Re: /dev/tty[0-9]* should be chmod 0620, not 0660 -- or not? [Was: Bug#244751 acknowledged by developer (Bug#244751: fixed in makedev 2.3.1-67)]
Hi, I am wandering how others felt on this 244751 fix. I felt this will
cause hassles for all local admin but does not really provide any gains
in the aimed objective.
On Sat, Apr 24, 2004 at 04:48:30PM +0200, Jan Minar wrote:
> On Fri, Apr 23, 2004 at 04:03:06PM -0700, Debian Bug Tracking System wrote:
> > * change default permission on tty devices from 0666 to 0660, which makes
> > denial of service attacks on the console by local users harder,
> > closes: #244751
>
> 0660 probably is too much; 0620 would be probably more appropriate.
> Would any of your devel people have problems with /dev/tty[0-9]* being
> not group readable?
I do not quite understand above but this new change of /sbin/MAKEDEV
certainly caused me to change my entire system. Now I have to list all
real uses as group "tty" to be able to use gpg, mutt/url_view etc. So
many packages are affected. /dev/tty?? is one thing but putting
restrictive permission to /dev/tty has caused hassle for me.
> Now the only programs I have here which are sgid tty are these 2:
>
> -rwxr-sr-x 1 root tty 9736 Dec 24 2002 /usr/bin/wall
> -rwxr-sr-x 1 root tty 7540 Jul 4 2002 /usr/bin/write
In my system:
-rwxr-sr-x 1 root tty 7960 Apr 11 01:27 bsd-write
-rwxr-sr-x 1 root tty 9816 Dec 7 04:35 wall
> ..And I know of one other one: talkd. These wouldn't use read
> permissions, afaik.
I wonder if we all want to put sgid tty for all tty accessing program
such as gpg. (Alternatively adding everyone to tty group)
Also, I wonder how much we gained from this fix. As long as we have
sgid tty program such as wall, we can write to terminal doing some damage :)
I am talking issues solved by this fix:
With this bug present, any process in the system, that is, any user
logged in or for example able to write to a random file, can 'control'
an unused virtual terminal, because /dev/tty[0-9]* is world writable
for high, unused tty's.
With such sgid programs, anyone have decent access to these terminals.
Am I confused about situation?
If we want to limit the console access to /dev/tty, it looks to me that
we may need a bit careful arrangement.
Osamu
Reply to: