|Summary:||minicom is set GID uucp; security hole|
|Product:||[Retired] Red Hat Linux||Reporter:||che|
|Component:||minicom||Assignee:||Mike Maher <mike>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|:||770956||Environment:|
|Last Closed:||1999-01-26 18:42:55 UTC||Type:||---|
Description che 1998-11-17 03:29:52 UTC
As the summary says, minicom is shipped set-GID uucp in Red Hat up to 5.1 (I don't know about 5.2, I don't know anyone who has that installed.) This means that any user on a Red Hat box can dial-out via the modem without any special permissions. If Joe Schmoe has an account on my box and wishes to dial up Transylvania for 14 hours a day, he can do so completely without my knowing it. Also, any user can interrupt a serial transfer because of this security flaw.

This is wrong: Debian GNU/Linux ships minicom mode 0755, as it should be, and requires that the users themselves be in the dip (dialout) group if they wish to have access to the serial ports.

Please issue errata for all previous versions of Red Hat with a fixed minicom package that is properly mode 0755.

Ben Gertzfield, Debian GNU/Linux developer
Comment 1 Derek Tattersall 1998-11-19 14:52:59 UTC
/usr/bin/minicom is set GID uucp in 5.2 also.
Comment 2 Mike Maher 1999-01-26 18:42:59 UTC
Set group ID to root, mode 0755. If users wish to use minicom to dial out, they must add the user id to minicom.
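A way to audit for the condition discussed in this report, as an added example that is not part of the original bug or of the minicom package: `audit_sgid` reports whether a binary carries the set-GID bit and which group it grants, and `group_members` lists who has been given serial access explicitly. The function names are hypothetical; `/usr/bin/minicom` and the `dialout` group are the ones named above.

```shell
#!/bin/sh
# Added example: check a binary for the set-GID bit and list the accounts
# that hold serial-port access through group membership instead.

# audit_sgid FILE
# Prints "SGID <group> <perms>" when FILE has the set-GID bit, meaning every
# local user who runs it inherits <group>. Prints "OK <group> <perms>"
# otherwise. Returns 1 for SGID, 0 for OK, 2 if FILE does not exist.
audit_sgid() {
    [ -e "$1" ] || { echo "MISSING $1"; return 2; }
    # Fields 1 and 4 of `ls -ld` are the permission string and the group.
    perms=$(ls -ld "$1" | awk '{ print $1 }')
    group=$(ls -ld "$1" | awk '{ print $4 }')
    if [ -g "$1" ]; then
        echo "SGID $group $perms"
        return 1
    fi
    echo "OK $group $perms"
}

# group_members GROUP [GROUPFILE]
# Prints the comma-separated member list of GROUP from a group(5) file
# (default /etc/group). With a mode 0755 binary these are the only
# accounts intended to reach the modem.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "${2:-/etc/group}"
}

# Demo on the path from the report; a missing file is reported, not fatal.
for bin in /usr/bin/minicom; do
    audit_sgid "$bin" || true
done
echo "dialout members: $(group_members dialout)"
```

A permission string such as `-rwxr-sr-x` in the `SGID` line corresponds to the set-GID state described in the report; `-rwxr-xr-x` is mode 0755.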