
Re: making Debian secure by default



On 2024-03-28, Marc SCHAEFER wrote:

>> Apparently the root of the security issue is that wall is a setgid program?
>
> a) wall must be able to write to your tty, which is not possible
>    if wall is not installed setgid OR if people have sane permissions
>    on their terminals (e.g. set to mesg n)

Found in /etc/login.defs :

#
# Terminal permissions
#
#   TTYGROUP    Login tty will be assigned this group ownership.
#   TTYPERM     Login tty will be set to this permission.
#
# If you have a "write" program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP to the group number and
# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
# TTYPERM to either 622 or 600.
#
# In Debian /usr/bin/bsd-write or similar programs are setgid tty
# However, the default and recommended value for TTYPERM is still 0600
# to not allow anyone to write to anyone else console or terminal

# Users can still allow other people to write them by issuing 
# the "mesg y" command.

TTYGROUP    tty
TTYPERM     0600

My tty is set to 0600 and even with "mesg y" only root can send a message
with wall. Am I missing something?
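
The TTYPERM and TTYGROUP settings quoted in this message can be checked mechanically. The script below is an added example, not part of the original post or of Debian's tooling; the function names and the constructed sample file are assumptions, and it only reads the file and interprets the group-write (020) and other-write (002) bits of the configured mode.

```shell
#!/bin/sh
# Added example: read TTYPERM/TTYGROUP from a login.defs-style file and
# report who may write to a login tty. Function names are hypothetical.

# Print the last uncommented value of key $1 in file $2 (empty if unset).
login_defs_value() {
    awk -v key="$1" '$1 == key { val = $2 } END { if (val != "") print val }' "$2"
}

# Classify an octal mode such as 0600, 0620 or 622 by its write bits.
classify_ttyperm() {
    case "$1" in
        ''|*[!0-7]*) echo "invalid"; return 1 ;;
    esac
    perm=$((0$1))                      # leading 0 forces octal
    if [ $((perm & 0002)) -ne 0 ]; then
        echo "world-writable"          # any user can open the tty for writing
    elif [ $((perm & 0020)) -ne 0 ]; then
        echo "group-writable"          # the tty's group, e.g. a setgid-tty write program
    else
        echo "owner-only"              # only the owner (and root) can write
    fi
}

# One-line summary for a login.defs-style file.
audit_login_defs() {
    mode=$(login_defs_value TTYPERM "$1")
    group=$(login_defs_value TTYGROUP "$1")
    class=$(classify_ttyperm "$mode") || class="invalid"
    echo "TTYPERM=${mode:-unset} TTYGROUP=${group:-unset} -> $class"
}

# Constructed sample mirroring the settings quoted in the message.
sample=$(mktemp)
printf '%s\n' '# TTYPERM 0620' 'TTYGROUP    tty' 'TTYPERM     0600' > "$sample"
audit_login_defs "$sample"
rm -f "$sample"
```

Point `audit_login_defs` at `/etc/login.defs` to see the configured default, and compare it with the live mode of the current terminal from `stat -c %a "$(tty)"`.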

