Re: FTE editor
(I'm copying so much text because the original didn't make it to
debian-user)
Helge Hafting <helge.hafting@daldata.no> writes:
> In <87af41jwoh.fsf@cush.dyn.ml.org>, on 09/15/98
> at 10:08 AM, Daniel Martin <dtm12@jhunix.hcf.jhu.edu> said:
>
> >"Paul M. Foster" <paulf@quillandmouse.com> writes:
>
> [...]
> >> 2) Is there a liability to changing the permissions on these device files
> >> so that regular users have r/w access to them?
> >Well, how comfortable are you with the ability of anyone logged in (or
> >even with a process running) on your machine being able to grab the
> >contents of any of the virtual consoles? If you do this, then anyone
> >will be able to grab anything that appears on the screen. It's not as
> >bad as xhost +, since they won't be able to send keys to, say, your root
> >shell, but the ability to log everything may be a bit unnerving. Also,
> >there's major nuisance potential since they could make any virtual screen
> >display anything.
>
> I haven't tested this yet, but consider the following:
> There is a file in /etc (sorry, don't remember which one)
> that can specify what groups a user will be added to when logging in on
> the console. One documented use for this is to grant membership to group
> "audio" so that anyone currently logged in on the console may use the
> audio device. Surely this trick could work with /dev/vcsa*, set the
> group to audio or create a new group for this purpose.
>
> Note that the audio trick isn't on by default, you must edit that file.
> (Do a "grep audio /etc/*" in order to find what file this is in.) The
> reason is that a hacker user is able to get permanent membership in the
> groups listed. Using this is still better than granting anybody access to
> /dev/vcsa as many users don't know the hack involved, and I believe they
> need to use the console in order to do it. No problem if the hacker never
> gets near the console.
True; (the file is /etc/login.defs). However, I'd not call the way
one gets access to one of these groups permanently a "hack" - I'd call
it basic Unix knowledge. (I mean, if you know what it means to have a
program setgid and know how to make a program setgid, you've got it).
But yes, if the console is in a secure environment, then there's no
risk in doing this.
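
An added example, not part of either message: a small audit for the two exposures discussed above, namely /dev/vcs* nodes open to "other" and setgid executables left in user-writable places that carry a console-granted group. It assumes the /etc/login.defs key is `CONSOLE_GROUPS` (the thread names only the file); the sample file content, the group name `vcs` and the scanned directories are constructed for illustration.

```python
import glob, grp, os, stat

# Constructed sample of /etc/login.defs content (not taken from the thread).
SAMPLE_LOGIN_DEFS = """\
CONSOLE           /etc/securetty
#CONSOLE_GROUPS   floppy:audio:cdrom
CONSOLE_GROUPS    audio:vcs
"""

def console_groups(text):
    """Group names from the last uncommented CONSOLE_GROUPS line."""
    names = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] == "CONSOLE_GROUPS":
            names = [g for g in fields[1].split(":") if g]
    return names

def world_access(mode):
    """'r', 'w', 'rw' or '' for the access 'other' has to a node."""
    return ("r" if mode & stat.S_IROTH else "") + ("w" if mode & stat.S_IWOTH else "")

def keeps_group(mode, uid, gid, watched_gids):
    """True for a setgid executable in a watched group that root does not own.
    Linux honours setgid only when the group-execute bit is also set."""
    return (stat.S_ISREG(mode) and bool(mode & stat.S_ISGID)
            and bool(mode & stat.S_IXGRP) and gid in watched_gids and uid != 0)

def audit(roots, watched_gids):
    """Walk each root and list the files that keeps_group() flags."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable entry
                if keeps_group(st.st_mode, st.st_uid, st.st_gid, watched_gids):
                    hits.append(path)
    return hits

if __name__ == "__main__":
    with open("/etc/login.defs") as fh:
        names = console_groups(fh.read())
    gids = {grp.getgrnam(n).gr_gid for n in names}  # KeyError if a group is unknown
    for dev in glob.glob("/dev/vcs*"):
        print(dev, "other:", world_access(os.lstat(dev).st_mode) or "-")
    for path in audit(["/home", "/tmp", "/var/tmp"], gids):  # assumed user-writable roots
        print("setgid into console group:", path)
```

Mounting user-writable filesystems with `nosuid` makes any file this reports ineffective, since the kernel then ignores the setgid bit on exec.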