Bug 2611
Summary: | /dev/pts default permissions WRONG! Security risk | ||
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | Chris Evans <chris> |
Component: | basesystem | Assignee: | Cristian Gafton <gafton> |
Status: | CLOSED DUPLICATE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 6.0 | CC: | aleksey, carenas, ewt |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 1999-06-15 22:09:52 UTC | Type: | --- |
Description
Chris Evans
1999-05-06 21:25:52 UTC
This has been assigned to a developer for further review.

I don't really think this is a security problem - this is no change from the previous ttyp* devices permissions. If somebody enables 'mesg y' on their console they are open to a DOS. This will probably be handled more tightly in the future, but that will require engineering in a lot of places to get it right. For now, 'mesg n' takes care of all the problems. We will address this issue in a next release, though. I am marking the bug as 'later' - we will look back at it and fix it when we have a full understanding of all the places we have to look at to take care of this problem effectively.

Hi Cristian,

Sorry to be awkward but I must disagree with your comment "no changes from the previous device permissions". If I telnet to an RH5.2 system I see

    /dev/ttyp8 crw--w---- chris tty

On RH6.0 I see

    /dev/pts/0 crw--w--w- chris chris

The difference is crucial; under RH6.0 a malicious user can send any arbitrary character stream to a tty. Some terminals can be reprogrammed so a given key can be made to map to a sequence of the attacker's choice... Under RH5.2 only the "write" program (and talkd) has sufficient privilege to send text to ttys - and the "write" program filters out malicious sequences AFAIK. So RH6.0 represents a lowering in tty security :-)

To fix this isn't too bad; the line for the /dev/pts filesystem in fstab needs changing as I originally suggested. Also, screen and rxvt need to be made to desist from changing the pty permissions from 0620 to 0622.

As an aside, note that console logins on RH6.0 get the tty1/tty? permissions correct, e.g.

    /dev/tty1 crw--w---- chris tty

Hi,

I've tested this against my Red Hat 6.0 box and the solution pointed out by Chris works well against xterm, telnet, nxterm, gnome-terminal and kterm. rxvt needs a simple patch to honour the tty group; you could get the (S)RPMS (unsigned) from ftp://ftp.lared.net.pe/pub/linux/carenas, or you can build your own, adding --enable-ttygid on the configure call in %Build. It seems like screen is also affected, and kvt (from KDE) doesn't even honour the new Unix98 pty.
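
An added example, not part of the bug report or of Red Hat's fix: a shell audit for the two conditions discussed in the comments above, the devpts line in fstab and the permissions on an individual tty. It assumes the fstab change takes the form of the devpts `gid=` and `mode=` mount options (the exact line suggested in the report is not shown on this page); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# check_devpts_line LINE: audit one fstab or /proc/mounts line.
# Prints "skip" for non-devpts lines, otherwise "ok" or "weak: <reason>".
check_devpts_line() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^#/ || $3 != "devpts" { print "skip"; exit }
        {
            gid = ""; mode = ""
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                # anchored match, so ptmxmode= is not mistaken for mode=
                if (opt[i] ~ /^gid=/)  gid  = substr(opt[i], 5)
                if (opt[i] ~ /^mode=/) mode = substr(opt[i], 6)
            }
            if (gid == "")  { print "weak: no gid= option"; exit }
            if (mode == "") { print "weak: no mode= option"; exit }
            # mode is octal; the last digit holds the "other" bits, 2 = write
            if (substr(mode, length(mode), 1) ~ /[2367]/) {
                print "weak: mode=" mode " is world-writable"; exit
            }
            print "ok"
        }'
}

# check_tty_listing "PATH PERMS OWNER GROUP": audit a listing in the form
# quoted in the report, e.g. "/dev/pts/0 crw--w--w- chris chris".
# Prints "ok", "weak: ..." (other-write set) or "warn: ..." (group is not tty).
check_tty_listing() {
    printf '%s\n' "$1" | awk '{
        # character 9 of the permission string is the other-write bit
        if (substr($2, 9, 1) == "w") { print "weak: " $1 " is world-writable"; exit }
        if ($4 != "tty") { print "warn: " $1 " group is " $4 ", expected tty"; exit }
        print "ok"
    }'
}

# scan_live_ptys: list world-writable pty nodes on the running host.
# ptmx is skipped because it is the multiplexer node, not a user terminal.
scan_live_ptys() {
    find /dev/pts -type c ! -name ptmx -perm -0002 2>/dev/null
}
```

Run `scan_live_ptys` from a normal login session and again from inside screen or rxvt: a node that shows up only in the second case points at the terminal program resetting the mode rather than at the mount options.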