Bug#1099697: initramfs-tools: please change default /dev/pts mode to 0600
Package: initramfs-tools
Version: 0.145
Severity: important
Hi,
in the past there were security concerns (and security issues
raised) around other users writing to each other's terminals. Some of
this was worked around in util-linux, cf. CVE-2024-28085.
A fuller fix is to disallow unrelated users from writing to each other's
terminals by default.
I understand it might be a bit late for this bug report to reach
you, but I /thought/ systemd mounts /dev/pts as part of its boot
process. systemd has (after taking some time) applied their part of
the fix, but it turns out systemd does -not- mount or remount
/dev/pts in Debian's default setup. Instead the mount flags from
initramfs-tools are used.
Theoretically we have TTYPERM in /etc/login.defs, but it appears
almost nothing cares about this value. Please find a patch attached
following the change from 0620 to 0600 for initramfs-tools.
Please apply this for trixie.
Again sorry for not sending this earlier, I didn't realise
initramfs-tools was involved.
Thanks,
Chris
From 319cdc98f15d3213f58610141a84b5c67a8a1ebc Mon Sep 17 00:00:00 2001
From: Chris Hofstaedtler <zeha@debian.org>
Date: Thu, 6 Mar 2025 22:44:01 +0100
Subject: [PATCH] Tighten /dev/pts permissions
Apply a fuller fix for CVE-2024-28085 and remove g+w from
pseudo-terminals by default.
Signed-off-by: Chris Hofstaedtler <zeha@debian.org>
---
init | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/init b/init
index 5552c64..1bd9669 100755
--- a/init
+++ b/init
@@ -42,7 +42,7 @@ mount -t devtmpfs -o nosuid,mode=0755 udev /dev
[ ! -h /dev/stderr ] && ln -s /proc/self/fd/2 /dev/stderr
mkdir /dev/pts
-mount -t devpts -o noexec,nosuid,gid=5,mode=0620 devpts /dev/pts || true
+mount -t devpts -o noexec,nosuid,gid=5,mode=0600 devpts /dev/pts || true
# Export the dpkg architecture
export DPKG_ARCH=
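Review bot: the new mount line keeps gid=5 next to mode=0600, so the tty group now only owns the pty without any access it can use; a one-line comment above the mount saying that group write is dropped on purpose (the fuller CVE-2024-28085 fix named in the commit message) would stop a later change from "fixing" 0600 back to 0620, and the commit message could also state that TTYPERM in /etc/login.defs is not consulted here, since that is why the value lives in init at all. The trailing `|| true` still hides a failed devpts mount, which is unchanged by this patch but worth keeping in mind when verifying the new mode on a booted system.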
--
2.47.2
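As an added example (not part of this report or of the initramfs-tools patch), a POSIX shell check that reads a mount table in /proc/self/mounts format and reports whether devpts still grants group or other write on pseudo-terminals; the two sample mount lines are constructed, and the kernel prints the option as mode=600 rather than the 0600 given to mount(8).

```shell
#!/bin/sh
# Check whether the devpts mount still grants group/other write (mode=0620)
# instead of the tightened mode=0600. Pipe /proc/self/mounts into the
# functions, e.g.:  pts_mode_is_strict < /proc/self/mounts

# Constructed sample mount-table lines (same column layout as /proc/self/mounts).
SAMPLE_LOOSE='devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0'
SAMPLE_STRICT='devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=600,ptmxmode=000 0 0'

# Print the "mode=" value of the first devpts mount read from stdin; prints
# nothing if there is no devpts mount or it carries no mode option.
devpts_mode() {
    awk '$3 == "devpts" {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^mode=/) { sub(/^mode=/, "", opts[i]); print opts[i]; exit }
    }'
}

# Return 0 when the devpts mode has no write bit for group or other,
# 1 when it does or when no devpts mode could be found.
pts_mode_is_strict() {
    mode=$(devpts_mode)
    [ -n "$mode" ] || return 1
    # Normalise to exactly three octal digits (user, group, other):
    # drop leading digits such as the "0" of 0600, pad short values.
    while [ ${#mode} -gt 3 ]; do mode=${mode#?}; done
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done
    group=${mode#?}; group=${group%?}   # middle digit
    other=${mode##??}                   # last digit
    # The write bit is 2 within each octal digit.
    [ $(( (group & 2) == 0 && (other & 2) == 0 )) -eq 1 ]
}
```

On a running trixie system, `pts_mode_is_strict < /proc/self/mounts || echo "devpts is still group-writable"` shows whether the initramfs mount options from this patch took effect.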