Bug 219048

Summary:	pty opened by XTerm is not owned by group `tty' and is world writable
Product:	[Fedora] Fedora	Reporter:	Kasper Dupont <bugzilla>
Component:	xterm	Assignee:	Miroslav Lichvar <mlichvar>
Status:	CLOSED ERRATA	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	5	CC:	notting, security-response-team
Target Milestone:	---	Keywords:	Reopened, Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:	impact=low,source=redhat,reported=20061219
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2007-01-09 17:08:04 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	220153

Description Kasper Dupont 2006-12-10 02:31:43 UTC

Description of problem:
mesg n does not actually prevent messages, and mesg y consistently produce an
error message.

Version-Release number of selected component (if applicable):
SysVinit-2.86-2.2.2

How reproducible:
Happens every time

Steps to Reproduce:
1. Open xterm
2. Type "mesg y"
  
Actual results:
mesg: error: tty device is not owned by group `tty'

Expected results:
No errors

Steps to Reproduce:
1. Open xterm
2. Type "mesg n"
3. ls -l $(tty)
  
Actual results:
crw-----w- 1 kasperd kasperd 136, 14 Dec  9 18:26 /dev/pts/14

Expected results:
No write permission for others

Additional info:
Even when messages are enabled, it is a bad idea to allow every user to write
the device directly. The write command makes it clear that a message was send,
and who did it. Direct writes can be used to fake tty output.

Comment 1 Bill Nottingham 2006-12-11 20:27:17 UTC

I can't reproduce this, although this is on FC6:

[notting@nostromo: ~]$ ls -l $(tty)
crw--w---- 1 notting tty 136, 2 Dec 11 15:23 /dev/pts/2
[notting@nostromo: ~]$ mesg n
[notting@nostromo: ~]$ ls -l $(tty)
crw------- 1 notting tty 136, 2 Dec 11 15:23 /dev/pts/2
[notting@nostromo: ~]$ mesg y
[notting@nostromo: ~]$ ls -l $(tty)
crw--w---- 1 notting tty 136, 2 Dec 11 15:23 /dev/pts/2

What sort of tty rules do you have in /etc/udev/rules.d?

Comment 2 Kasper Dupont 2006-12-12 04:44:18 UTC

I have just the /etc/udev/rules.d/50-udev.rules from udev-084-13.fc5.2

Comment 3 Harald Hoyer 2006-12-12 15:33:15 UTC

ownership and permissions of ptys are not set by udev, afaik

Comment 4 Bill Nottingham 2006-12-12 16:47:26 UTC

What's your line for /dev/pts in /etc/fstab?

Comment 5 Kasper Dupont 2006-12-13 06:19:44 UTC

[kasperd@localhost:pts/7:~] grep pts /etc/fstab
/dev/devpts             /dev/pts                devpts  gid=5,mode=620  0 0
[kasperd@localhost:pts/7:~]

Comment 6 Harald Hoyer 2006-12-13 10:45:01 UTC

/dev/pts is not managed by udev

Comment 7 Kasper Dupont 2006-12-14 04:55:12 UTC

I just noticed that I can only reproduce the problem in xterm. Konsole, script,
and screen are not affected by this.

Comment 8 Lubomir Kundrak 2006-12-19 10:50:53 UTC

mlichvar reported that only FC6, FC5 and RHEL5 are affected.
The problem is caused by obsolete patch for configure script that is no longer
needed.

Comment 9 Lubomir Kundrak 2007-01-09 11:55:02 UTC

Fixed in

xterm-223-1.fc5
xterm-223-1.fc6

Removing "Security sensitive" flag.

Comment 10 Fedora Update System 2007-01-09 16:54:04 UTC

xterm-223-1.fc5 has been pushed for fc5, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.