Re: /dev/ttyS? dialin/dialout and modes.
According to Andreas Jellinghaus:
> On Apr 28, Miquel van Smoorenburg wrote
> > According to Andreas Jellinghaus:
> > > > Now I see that the bootfloppies have the /dev/ttySx devices owned by
> > > > root instead of uucp. I think this is a bug, but I don't know how
> > > > to file a bug report against the disks-i386 directory..
> > >
> > > i don't know why they should be owned by uucp ...
> >
> > Because uucp needs to access the dialout devices without being in
> > group dialout.
>
> why ? do you think it's insecure to put uucp in group dialout ?
> or do you think it's insecure to have uucico sgid uucp ?
No, you can't put uucp in the group dialout. I know what you mean; just
add uucp to the dialout group in /etc/group, right? But that only
works on login, because /bin/login calls initgroups() and you have to
be root to do that.
> it's just : uucp is a very important package, and debian supports it, but
> it's definitely not the only package. with the same argumentation we
> could change all tty* and cu* devices to user "ifmail", because ifmail
> (fido program doing uucp, mail & news) is also important, and same
> discussion for and against uucp can be used with an s/uu/if/g.
True. As I said your arguments are convincing and I am still trying
to get mine together :)
> > But that's the point. uucico -shouldn't- be setgid because it wasn't
> > designed to be setgid. It should also be in group uucp, so that
> > other programs can call it that are setgid uucp.
>
> ok. put user uucp in group dialout. that's a good security policy imo.
That's impossible as I explained above.
> > > and uucico is also suid uucp, so any program can call it (it doesn't
> > > need to be also sgid uucp).
> >
> > No, but other setgid uucp programs should be able to call uucico.
>
> hmmm ? maybe i don't understand permissions : why is a sgid uucp
> program not able to call uucico ? i can do that, and i'm just a user
> (ok, in group dialout etc...)
Because the permissions are wrong at the moment. I want uucico to be
in group uucp, and not executable for "others".
> > In the mean time, I've filed bug reports against all getty packages
> > to set the modes to uucp:dialout/0660. While that isn't perfect
> > if you are right and root:dialout would be better, it is the first
> > step in the right direction.
>
> and what is wrong with user uucp being in group dialout ?
See above
Mike.
--
| Miquel van | "I need more space" "Well, why not move to Texas" |
| miquels@cistron.nl | "No, on my account, stupid." "Stupid? Uh-oh.." |
| PGP fingerprint: FE 66 52 4F CD 59 A5 36 7F 39 8B 20 F1 D6 74 02 |
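
The point made in the message above, that a group added in /etc/group reaches a process only through initgroups() at login, can be checked on a running system. The C program below is an added example, not part of the original message; it assumes Linux with glibc, and the names groups_not_held and check_current_process are made up for illustration.

```c
/* Added example (Linux/glibc assumed): database groups this process lacks. */
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

#define MAXG 256

/* Copy every gid of db[] that is absent from held[] into out[]; return the count. */
int groups_not_held(const gid_t *db, int ndb, const gid_t *held, int nheld, gid_t *out)
{
    int n = 0;
    for (int i = 0; i < ndb; i++) {
        int found = 0;
        for (int j = 0; j < nheld && !found; j++)
            found = (db[i] == held[j]);
        if (!found)
            out[n++] = db[i];
    }
    return n;
}

/* Run the comparison for the current process; -1 on lookup failure. */
int check_current_process(gid_t *missing)
{
    gid_t held[MAXG + 1], db[MAXG];
    int ndb = MAXG;
    struct passwd *pw = getpwuid(geteuid());   /* e.g. uucp when setuid uucp */
    int nheld = getgroups(MAXG, held);         /* inherited from the caller */
    if (!pw || nheld < 0)
        return -1;
    held[nheld++] = getegid();                 /* not always in getgroups() */
    if (getgrouplist(pw->pw_name, pw->pw_gid, db, &ndb) < 0)
        return -1;
    return groups_not_held(db, ndb, held, nheld, missing);
}

int main(void)
{
    gid_t missing[MAXG];
    int n = check_current_process(missing);
    if (n < 0) { fprintf(stderr, "group lookup failed\n"); return 1; }
    for (int i = 0; i < n; i++) {
        struct group *g = getgrgid(missing[i]);
        printf("in database, not held: %s (%d)\n", g ? g->gr_name : "?", (int)missing[i]);
    }
    return 0;
}
```

In a process that became uucp through the setuid bit, getgroups() still returns the invoking user's groups, so a dialout entry for uucp in /etc/group is reported as not held.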