
Re: /dev/tty[0-9]* should be chmod 0620, not 0660 -- or not?



Osamu Aoki <osamu@debian.org> writes:

> I am talking about issues solved by this fix:
>  With this bug present, any process in the system, that is, any user
>  logged in or for example able to write to a random file, can 'control'
>  an unused virtual terminal, because /dev/tty[0-9]* is world writable
>  for high, unused ttys.
>
> With such sgid programs, anyone has decent access to these terminals.
>
> Am I confused about the situation?
>
> If we want to limit the console access to /dev/tty, it looks to me that
> we may need a bit of careful arrangement.
>
> Osamu

You can start your own login prompt on an unused tty and record users'
passwords. I think this is a very real security risk. The sgid tty
programs are hopefully bug-free so they can't be used to start a fake
login program on a tty or similar.

With devfs /dev/tty is

crw-rw-rw-    1 root     root       5,   0 Apr 27 00:15 /dev/tty

so ssh, gpg, su, ... all work as expected. But /dev/vc/* (/dev/tty??)
is:

crw-------    1 root     root       4,   0 Jan  1  1970 0
crw-------    1 mrvn     tty        4,   1 Apr 27 00:43 1
crw-------    1 root     root       4,  10 Jan  1  1970 10
crw-------    1 root     root       4,  11 Jan  1  1970 11
crw-------    1 mrvn     mrvn       4,   7 Jan  1  1970 7

Running "mesg y" on the console gives:

crw--w----    1 mrvn     tty        4,   1 Apr 27 00:55 1

I haven't seen any software fail because of this.

MfG
        Goswin
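
A defensive check for the condition discussed in this thread, added here as an example and not part of either poster's message: it flags virtual-terminal nodes that are world-accessible, group-readable (the 0660 case), or group-writable by a group other than tty. GNU stat, the group name "tty" and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit VT device nodes against the 0600 / 0620 modes
# shown in this thread. /dev/tty (5,0) is deliberately not matched by
# the glob below; it is expected to be 0666.

# check_tty_mode MODE GROUP -> prints a verdict, returns 0 only for "ok".
check_tty_mode() {
    perms=$(( 0$1 & 0777 ))            # octal mode string, e.g. 620 or 0660
    if [ $(( $perms & 0002 )) -ne 0 ]; then
        echo "world-writable"          # any local process can open the VT
    elif [ $(( $perms & 0004 )) -ne 0 ]; then
        echo "world-readable"
    elif [ $(( $perms & 0040 )) -ne 0 ]; then
        echo "group-readable"          # the 0660 case from the subject line
    elif [ $(( $perms & 0020 )) -ne 0 ] && [ "$2" != "tty" ]; then
        echo "group-writable-not-tty"  # g+w is only expected for group tty
    else
        echo "ok"
        return 0
    fi
    return 1
}

# audit_ttys DEVICE... -> prints one line per finding, returns 1 if any.
audit_ttys() {
    bad=0
    for dev in "$@"; do
        [ -c "$dev" ] || continue      # skip unmatched globs and non-devices
        mode=$(stat -c %a "$dev") || continue
        owner=$(stat -c %U "$dev")
        group=$(stat -c %G "$dev")
        verdict=$(check_tty_mode "$mode" "$group") || {
            echo "$dev: $verdict (mode $mode, $owner:$group)"
            bad=1
        }
    done
    return $bad
}

# Run against the local virtual terminals when executed directly.
audit_ttys /dev/tty[0-9]* || echo "review the findings listed above"
```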