Bug 203839 - console perms
Summary: console perms
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: jfbterm
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Mamoru TASAKA
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-08-23 22:18 UTC by Paul F. Johnson
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-09-16 15:07:29 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Paul F. Johnson 2006-08-23 22:18:51 UTC 
Description of problem:

Could you please review your spec file in light of the thread on the
fedora-security list?

https://www.redhat.com/archives/fedora-security-list/2006-August/msg00036.html

It seems that the console perms bit should be removed.
Comment 1 Mamoru TASAKA 2006-08-24 01:48:34 UTC 
The binary (/usr/bin/jfbterm) really don't work without
* using sticky bit (like /usr/bin/kon in kon2 rpm) OR
* using console.perms method OR
* maybe using pam or consolehelper.
Without these, jfbterm fails with the error like
exec : /bin/bash can't open /dev/console

I don't know the whole mechanism of this package, however,
this binary (/usr/bin/jfbterm) needs device access for
/dev/console and /dev/tty0 .
When using console.perms method, the description in
60-jfbterm.perms is not redundant because
* the entry for /dev/console in 50-default.perms is only valid
  when logging in with GUI because /dev/console is managed by
  <xconsole>. The important purpose of jfbterm is to display
  multibyte characters on CUI , not when logging in with GUI
  (however, jfbterm seems to work with GUI). 
* Also, 50-default.perms don't have the entry for /dev/tty0.

The easiest way to deal with this is to set sticky bit on
jfbterm as 4755, however, without using it, the reasonable way
to use jfbterm is to use console.perms method.
IMO, using pam of consolehelper is nearly equal to use sticky
bit because jfbterm needs root authority without using console.perms
anyway.
Comment 2 Mamoru TASAKA 2006-08-24 01:52:38 UTC 
Oops.

I meant IMO, using pam OR consolehelper is nearly equal to using
sticky bit ....

By the way, some error may have happened. Paul, could you receive
the previous mail of my comment?
Comment 3 Paul F. Johnson 2006-08-24 14:03:37 UTC 
Yep, I've seen both of these postings via email.

Okay, would you mind desperately if I post this BZ ref onto the security 
mailing list? I'm not happy with the sticky 4755 and while I agree with what 
you've put (I can see the logic), I'd prefer the Fedora Security chaps to have 
a look.
Comment 4 Mamoru TASAKA 2006-08-24 14:30:20 UTC 
(In reply to comment #3)
> Okay, would you mind desperately if I post this BZ ref onto the security 
> mailing list? 

No problem. Today I began to subscribe to fedora-security list and
now I can add some comments to the thread written in your 
(first) bug report when needed if you post this BZ ref.
Comment 5 Mamoru TASAKA 2006-09-08 10:52:02 UTC 
Well, may I close this bug as NOTABUG for now?
Comment 6 Mamoru TASAKA 2006-09-16 15:07:29 UTC 
For now I close this bug as NOTABUG.
Note You need to log in before you can comment on or make changes to this bug.