(I'm copying so much text because the original didn't make it to debian-user)
Helge Hafting <[EMAIL PROTECTED]> writes:

> In <[EMAIL PROTECTED]>, on 09/15/98
>    at 10:08 AM, Daniel Martin <[EMAIL PROTECTED]> said:
>
> >"Paul M. Foster" <[EMAIL PROTECTED]> writes:
> > [...]
> >> 2) Is there a liability to changing the permissions on these device files
> >> so that regular users have r/w access to them?
> >Well, how comfortable are you with the ability of anyone logged in (or
> >even with a process running) on your machine being able to grab the
> >contents of any of the virtual consoles? If you do this, then anyone
> >will be able to grab anything that appears on the screen. It's not as
> >bad as xhost +, since they won't be able to send keys to, say, your root
> >shell, but the ability to log everything may be a bit unnerving. Also,
> >there's major nuisance potential since they could make any virtual screen
> >display anything.
>
> I haven't tested this yet, but consider the following:
> There is a file in /etc (sorry, don't remember which one)
> that can specify what groups a user will be added to when logging in on
> the console. One documented use for this is to grant membership to group
> "audio" so that anyone currently logged in on the console may use the
> audio device. Surely this trick could work with /dev/vcsa*, set the
> group to audio or create a new group for this purpose.
>
> Note that the audio trick isn't on by default, you must edit that file.
> (Do a "grep audio /etc/*" in order to find what file this is in.) The
> reason is that a hacker user is able to get permanent membership in the
> groups listed. Using this is still better than granting anybody access to
> /dev/vcsa as many users don't know the hack involved, and I believe they
> need to use the console in order to do it. No problem if the hacker never
> gets near the console.

True; (the file is /etc/login.defs). However, I'd not call the way one
gets access to one of these groups permanently a "hack" - I'd call it
basic Unix knowledge. (I mean, if you know what it means to have a
program setgid and know how to make a program setgid, you've got it).
But yes, if the console is in a secure environment, then there's no risk
in doing this.
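
An audit for the retained-group problem discussed in this thread, as an added example that is not part of the original messages: it reads the console groups from /etc/login.defs and reports setgid files that carry one of those groups. It assumes the setting is the CONSOLE_GROUPS line of shadow's login.defs (the thread names only the file); the group name "vcs" in the sample and the /home scan root are constructed for illustration.

```python
import grp
import os
import stat

# Constructed sample of the relevant /etc/login.defs lines ("vcs" is hypothetical).
SAMPLE_LOGIN_DEFS = """\
# CONSOLE_GROUPS floppy:audio   (commented out, so ignored)
CONSOLE_GROUPS\t\taudio:vcs
"""

def console_groups(login_defs_text):
    """Return the group names from the active CONSOLE_GROUPS line, if any."""
    groups = []
    for line in login_defs_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "CONSOLE_GROUPS":
            groups = [g for g in fields[1].split(":") if g]
    return groups

def keeps_group(mode, gid, watched_gids):
    """True for a regular file that is setgid to one of the watched groups."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISGID) and gid in watched_gids

def audit(root, watched_gids):
    """Walk root; return (path, owner_uid, gid) for every matching file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable
            if keeps_group(st.st_mode, st.st_gid, watched_gids):
                hits.append((path, st.st_uid, st.st_gid))
    return hits

if __name__ == "__main__":
    with open("/etc/login.defs") as fh:
        names = console_groups(fh.read())
    gids = set()
    for n in names:
        try:
            gids.add(grp.getgrnam(n).gr_gid)
        except KeyError:
            print(f"warning: group {n!r} is listed but does not exist")
    for path, uid, gid in audit("/home", gids):  # scan root is an assumption
        print(f"setgid gid={gid} owner uid={uid}: {path}")
```

Any hit owned by an ordinary user means that user keeps the console group's access to the device after logging out, which is the case the thread warns about.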