Bug 14305 - login chowns /dev/vcs?? and users can read others console
Summary: login chowns /dev/vcs?? and users can read others console
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: util-linux   
(Show other bugs)
Version: 6.2
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Erik Troan
QA Contact:
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-07-20 10:29 UTC by Jarno Huuskonen
Modified: 2008-05-01 15:37 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-02-06 18:31:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Jarno Huuskonen 2000-07-20 10:29:25 UTC
This has already been on bugtrack #1176, but here it goes again:
login program incorrectly? chowns /dev/vcs?? to console user and if the
user opens the device and keeps it open he/she can keep on reading from it
and read others screen...

From linux kernel mailing list I found that the problem exists because
linux doesn't have revoke syscall that would close open filedescriptors.

This problem might be quite severe if linux machines are used in a lab
environment where the computers are shared.

Anyway... I created a small patch. This is only a temporary solution !
-Jarno

PS. This patch will break console programs that expect to read from
    /dev/vcs?? (screendump ?) Also maybe it should chgrp the devices to tty

--- util-linux-2.10f/login-utils/login.c~       Sat Oct 30 03:06:01 1999
+++ util-linux-2.10f/login-utils/login.c        Wed Jul 12 12:01:25 2000
@@ -964,10 +964,16 @@
     /* if tty is one of the VC's then change owner and mode of the 
        special /dev/vcs devices as well */
     if (consoletty(0)) {
+      /*
        chown(vcsn, pwd->pw_uid, (gr ? gr->gr_gid : pwd->pw_gid));
        chown(vcsan, pwd->pw_uid, (gr ? gr->gr_gid : pwd->pw_gid));
        chmod(vcsn, TTY_MODE);
        chmod(vcsan, TTY_MODE);
+      */
+      chown( vcsn, (uid_t)0, (gid_t)0 );
+      chown( vcsan, (uid_t)0, (gid_t)0 );
+      chmod(vcsn, (mode_t)0600);
+      chmod(vcsan, (mode_t)0600);
     }

     setgid(pwd->pw_gid);

Comment 1 Andrew Bartlett 2000-11-18 23:59:35 UTC
While linux can no way to revoke access to the files, it should be possible to
just kill -9 the offending processes, ie any programs with these files open.

Could this be a solution?

Comment 2 Erik Troan 2001-04-17 16:11:10 UTC
Fixed in util-linux-2.11a-2 in rawhide


Note You need to log in before you can comment on or make changes to this bug.