Package: makedev
Version: 2.3.1-58
Severity: important
Tags: security

Hi

Please check the permissions of /dev/tty([0-9])*, they seem to be a
free-for-all, which is no good. Thanks to Stephen Gran for telling me
who to bug.

The following patch would do, afaict:

--- /sbin/MAKEDEV.ORIG	Mon Apr 19 22:58:21 2004
+++ /sbin/MAKEDEV	Mon Apr 19 22:58:39 2004
@@ -14,7 +14,7 @@
 private=" root root 0600"
 system=" root root 0660"
 kmem=" root kmem 0640"
-tty=" root tty 0666"
+tty=" root tty 0600"
 cons=" root tty 0600"
 vcs=" root root 0600"
 dialout=" root dialout 0660"

This is the discussion on debian-security that led to this bug report:

On Mon, Apr 19, 2004 at 04:15:41PM -0400, Stephen Gran wrote:
> This one time, at band camp, Matt Zimmerman said:
> > On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote:
> > > % ssh kh
> > > jan@kh's password:
> > > Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
> > > % echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
> > > % while :; do echo -e '\033[12;63]' > /dev/tty63; done
> >
> > The relevant permissions are more restrictive with udev:
> >
> > crw------- 1 root root 4, 63 2004-03-17 16:23 /dev/tty63
>
> And on a newly installed sid box:
> crw------- 1 root tty 4, 63 2004-03-23 16:49 /dev/tty63
>
> No udev here. Previous installs may have had bad permissions, but
> current ones do not. Perhaps, Jan, if you're interested, file a bug
> against makedev or one of the other associated packages, asking them to
> check the permissions on these devices on upgrade, and correct if
> necessary. Seems trivial enough to do. A patch would probably not
> hurt.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2

Versions of packages makedev depends on:
ii  base-passwd  3.4.1  Debian Base System Password/Group
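Review bot: the hunk only changes the default the `tty` class gets when MAKEDEV creates a node (`tty=" root tty 0600"`), so an already installed system keeps whatever /dev/tty[0-9]* nodes it has; the quoted request was to check the permissions on these devices on upgrade and correct them, which needs a maintainer-script step (re-running MAKEDEV for the consoles, or an explicit chmod/chown of the existing nodes) in addition to this new default. Two smaller points: `tty` is a shared class variable, so confirm that every device created with it is a virtual console that should be root-only, and note that 0600 also drops access for group tty, which the quoted sid listing (`crw------- 1 root tty`) suggests is intended but which the changelog should say; and the diff is taken against the installed /sbin/MAKEDEV rather than the package source, so it needs re-basing before it can be applied.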
Attachment:
pgpMJZKZO9EsE.pgp
Description: PGP signature
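As an added example, not part of this bug report or of the makedev package: a POSIX shell audit in the spirit of Stephen Gran's suggestion to check the permissions on these devices and correct them. It flags every /dev/tty[0-9]* node whose "other" permission bits are non-zero and, with FIX=1 set and run as root, resets it to 0600 root:tty, the mode the patch above gives the tty class. The directory argument and the FIX variable are conventions of this example; `stat -c` assumes GNU coreutils, as on Debian.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the makedev package.
# Audits virtual-console device nodes (tty[0-9]*) for world-accessible modes
# and, with FIX=1 as root, resets them to 0600 root:tty, the mode the patch
# in the report sets for the tty class.
# Assumptions: GNU coreutils stat (as on Debian); the directory argument and
# the FIX environment variable are conventions of this example.

# Return 0 if the "other" permission bits of $1 grant any access, 1 if not,
# 2 if the file cannot be stat'ed.
world_accessible() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # The last octal digit of the mode is the "other" triplet (rwx for
    # everyone else); any non-zero value means some access for all users.
    other=${mode#"${mode%?}"}
    [ "$other" != "0" ]
}

# Print the number of world-accessible tty[0-9]* nodes under $1 (default /dev).
# The glob deliberately excludes ttyS*, ttyp* etc.: only virtual consoles.
count_world_accessible() {
    dir=${1:-/dev}
    n=0
    for dev in "$dir"/tty[0-9]*; do
        [ -e "$dev" ] || continue     # an unmatched glob stays literal
        if world_accessible "$dev"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Report every world-accessible tty[0-9]* node under $1 (default /dev) with
# its current mode and owner. With FIX=1 in the environment, chmod it to 0600
# and chown it root:tty. Returns 1 if any offender was found, else 0.
audit_ttys() {
    dir=${1:-/dev}
    found=0
    for dev in "$dir"/tty[0-9]*; do
        [ -e "$dev" ] || continue
        world_accessible "$dev" || continue
        found=1
        printf 'world-accessible: %s (%s)\n' "$dev" "$(stat -c '%a %U:%G' "$dev")"
        if [ "${FIX:-0}" = "1" ]; then
            chmod 0600 "$dev"
            chown root:tty "$dev" 2>/dev/null \
                || printf 'warning: chown root:tty %s failed (not root?)\n' "$dev" >&2
        fi
    done
    return "$found"
}

# Stand-alone use:  sh audit-ttys.sh --run [dir]   (FIX=1 as root to correct)
if [ "${1:-}" = "--run" ]; then
    audit_ttys "${2:-/dev}"
fi
```

Run `sh audit-ttys.sh --run` to list offenders on /dev, or `FIX=1 sh audit-ttys.sh --run` as root to correct them. Only the last octal digit is examined, so a console that is merely group-writable (say 0620 for group tty) is not reported; the report's concern is world-writability, which is what lets any local user write to root's console and push escape sequences such as the `\033[12;63]` in the quoted session at it.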