Bug 14305

Summary: login chowns /dev/vcs?? and users can read others console
Product: [Retired] Red Hat Linux
Reporter: Jarno Huuskonen <jarno.huuskonen>
Component: util-linux
Assignee: Erik Troan <ewt>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: 6.2
CC: abartlet
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2001-02-06 18:31:48 UTC

Description Jarno Huuskonen 2000-07-20 10:29:25 UTC
This has already been on bugtrack #1176, but here it goes again:
The login program incorrectly? chowns /dev/vcs?? to the console user, and if
the user opens the device and keeps it open, he/she can keep on reading from it
and read others' screens...

From the Linux kernel mailing list I found that the problem exists because
Linux doesn't have a revoke syscall that would close open file descriptors.

This problem might be quite severe if Linux machines are used in a lab
environment where the computers are shared.

Anyway... I created a small patch. This is only a temporary solution!
-Jarno

PS. This patch will break console programs that expect to read from
    /dev/vcs?? (screendump?). Also, maybe it should chgrp the devices to tty.

--- util-linux-2.10f/login-utils/login.c~       Sat Oct 30 03:06:01 1999
+++ util-linux-2.10f/login-utils/login.c        Wed Jul 12 12:01:25 2000
@@ -964,10 +964,16 @@
     /* if tty is one of the VC's then change owner and mode of the 
        special /dev/vcs devices as well */
     if (consoletty(0)) {
+      /*
        chown(vcsn, pwd->pw_uid, (gr ? gr->gr_gid : pwd->pw_gid));
        chown(vcsan, pwd->pw_uid, (gr ? gr->gr_gid : pwd->pw_gid));
        chmod(vcsn, TTY_MODE);
        chmod(vcsan, TTY_MODE);
+      */
+      chown( vcsn, (uid_t)0, (gid_t)0 );
+      chown( vcsan, (uid_t)0, (gid_t)0 );
+      chmod(vcsn, (mode_t)0600);
+      chmod(vcsan, (mode_t)0600);
     }

     setgid(pwd->pw_gid);
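
Review bot: the four added calls on vcsn and vcsan (the two chown(..., (uid_t)0, (gid_t)0) and the two chmod(..., (mode_t)0600)) ignore their return values, so if any of them fails, login carries on with the devices still at the owner and mode a previous session left on them, which is the exposure this change is meant to close; check each result and log or abort on failure. The old block is left commented out with /* ... */ rather than deleted, and the comment above the if still says the owner and mode are changed along with the tty; remove the dead code and update that comment to say the vcs devices are reset to root. The literal 0600 would also read better as a named constant beside TTY_MODE.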

Comment 1 Andrew Bartlett 2000-11-18 23:59:35 UTC
While Linux has no way to revoke access to the files, it should be possible to
just kill -9 the offending processes, i.e. any programs with these files open.

Could this be a solution?
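
Comment 1's idea depends on first finding which processes still hold a /dev/vcs* device open. The following is an added example, not part of the bug report or of util-linux: a Python scan of /proc/<pid>/fd that lists such holders. The device-name pattern and the constructed fake /proc tree are assumptions, and on a live system the scan needs root to see other users' descriptors.

```python
import os
import re
import tempfile

# Assumed naming: /dev/vcs, /dev/vcsN (text) and /dev/vcsa, /dev/vcsaN (text + attributes)
VCS_RE = re.compile(r"^/dev/vcsa?\d*$")

def vcs_holders(proc_root="/proc"):
    """Return sorted (pid, uid, device) for each process holding a vcs device open."""
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():            # skip non-process entries
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            uid = os.stat(os.path.join(proc_root, entry)).st_uid
            fds = os.listdir(fd_dir)
        except OSError:                    # process exited or access denied
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if VCS_RE.match(target):
                found.append((int(entry), uid, target))
    return sorted(set(found))              # one row per (pid, device)

def build_sample_proc():
    """Constructed sample: a fake /proc tree so the scan runs offline, unprivileged."""
    root = tempfile.mkdtemp()
    layout = {"101": ["/dev/tty1", "/dev/vcs1"],     # holds a screen device
              "102": ["/dev/null", "/dev/pts/0"],    # unrelated descriptors
              "103": ["/dev/vcsa2", "/dev/vcsa2"]}   # same device on two fds
    for pid, targets in layout.items():
        os.makedirs(os.path.join(root, pid, "fd"))
        for n, target in enumerate(targets):
            os.symlink(target, os.path.join(root, pid, "fd", str(n)))
    os.mkdir(os.path.join(root, "not_a_pid"))
    return root

if __name__ == "__main__":
    for pid, uid, dev in vcs_holders(build_sample_proc()):
        print(f"pid {pid} (uid {uid}) holds {dev}")
```

Comparing the reported uid with the user currently logged in on that console shows which descriptors outlived their owner's session.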

Comment 2 Erik Troan 2001-04-17 16:11:10 UTC
Fixed in util-linux-2.11a-2 in rawhide