-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [EMAIL PROTECTED]:~$ ls -l /dev/tty0 crw------- 1 root root 4, 0 Jul 19 2002 /dev/tty0 [EMAIL PROTECTED]:~$ ls -l /dev/tty1 crw------- 1 root root 4, 1 Apr 18 21:03 /dev/tty1 [EMAIL PROTECTED]:~$ ls -l /dev/tty2 crw------- 1 root root 4, 2 Apr 18 21:03 /dev/tty2 [EMAIL PROTECTED]:~$ ls -l /dev/tty3 crw------- 1 root root 4, 3 Apr 18 21:03 /dev/tty3 [EMAIL PROTECTED]:~$ ls -l /dev/tty4 crw------- 1 root root 4, 4 Apr 18 21:03 /dev/tty4 [EMAIL PROTECTED]:~$ ls -l /dev/tty5 crw------- 1 root root 4, 5 Apr 18 21:03 /dev/tty5 [EMAIL PROTECTED]:~$ ls -l /dev/tty6 crw------- 1 root root 4, 6 Apr 18 21:03 /dev/tty6
yes, the others are 666. Does it matter? Are they used or just pointless character devices? On Mon, 19 Apr 2004 at 05:07:13PM -0400, Jan Minar wrote: > Package: makedev > Version: 2.3.1-58 > Severity: important > Tags: security > > Hi > > Please check the permissions of /dev/tty([0-9])*, they seem to be a > free-for-all, which is no good. > > Thanks to Stephen Gran for telling me who to bug. > > The following patch would do, afaict: > > --- /sbin/MAKEDEV.ORIG Mon Apr 19 22:58:21 2004 > +++ /sbin/MAKEDEV Mon Apr 19 22:58:39 2004 > @@ -14,7 +14,7 @@ > private=" root root 0600" > system=" root root 0660" > kmem=" root kmem 0640" > - tty=" root tty 0666" > + tty=" root tty 0600" > cons=" root tty 0600" > vcs=" root root 0600" > dialout=" root dialout 0660" > > This is the discussion on debian-security that lead to this bugreport: > > > On Mon, Apr 19, 2004 at 04:15:41PM -0400, Stephen Gran wrote: > > This one time, at band camp, Matt Zimmerman said: > > > On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote: > > > > % ssh kh > > > > [EMAIL PROTECTED]'s password: > > > > Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown > > > > % echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63 > > > > % while :; do echo -e '\033[12;63]' > /dev/tty63; done > > > > > > The relevant permissions are more restrictive with udev: > > > > > > crw------- 1 root root 4, 63 2004-03-17 16:23 /dev/tty63 > > > > And on a newly installed sid box: > > crw------- 1 root tty 4, 63 2004-03-23 16:49 /dev/tty63 > > > > No udev here. Previous installs may have had bad permissions, but > > current ones do not. Perhaps, Jan, if you're interested, file a bug > > against makedev or one fo the other associated packages, asking them to > > check the permissions on these devices on upgrade, and correct if > > necessary. Seems trivial enough to do. A patch would probably not > > hurt. > > -- System Information > Debian Release: 3.0 > Architecture: i386 > Kernel: Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 > Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 > > Versions of packages makedev depends on: > ii base-passwd 3.4.1 Debian Base System Password/Group - -- Phillip Hofmeister PGP/GPG Key: http://www.zionlth.org/~plhofmei/ wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAhEP5S3Jybf3L5MQRAtfuAJ40TFzSQFCNN0UmbyQtM2QM0mSrUACgjmY2 ssBFqnnpuHMCHOf3qbaKiU4= =2O8y -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
