Please CC any replies to <37204@bugs.debian.org>.

----- Forwarded message from branden -----

Date: Wed, 5 May 1999 14:13:02 -0400
To: submit@bugs.debian.org
Subject: makedev,sysklogd: /dev/xconsole reveals privileged information to non-root users
X-Mailer: Mutt 0.95.4i

Package: makedev,sysklogd
Version: 2.3.1-23,1.3-31
Severity: important

I am submitting this bug to both packages because there are two facts that
conflate to create a mild insecurity.

1) /dev/xconsole is world-readable
2) syslog sends messages to /dev/xconsole that are logged to files that are
   readable only by root

Therefore, the existence of /dev/xconsole permits user access to information
they would not otherwise have.

Since I maintain xconsole (it's in xbase-clients, which I maintain), I'd like
to discuss with you guys our options for closing up this information leak.

Alternatively, to be consistent, we could change the permissions on the log
files used by lots of other packages to permit unprivileged accounts access to
this information, but I don't think that is a desirable solution.

I do think the existing /dev/xconsole logging arrangement is useful for the
root user, or someone who has system administration duties. I use xconsole
for this purpose myself. But any old user could also use xconsole to find out
about email traffic (yet they cannot read the sendmail logs or
/var/spool/mqueue), ppp connection information (including a PAP password if
someone has the appropriate option turned on), and so forth. This is not
desirable.

I can think of two solutions that seem reasonable to me:

1) Make /dev/xconsole mode 640, and give it a group ownership that corresponds
   to something appropriate and with an implication of privilege. The "wheel"
   group would be excellent, but we don't (I think) have that. Whether we use
   an existing group or a new group created for this purpose does not matter
   to me, as long as it is appropriate to the task. Users with privileges
   could then be added to the group and would be able to read xconsole as they
   also have.

2) Change what syslog echoes to /dev/xconsole such that it only matches what
   goes to world-readable logfiles. I don't fully grasp the syntax of
   syslog.conf, but I'm not sure this is possible without a kludge. The
   alternative would be simply logging to /dev/xconsole only that which would
   go to /dev/console or /dev/tty0 anyway, but that to me seems to defeat some
   of the utility of xconsole. It is easier for the inexperienced system
   administrator to add users to a group than to tweak the syslog.conf file.

I would very much like comments from you guys and from the list to which I
CC'ed this mail.

-- 
G. Branden Robinson              |    Convictions are more dangerous enemies
Debian GNU/Linux                 |    of truth than lies.
branden@ecn.purdue.edu           |    -- Friedrich Nietzsche
cartoon.ecn.purdue.edu/~branden/ |

----- End forwarded message -----

-- 
G. Branden Robinson              |    I've made up my mind.  Don't try to
Debian GNU/Linux                 |    confuse me with the facts.
branden@ecn.purdue.edu           |    -- Indiana Senator Earl Landgrebe
cartoon.ecn.purdue.edu/~branden/ |
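The condition described in the report above, a syslog destination that unprivileged users can read, can be checked mechanically. The following is an added example, not part of the original message or of either package: it assumes sysklogd-style syslog.conf syntax, the function names (world_readable_sinks, make_fixture, demo) are hypothetical, and the paths and config it runs against are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: flag syslog.conf destinations that "other" can read.

# Print each file/FIFO destination named in a sysklogd-style config
# ($1) whose mode has the world-read bit set.
world_readable_sinks() {
    awk '
        { sub(/[ \t]+$/, "") }                       # trim trailing blanks
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next } # join continuation lines
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { next }
        {
            n = split(line, f, /[ \t]+/); act = f[n] # action is the last field
            sub(/^[-|]/, "", act)                    # "-/file" no-sync, "|/fifo" pipe
            if (act ~ /^\//) print act               # skip @host, user lists, *
        }
    ' "$1" | sort -u | while IFS= read -r path; do
        # -perm -004 is true when the "other" read bit is set
        if [ -e "$path" ]; then find "$path" -prune -perm -004 -print; fi
    done
}

# Build a constructed fixture under directory $1: a FIFO standing in for
# /dev/xconsole (mode 644) and a log file readable by owner and group only.
make_fixture() {
    mkfifo "$1/xconsole" && chmod 644 "$1/xconsole"
    : > "$1/mail.log" && chmod 640 "$1/mail.log"
    cat > "$1/syslog.conf" <<EOF
# constructed sample, not a shipped Debian config
mail.*				-$1/mail.log
daemon.*;mail.*;\\
	*.=info;*.=notice	|$1/xconsole
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    make_fixture "$d"
    echo "world-readable sinks before:"; world_readable_sinks "$d/syslog.conf"
    chmod 640 "$d/xconsole"   # option 1 from the report (group choice left open)
    echo "world-readable sinks after:"; world_readable_sinks "$d/syslog.conf"
    rm -rf "$d"
}
demo
```

Run against a real configuration with `world_readable_sinks /etc/syslog.conf`; any path it prints receives log traffic and is readable by every local account.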