Re: makedev: /dev/tty([0-9])* should not have 666 permissions
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
plhofmei@Oneill:~$ ls -l /dev/tty0
crw------- 1 root root 4, 0 Jul 19 2002 /dev/tty0
plhofmei@Oneill:~$ ls -l /dev/tty1
crw------- 1 root root 4, 1 Apr 18 21:03 /dev/tty1
plhofmei@Oneill:~$ ls -l /dev/tty2
crw------- 1 root root 4, 2 Apr 18 21:03 /dev/tty2
plhofmei@Oneill:~$ ls -l /dev/tty3
crw------- 1 root root 4, 3 Apr 18 21:03 /dev/tty3
plhofmei@Oneill:~$ ls -l /dev/tty4
crw------- 1 root root 4, 4 Apr 18 21:03 /dev/tty4
plhofmei@Oneill:~$ ls -l /dev/tty5
crw------- 1 root root 4, 5 Apr 18 21:03 /dev/tty5
plhofmei@Oneill:~$ ls -l /dev/tty6
crw------- 1 root root 4, 6 Apr 18 21:03 /dev/tty6
Yes, the others are 666. Does it matter? Are they used or just
pointless character devices?
On Mon, 19 Apr 2004 at 05:07:13PM -0400, Jan Minar wrote:
> Package: makedev
> Version: 2.3.1-58
> Severity: important
> Tags: security
>
> Hi
>
> Please check the permissions of /dev/tty([0-9])*, they seem to be a
> free-for-all, which is no good.
>
> Thanks to Stephen Gran for telling me who to bug.
>
> The following patch would do, afaict:
>
> --- /sbin/MAKEDEV.ORIG Mon Apr 19 22:58:21 2004
> +++ /sbin/MAKEDEV Mon Apr 19 22:58:39 2004
> @@ -14,7 +14,7 @@
> private=" root root 0600"
> system=" root root 0660"
> kmem=" root kmem 0640"
> - tty=" root tty 0666"
> + tty=" root tty 0600"
> cons=" root tty 0600"
> vcs=" root root 0600"
> dialout=" root dialout 0660"
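
Review bot: The changed "tty=" line redefines a whole permission class, so every node that MAKEDEV creates with $tty would become 0600, not only /dev/tty([0-9])*. The hunk shows none of the places where the class is used; if /dev/tty itself (the controlling-terminal alias, which has to stay world-accessible) or other nodes are created with it, they would stop working for ordinary users. After the change "tty" and "cons" carry the same owner, group and mode, so it may be cleaner to leave "tty" as it is and create the numbered consoles with $cons instead. The edit also only affects nodes created from now on; as Stephen Gran's quoted reply suggests, nodes that already exist with 0666 would still need to be checked and corrected on upgrade.
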
>
> This is the discussion on debian-security that led to this bug report:
>
>
> On Mon, Apr 19, 2004 at 04:15:41PM -0400, Stephen Gran wrote:
> > This one time, at band camp, Matt Zimmerman said:
> > > On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote:
> > > > % ssh kh
> > > > jan@kh's password:
> > > > Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
> > > > % echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
> > > > % while :; do echo -e '\033[12;63]' > /dev/tty63; done
> > >
> > > The relevant permissions are more restrictive with udev:
> > >
> > > crw------- 1 root root 4, 63 2004-03-17 16:23 /dev/tty63
> >
> > And on a newly installed sid box:
> > crw------- 1 root tty 4, 63 2004-03-23 16:49 /dev/tty63
> >
> > No udev here. Previous installs may have had bad permissions, but
> > current ones do not. Perhaps, Jan, if you're interested, file a bug
> > against makedev or one of the other associated packages, asking them to
> > check the permissions on these devices on upgrade, and correct if
> > necessary. Seems trivial enough to do. A patch would probably not
> > hurt.
>
> -- System Information
> Debian Release: 3.0
> Architecture: i386
> Kernel: Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686
> Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2
>
> Versions of packages makedev depends on:
> ii base-passwd 3.4.1 Debian Base System Password/Group
- --
Phillip Hofmeister
PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAhEP5S3Jybf3L5MQRAtfuAJ40TFzSQFCNN0UmbyQtM2QM0mSrUACgjmY2
ssBFqnnpuHMCHOf3qbaKiU4=
=2O8y
-----END PGP SIGNATURE-----
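
The check suggested in the quoted discussion (look at the permissions on these devices and correct them if necessary) can be done with a short audit. The script below is an added example, not part of this thread or of the makedev package; the function names are made up for illustration, and it assumes a stat that accepts -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: report virtual-console nodes (tty followed only by digits)
# that grant any access to users other than owner and group.

# True when NAME is "tty" plus one or more digits (tty0, tty63).
# /dev/tty itself and serial or pty names such as ttyS0, ttyp0 do not match.
is_vc_name() {
    case "$1" in
        tty|tty*[!0-9]*) return 1 ;;
        tty[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when octal MODE (e.g. 666) has any of the "other" rwx bits set.
# 620, the usual mode of a console someone is logged in on, is not flagged.
world_accessible() {
    [ $(( 0$1 & 07 )) -ne 0 ]
}

# Print "MODE OWNER:GROUP PATH" for each exposed node under DIR (default /dev).
# TYPE_TEST is the test(1) operator a node must satisfy: -c (character device)
# in real use, -f to try the function on plain files in a scratch directory.
audit_vc_nodes() {
    dir=${1:-/dev}
    type_test=${2:--c}
    found=0
    for node in "$dir"/tty*; do
        [ "$type_test" "$node" ] || continue
        is_vc_name "${node##*/}" || continue
        mode=$(stat -c %a "$node") || continue
        if world_accessible "$mode"; then
            echo "$mode $(stat -c %U:%G "$node") $node"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]   # status 0 only when no node was reported
}

# Typical use: audit_vc_nodes /dev
```

A non-zero status from audit_vc_nodes means at least one node was listed; chmod 600 on a listed node gives it the mode the patch above proposes.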