Red Hat Bugzilla – Bug 48919
incorrect group and perms on /usr/bin/minicom
Last modified: 2007-04-18 12:34:41 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.75 [en] (X11; U; SunOS 5.8 sun4u)
Description of problem:
When executed by a non-privelidged user, the latest minicom cannot open a
lock file in /var/lock because it is not setgid uucp. This can easily be
chgrp uucp /usr/bin/minicom
chmod g+s /usr/bin/minicom
This should be fixed in the next release of that RPM.
This is very much not a bug. The bug was minicom before *did* allow
non root users to use it. minicom, as confirmed by the original
author, and subsequent maintainers, and also collective securioty folk
all say that minicom was not ever designed with security in mind. It was
not intended to be used by non-root users in secure systems.
The code contains many format string bugs, some of which are not fixable
without major redesign of significant portions of the code, and likely with
incompatible changes to the scripting language, especially in the do_log
function. There are numerous other security vulnerabilities likely lurking
in the code also. A recent audit and community discussion resulted in
widespread common agreement by all vendors involved, and various other
security folk that minicom should indeed not be executable by non root.
This may be unfortunate for those who need it or rely on it, but the
security problems are many and deep, and secuity trumps convenience in
default install situations I'm afraid. For those who require the
functionality and cannot use other more secure software, as a workaround,
suid/sgid the binary, but in doing so, realize that you are running
exploitable software when doing so.