Bug 203839 - console perms
Summary: console perms
Alias: None
Product: Fedora
Classification: Fedora
Component: jfbterm   
(Show other bugs)
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Mamoru TASAKA
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2006-08-23 22:18 UTC by Paul F. Johnson
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-09-16 15:07:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Paul F. Johnson 2006-08-23 22:18:51 UTC
Description of problem:

Could you please review your spec file in light of the thread on the
fedora-security list?


It seems that the console perms bit should be removed.

Comment 1 Mamoru TASAKA 2006-08-24 01:48:34 UTC
The binary (/usr/bin/jfbterm) really don't work without
* using sticky bit (like /usr/bin/kon in kon2 rpm) OR
* using console.perms method OR
* maybe using pam or consolehelper.
Without these, jfbterm fails with the error like
exec : /bin/bash can't open /dev/console

I don't know the whole mechanism of this package, however,
this binary (/usr/bin/jfbterm) needs device access for
/dev/console and /dev/tty0 .
When using console.perms method, the description in
60-jfbterm.perms is not redundant because
* the entry for /dev/console in 50-default.perms is only valid
  when logging in with GUI because /dev/console is managed by
  <xconsole>. The important purpose of jfbterm is to display
  multibyte characters on CUI , not when logging in with GUI
  (however, jfbterm seems to work with GUI). 
* Also, 50-default.perms don't have the entry for /dev/tty0.

The easiest way to deal with this is to set sticky bit on
jfbterm as 4755, however, without using it, the reasonable way
to use jfbterm is to use console.perms method.
IMO, using pam of consolehelper is nearly equal to use sticky
bit because jfbterm needs root authority without using console.perms

Comment 2 Mamoru TASAKA 2006-08-24 01:52:38 UTC

I meant IMO, using pam OR consolehelper is nearly equal to using
sticky bit ....

By the way, some error may have happened. Paul, could you receive
the previous mail of my comment?

Comment 3 Paul F. Johnson 2006-08-24 14:03:37 UTC
Yep, I've seen both of these postings via email.

Okay, would you mind desperately if I post this BZ ref onto the security 
mailing list? I'm not happy with the sticky 4755 and while I agree with what 
you've put (I can see the logic), I'd prefer the Fedora Security chaps to have 
a look.

Comment 4 Mamoru TASAKA 2006-08-24 14:30:20 UTC
(In reply to comment #3)
> Okay, would you mind desperately if I post this BZ ref onto the security 
> mailing list? 

No problem. Today I began to subscribe to fedora-security list and
now I can add some comments to the thread written in your 
(first) bug report when needed if you post this BZ ref.

Comment 5 Mamoru TASAKA 2006-09-08 10:52:02 UTC
Well, may I close this bug as NOTABUG for now?

Comment 6 Mamoru TASAKA 2006-09-16 15:07:29 UTC
For now I close this bug as NOTABUG.

Note You need to log in before you can comment on or make changes to this bug.