i don't understand permissions : why is a sgid uucp
> program not able to call uucico ? i can do that, and i'm just a user
> (ok, in group dialout etc...)

Because the permissions are wrong at the moment. I want uucico to be
in group uucp, and not executable for "others".

> > In the mean time, I've filed bug reports against all getty packages
> > to set the modes to uucp:dialout/0660. While that isn't perfect
> > if you are right and root:dialout would be better, it is the first
> > step in the right direction.
> 
> and what is wrong with user uucp being in group dialout ?

See above

Mike.
-- 
|    Miquel van      |  "I need more space" "Well, why not move to Texas" |
| miquels@cistron.nl |  "No, on my account, stupid." "Stupid? Uh-oh.."    |
|   PGP fingerprint: FE 66 52 4F CD 59 A5 36  7F 39 8B 20 F1 D6 74 02     |

