Bug 14305 - login chowns /dev/vcs?? and users can read others console
login chowns /dev/vcs?? and users can read others console
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: util-linux (Show other bugs)
6.2
All Linux
medium Severity medium
: ---
: ---
Assigned To: Erik Troan
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-07-20 06:29 EDT by Jarno Huuskonen
Modified: 2008-05-01 11:37 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-02-06 13:31:48 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jarno Huuskonen 2000-07-20 06:29:25 EDT
This has already been on bugtrack #1176, but here it goes again:
login program incorrectly? chowns /dev/vcs?? to console user and if the
user opens the device and keeps it open he/she can keep on reading from it
and read others screen...

From linux kernel mailing list I found that the problem exists because
linux doesn't have revoke syscall that would close open filedescriptors.

This problem might be quite severe if linux machines are used in a lab
environment where the computers are shared.

Anyway... I created a small patch. This is only a temporary solution !
-Jarno

PS. This patch will break console programs that expect to read from
    /dev/vcs?? (screendump ?) Also maybe it should chgrp the devices to tty

--- util-linux-2.10f/login-utils/login.c~       Sat Oct 30 03:06:01 1999
+++ util-linux-2.10f/login-utils/login.c        Wed Jul 12 12:01:25 2000
@@ -964,10 +964,16 @@
     /* if tty is one of the VC's then change owner and mode of the 
        special /dev/vcs devices as well */
     if (consoletty(0)) {
+      /*
        chown(vcsn, pwd->pw_uid, (gr ? gr->gr_gid : pwd->pw_gid));
        chown(vcsan, pwd->pw_uid, (gr ? gr->gr_gid : pwd->pw_gid));
        chmod(vcsn, TTY_MODE);
        chmod(vcsan, TTY_MODE);
+      */
+      chown( vcsn, (uid_t)0, (gid_t)0 );
+      chown( vcsan, (uid_t)0, (gid_t)0 );
+      chmod(vcsn, (mode_t)0600);
+      chmod(vcsan, (mode_t)0600);
     }

     setgid(pwd->pw_gid);
Comment 1 Andrew Bartlett 2000-11-18 18:59:35 EST
While linux can no way to revoke access to the files, it should be possible to
just kill -9 the offending processes, ie any programs with these files open.

Could this be a solution?
Comment 2 Erik Troan 2001-04-17 12:11:10 EDT
Fixed in util-linux-2.11a-2 in rawhide

Note You need to log in before you can comment on or make changes to this bug.