Bug 48919 - incorrect group and perms on /usr/bin/minicom
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: minicom
Version: 7.1
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Mike A. Harris
Brock Organ
Reported: 2001-07-12 11:32 EDT by Randy Zagar
Modified: 2007-04-18 12:34 EDT
Doc Type: Bug Fix
Last Closed: 2001-07-12 11:32:56 EDT

Description Randy Zagar 2001-07-12 11:32:52 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.75 [en] (X11; U; SunOS 5.8 sun4u)

Description of problem:
When executed by a non-privileged user, the latest minicom cannot open a
lock file in /var/lock because it is not setgid uucp.  This can easily be
fixed with:

chgrp uucp /usr/bin/minicom
chmod g+s /usr/bin/minicom

How reproducible:
Didn't try


Additional info:
This should be fixed in the next release of that RPM.
Comment 1 Mike A. Harris 2001-07-12 13:42:50 EDT
This is very much not a bug.  The bug was that minicom before *did* allow
non root users to use it.  minicom, as confirmed by the original
author, and subsequent maintainers, and also collective security folk
all say that minicom was not ever designed with security in mind.  It was
not intended to be used by non-root users in secure systems.

The code contains many format string bugs, some of which are not fixable
without major redesign of significant portions of the code, and likely with
incompatible changes to the scripting language, especially in the do_log
function.  There are numerous other security vulnerabilities likely lurking
in the code also.  A recent audit and community discussion resulted in
widespread common agreement by all vendors involved, and various other
security folk that minicom should indeed not be executable by non root.

This may be unfortunate for those who need it or rely on it, but the
security problems are many and deep, and security trumps convenience in
default install situations I'm afraid.  For those who require the
functionality and cannot use other more secure software, as a workaround,
suid/sgid the binary, but in doing so, realize that you are running
exploitable software when doing so.
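
An administrator who wants to know whether a host carries the setgid workaround discussed in this bug can check the privilege bits directly. The script below is an added example, not part of the original report or of the minicom package; the function names priv_bits and audit_binary are hypothetical, and the only path taken from the bug is /usr/bin/minicom.

```shell
#!/bin/sh
# Added example: report setuid/setgid bits on a binary such as /usr/bin/minicom.
# Usage: sh audit.sh /usr/bin/minicom [more paths...]

# priv_bits FILE -> prints "setuid", "setgid", "setuid+setgid", "none" or
# "missing"; returns 2 when the file does not exist.
priv_bits() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 2; }
    bits=""
    if [ -u "$f" ]; then bits="setuid"; fi
    if [ -g "$f" ]; then bits="${bits:+$bits+}setgid"; fi
    echo "${bits:-none}"
}

# audit_binary FILE -> prints one summary line.
# Return status: 0 = no setuid/setgid bits (the shipped default described in
# comment 1), 1 = privilege bits present (workaround applied), 2 = not found.
audit_binary() {
    f=$1
    state=$(priv_bits "$f") || { echo "$f: not found"; return 2; }
    # Fourth field of "ls -ld" is the owning group (name, or gid if unnamed).
    group=$(ls -ld "$f" | awk '{print $4}')
    case $state in
        none)
            echo "$f: group=$group, no setuid/setgid bits"
            return 0 ;;
        *)
            echo "$f: group=$group, $state set, runs with the file's owner/group ID"
            return 1 ;;
    esac
}

# Audit every path given on the command line; do nothing when sourced
# or run without arguments.
if [ $# -gt 0 ]; then
    for target in "$@"; do
        audit_binary "$target" || :
    done
fi
```

A status of 1 for /usr/bin/minicom means the chgrp/chmod g+s change from the description has been applied and the caveat in comment 1 applies to that host.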
