Re: devfsd permissions and makedev permissions coordination
On Sep 11, Daniel Jacobowitz <[EMAIL PROTECTED]> wrote: >> >> This is obviously wrong, ttys must have 620 permissions (or 600 if you >> >> don't want people talk(1)ing to you, but I think the default should be >> >> to allow it). >> >For ttys "owned" by a shell that's true, but it's set up by login(1), not >> >MAKEDEV (or devfsd). For other ttys (vcs, not serial etc.), the current >> If you use open(1) you get 666 ttys. This is a problem IMO. >Sounds to me like a bug in open(1) then, no? Does it at least chown() >them to the user opening them? Yes, because this is what it's expected to do. But I see no good reason for devfsd to create devices with insecure permissions. -- ciao, Marco -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: devfsd permissions and makedev permissions coordination
On Mon, Sep 11, 2000 at 01:18:02PM +0200, Marco d'Itri wrote: > On Sep 11, Tom Lees <[EMAIL PROTECTED]> wrote: > > >> This is obviously wrong, ttys must have 620 permissions (or 600 if you > >> don't want people talk(1)ing to you, but I think the default should be > >> to allow it). > >For ttys "owned" by a shell that's true, but it's set up by login(1), not > >MAKEDEV (or devfsd). For other ttys (vcs, not serial etc.), the current > If you use open(1) you get 666 ttys. This is a problem IMO. Sounds to me like a bug in open(1) then, no? Does it at least chown() them to the user opening them? Dan /\ /\ | Daniel Jacobowitz|__|SCS Class of 2002 | | Debian GNU/Linux Developer__Carnegie Mellon University | | [EMAIL PROTECTED] | | [EMAIL PROTECTED] | \/ \/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: devfsd permissions and makedev permissions coordination
On Sep 11, Tom Lees <[EMAIL PROTECTED]> wrote: >> This is obviously wrong, ttys must have 620 permissions (or 600 if you >> don't want people talk(1)ing to you, but I think the default should be >> to allow it). >For ttys "owned" by a shell that's true, but it's set up by login(1), not >MAKEDEV (or devfsd). For other ttys (vcs, not serial etc.), the current If you use open(1) you get 666 ttys. This is a problem IMO. -- ciao, Marco -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: devfsd permissions and makedev permissions coordination
On Sun, Sep 10, 2000 at 09:56:30PM +0200, Marco d'Itri wrote: > On Sep 10, Tom Lees <[EMAIL PROTECTED]> wrote: > > >Terminal devices [1]root.tty 0666 > This is obviously wrong, ttys must have 620 permissions (or 600 if you > don't want people talk(1)ing to you, but I think the default should be > to allow it). > It's a huge security hole because with a ioctl you can inject commands > into shells not owned by you. For ttys "owned" by a shell that's true, but it's set up by login(1), not MAKEDEV (or devfsd). For other ttys (vcs, not serial etc.), the current behaviour of MAKEDEV is to create them root.root 0666. Serial devices are created root.dialout 0660. -- Tom Lees <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: devfsd permissions and makedev permissions coordination
On Sep 10, Tom Lees <[EMAIL PROTECTED]> wrote: >Terminal devices [1] root.tty 0666 This is obviously wrong, ttys must have 620 permissions (or 600 if you don't want people talk(1)ing to you, but I think the default should be to allow it). It's a huge security hole because with a ioctl you can inject commands into shells not owned by you. -- ciao, Marco -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
