[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

makedev,sysklogd: /dev/xconsole reveals privileged information to non-root users



Please CC any replies to <37204@bugs.debian.org>.

----- Forwarded message from branden -----

Date: Wed, 5 May 1999 14:13:02 -0400
To: submit@bugs.debian.org
Subject: makedev,sysklogd: /dev/xconsole reveals privileged information to non-root users
X-Mailer: Mutt 0.95.4i

Package: makedev,sysklogd
Version: 2.3.1-23,1.3-31
Severity: important

I am submitting this bug to both packages because there are two facts that
conflate to create a mild insecurity.

1) /dev/xconsole is world-readable
2) syslog sends messages to /dev/xconsole that are logged to files that are
   readable only by root

Therefore, the existence of /dev/xconsole permits user access to
information they would not otherwise have.

Since I maintain xconsole (it's in xbase-clients, which I maintain), I'd
like to discuss with you guys our options for closing up this information
leak.  Alternatively, to be consistent, we could change the permissions on
the log files used by lots of other packages to permit unprivileged
accounts access to this information, but I don't think that is a desirable
solution.

I do think the existing /dev/xconsole logging arrangement is useful for the
root user, or someone who has system administration duties.  I use xconsole
for this purpose myself.  But any old user could also use xconsole to find
out about email traffic (yet they cannot read the sendmail logs or
/var/spool/mqueue), ppp connection information (including a PAP password if
someone has the appropriate option turned on), and so forth.  This is not
desirable.

I can think of two solutions that seem reasonable to me:

1) Make /dev/xconsole mode 640, and give it a group ownership that
corresponds to something appropriate and with an implication of privilege.
The "wheel" group would be excellent, but we don't (I think) I have that.
Whether we use an existing group or a new group created for this purpose
does not matter to me, as long as it is appropriate to the task.  Users
with privileges could then be added to the group and would be able to read
xconsole as they also have.

2) Change what syslog echoes to /dev/xconsole such that it only matches
what goes to world-readable logfiles.  I don't fully grasp the syntax of
syslog.conf, but I'm not sure this is possible without a kludge.  The
alternative would be simply logging to /dev/xconsole only that which would
go to /dev/console or /dev/tty0 anyway, but that to me seems to defeat some
of the utility of xconsole.  It is easier for the inexperienced system
administrator to add users to a group than to tweak the syslog.conf file.

I would very much like comments from you guys and from the list to which I
CC'ed this mail.

-- 
G. Branden Robinson              |    Convictions are more dangerous enemies
Debian GNU/Linux                 |    of truth than lies.
branden@ecn.purdue.edu           |    -- Friedrich Nietzsche
cartoon.ecn.purdue.edu/~branden/ |



----- End forwarded message -----

-- 
G. Branden Robinson              |     I've made up my mind.  Don't try to
Debian GNU/Linux                 |     confuse me with the facts.
branden@ecn.purdue.edu           |     -- Indiana Senator Earl Landgrebe
cartoon.ecn.purdue.edu/~branden/ |

Attachment: pgpHMXpj4yc3o.pgp
Description: PGP signature


Reply to: