Tavis Ormandy reported that /dev/systty in Fedora has insecure permissions (0644 instead of 0600 or 0640). This could allow a remote user logged into the system to snoop on the terminal of any user logged in on tty0.
On Red Hat Enterprise Linux 5, /dev/systty is mode 0600, and on Red Hat Enterprise Linux 6, /dev/systty is a symlink to /dev/tty0 which is mode 0620. So this flaw only affects Fedora.
Eugene had looked at this earlier, and we believe the problem stems from /usr/share/dracut/modules.d/50plymouth/plymouth-pretrigger.sh:
[ -c /dev/systty ] || mknod /dev/systty c 4 0
More than likely it's using the system umask to create the file (022).
It also looks as though this issue was introduced in Fedora 11, with plymouth support. For example, on Fedora 10 /dev/systty is mode 0600.
A possible fix would be to mknod -m 600 /dev/systty c 4 0 or make /dev/systty a symlink to /dev/tty0 as it is on RHEL6.
I was unable to get anything from /dev/systty, however I'm not really sure what is using /dev/tty0 as looking in /etc/init/start-ttys.conf, we seem to only start tty[1-6] and tty1 is where X is living (i.e. F1). I see no reference to tty0 anywhere (maybe used in runlevel 3, perhaps?).
Tavis, can you provide the command you used to get some information so that we can attempt to duplicate this?
Not vulnerable. This issue did not affect the versions of dracut as shipped with Red Hat Enterprise Linux 6.
Created dracut tracking bugs for this issue
Affects: fedora-all [bug 654935]
Fixed in Fedora dracut dracut-005-5.fc13 and dracut-006-5.fc14, with workaround / mitigation also added to udev udev-153-5.fc13 and udev-161-7.fc14.
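
The root cause and the proposed mknod -m 600 fix discussed in this report, shown as an added example (not code from dracut, plymouth, or any comment above). It assumes GNU mknod and stat and the 022 umask suggested in the report, and it uses FIFOs in a scratch directory so it runs without root; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not dracut's code. FIFOs ("p") stand in for the character
# device "c 4 0" so this runs without root; mknod applies the umask the same way.

# Node created as in plymouth-pretrigger.sh: no -m, so mode = 0666 & ~umask.
node_mode_default() {
    ( umask 022; mknod "$1/default" p ) && stat -c %a "$1/default"
}

# Node created as in the proposed fix: -m sets the mode regardless of umask.
node_mode_explicit() {
    ( umask 022; mknod -m 600 "$1/explicit" p ) && stat -c %a "$1/explicit"
}

# Audit helper: exit status 0 if "other" holds the read bit on the path.
other_readable() {
    mode=$(stat -c %a "$1") || return 2
    [ $(( 0$mode & 4 )) -ne 0 ]
}

# Demo in a scratch directory (constructed paths; nothing under /dev is touched).
demo() {
    dir=$(mktemp -d) || return 1
    echo "default:  $(node_mode_default "$dir")"
    echo "explicit: $(node_mode_explicit "$dir")"
    for n in default explicit; do
        if other_readable "$dir/$n"; then
            echo "$n: world-readable"
        else
            echo "$n: restricted"
        fi
    done
    rm -rf "$dir"
}
demo
```

The other_readable helper can also be pointed at /dev/systty on a host to check whether it carries the 0644 mode described above.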