Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 48919

Summary: incorrect group and perms on /usr/bin/minicom
Product: [Retired] Red Hat Linux Reporter: Randy Zagar <jrzagar>
Component: minicomAssignee: Mike A. Harris <mharris>
Status: CLOSED NOTABUG QA Contact: Brock Organ <borgan>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.1   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2001-07-12 15:32:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Randy Zagar 2001-07-12 15:32:52 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/4.75 [en] (X11; U; SunOS 5.8 sun4u)

Description of problem:
When executed by a non-privelidged user, the latest minicom cannot open a
lock file in /var/lock because it is not setgid uucp.  This can easily be
fixed with:

chgrp uucp /usr/bin/minicom
chmod g+s /usr/bin/minicom

How reproducible:
Didn't try


Additional info:
This should be fixed in the next release of that RPM.
Comment 1 Mike A. Harris 2001-07-12 17:42:50 UTC 
This is very much not a bug.  The bug was minicom before *did* allow
non root users to use it.  minicom, as confirmed by the original 
author, and subsequent maintainers, and also collective securioty folk
all say that minicom was not ever designed with security in mind.  It was
not intended to be used by non-root users in secure systems.

The code contains many format string bugs, some of which are not fixable
without major redesign of significant portions of the code, and likely with
incompatible changes to the scripting language, especially in the do_log
function.  There are numerous other security vulnerabilities likely lurking
in the code also.  A recent audit and community discussion resulted in
widespread common agreement by all vendors involved, and various other
security folk that minicom should indeed not be executable by non root.

This may be unfortunate for those who need it or rely on it, but the
security problems are many and deep, and secuity trumps convenience in
default install situations I'm afraid.  For those who require the
functionality and cannot use other more secure software, as a workaround,
suid/sgid the binary, but in doing so, realize that you are running
exploitable software when doing so.