Red Hat Bugzilla – Bug 2611
/dev/pts default permissions WRONG! Security risk
Last modified: 2008-05-01 11:37:50 EDT
/dev/pts is mounted "mode=0622". This is WRONG - it bypasses
the security on write. /dev/pts _should_ be mounted
"mode=0620,gid=5" (gid 5 is tty on the system)
The problem is worse though - xterm and nxterm work properly
with the above change, as do telnet logins. Unfortunately
screen and rxvt (maybe others) change the /dev/pts
permissions such that everyone has write acess and the
group is the user's group NOT tty.
Aside from this slip up I have been VERY impressed with
Re-reading my message I'm not sure I've been clear - drop me
a note if any clarification is needed. Sorry about the duff
package too but /etc/fstab isn't owned by any package
This has been assigned to a developer for further review.
I don;t really think this is a security problem - this is no change
from the previous ttyp* devices permissions. If somebody enables 'mesg
y' on their console they are open to a DOS. This will be probably be
handled more tightly in the future, but that will require engineering
in a lot of places to get it right.
For now, 'mesg n' takes care of all the problems. We will address this
issue in a next release, though. I am marking the bug as 'later' - we
will look back at it and fix it when we have a full understanding of
all the places we have to look at to take care of this problem
Sorry to be awkward but I must disagree with your comment "no changes
from the previous device permissions".
If I telnet to RH5.2 system I see
/dev/ttyp8 crw--w---- chris tty
On RH6.0 I see
/dev/pts/0 crw--w--w- chris chris
The difference is crucial; under RH6.0 a malicious user can send any
arbitrary character stream to a tty. Some terminals can be
reprogrammed so a given key can be made to map to a sequence of the
Under RH5.2 only the "write" program (and talkd) has sufficient
privilege to send text to tty's - and the "write" program filters out
malicious sequences AFAIK.
So RH6.0 represents a lowering in tty security :-) To fix this isn't
too bad; the line for the /dev/pts filesystem in fstab needs changing
as I originally suggest. Also, screen and rxvt need to be made to
desist from changing the pty permissions from 0620 to 0622.
As an aside note that console logins on RH6.0 get the tty1/tty?
permissions correct e.g.
/dev/tty1 crw--w---- chris tty
Hi, i've tested this agains't my redhat 6.0 box and the solution
pointed by chris works well against, xterm, telnet, nxterm,
gnome-terminal and kterm
rxvt needs a simple patch to honour the tty group, you could get the
(S)RPMS (unsigned) for ftp://ftp.lared.net.pe/pub/linux/carenas, or
you can build your own.. adding --enable-ttygid on the configure call
seems like screen is also affected, and kvt (from KDE) doesn't even
honour the new Unix98 pty
*** This bug has been marked as a duplicate of 3025 ***