Bug 48919 - incorrect group and perms on /usr/bin/minicom
Summary: incorrect group and perms on /usr/bin/minicom
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: minicom   
(Show other bugs)
Version: 7.1
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Mike A. Harris
QA Contact: Brock Organ
Depends On:
TreeView+ depends on / blocked
Reported: 2001-07-12 15:32 UTC by Randy Zagar
Modified: 2007-04-18 16:34 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-07-12 15:32:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Randy Zagar 2001-07-12 15:32:52 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.75 [en] (X11; U; SunOS 5.8 sun4u)

Description of problem:
When executed by a non-privelidged user, the latest minicom cannot open a
lock file in /var/lock because it is not setgid uucp.  This can easily be
fixed with:

chgrp uucp /usr/bin/minicom
chmod g+s /usr/bin/minicom

How reproducible:
Didn't try

Additional info:
This should be fixed in the next release of that RPM.

Comment 1 Mike A. Harris 2001-07-12 17:42:50 UTC
This is very much not a bug.  The bug was minicom before *did* allow
non root users to use it.  minicom, as confirmed by the original 
author, and subsequent maintainers, and also collective securioty folk
all say that minicom was not ever designed with security in mind.  It was
not intended to be used by non-root users in secure systems.

The code contains many format string bugs, some of which are not fixable
without major redesign of significant portions of the code, and likely with
incompatible changes to the scripting language, especially in the do_log
function.  There are numerous other security vulnerabilities likely lurking
in the code also.  A recent audit and community discussion resulted in
widespread common agreement by all vendors involved, and various other
security folk that minicom should indeed not be executable by non root.

This may be unfortunate for those who need it or rely on it, but the
security problems are many and deep, and secuity trumps convenience in
default install situations I'm afraid.  For those who require the
functionality and cannot use other more secure software, as a workaround,
suid/sgid the binary, but in doing so, realize that you are running
exploitable software when doing so.

Note You need to log in before you can comment on or make changes to this bug.