Debian Bug report logs - #244751
/dev/tty[0-9a-z].* should not be world-read/writeable

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jan Minar <jjminar@fastmail.fm>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Cc: debian-security@lists.debian.org

Subject: makedev: /dev/tty([0-9])* should not have 666 permissions

Date: Mon, 19 Apr 2004 23:07:13 +0200

[Message part 1 (text/plain, inline)]

Package: makedev
Version: 2.3.1-58
Severity: important
Tags: security

Hi

Please check the permissions of /dev/tty([0-9])*, they seem to be a
free-for-all, which is no good.

Thanks to Stephen Gran for telling me who to bug.

The following patch would do, afaict:

--- /sbin/MAKEDEV.ORIG	Mon Apr 19 22:58:21 2004
+++ /sbin/MAKEDEV	Mon Apr 19 22:58:39 2004
@@ -14,7 +14,7 @@
 private="  root root   0600"
  system="  root root   0660"
    kmem="  root kmem   0640"
-    tty="  root tty    0666"
+    tty="  root tty    0600"
    cons="  root tty    0600"
     vcs="  root root   0600"
 dialout="  root dialout 0660"

This is the discussion on debian-security that lead to this bugreport:


On Mon, Apr 19, 2004 at 04:15:41PM -0400, Stephen Gran wrote:
> This one time, at band camp, Matt Zimmerman said:
> > On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote:
> > > % ssh kh
> > > jan@kh's password:
> > > Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
> > > % echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
> > > % while :; do echo -e '\033[12;63]' > /dev/tty63; done
> > 
> > The relevant permissions are more restrictive with udev:
> > 
> > crw-------    1 root     root       4,  63 2004-03-17 16:23 /dev/tty63
> 
> And on a newly installed sid box:
> crw-------    1 root     tty        4,  63 2004-03-23 16:49 /dev/tty63
>
> No udev here.  Previous installs may have had bad permissions, but
> current ones do not.  Perhaps, Jan, if you're interested, file a bug
> against makedev or one fo the other associated packages, asking them to
> check the permissions on these devices on upgrade, and correct if
> necessary.  Seems trivial enough to do.  A patch would probably not
> hurt.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2

Versions of packages makedev depends on:
ii  base-passwd                   3.4.1      Debian Base System Password/Group 

[Message part 2 (application/pgp-signature, inline)]

Message #10 received at 244751@bugs.debian.org (full text, mbox, reply):

From: Phillip Hofmeister <plhofmei@zionlth.org>

To: debian-security@lists.debian.org, 244751@bugs.debian.org

Subject: Re: makedev: /dev/tty([0-9])* should not have 666 permissions

Date: Mon, 19 Apr 2004 17:26:25 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

plhofmei@Oneill:~$ ls -l /dev/tty0
crw-------    1 root     root       4,   0 Jul 19  2002 /dev/tty0
plhofmei@Oneill:~$ ls -l /dev/tty1
crw-------    1 root     root       4,   1 Apr 18 21:03 /dev/tty1
plhofmei@Oneill:~$ ls -l /dev/tty2
crw-------    1 root     root       4,   2 Apr 18 21:03 /dev/tty2
plhofmei@Oneill:~$ ls -l /dev/tty3
crw-------    1 root     root       4,   3 Apr 18 21:03 /dev/tty3
plhofmei@Oneill:~$ ls -l /dev/tty4
crw-------    1 root     root       4,   4 Apr 18 21:03 /dev/tty4
plhofmei@Oneill:~$ ls -l /dev/tty5
crw-------    1 root     root       4,   5 Apr 18 21:03 /dev/tty5
plhofmei@Oneill:~$ ls -l /dev/tty6
crw-------    1 root     root       4,   6 Apr 18 21:03 /dev/tty6

yes, the others are 666.  Does it matter?  Are they used or just
pointless character devices?


On Mon, 19 Apr 2004 at 05:07:13PM -0400, Jan Minar wrote:
> Package: makedev
> Version: 2.3.1-58
> Severity: important
> Tags: security
> 
> Hi
> 
> Please check the permissions of /dev/tty([0-9])*, they seem to be a
> free-for-all, which is no good.
> 
> Thanks to Stephen Gran for telling me who to bug.
> 
> The following patch would do, afaict:
> 
> --- /sbin/MAKEDEV.ORIG	Mon Apr 19 22:58:21 2004
> +++ /sbin/MAKEDEV	Mon Apr 19 22:58:39 2004
> @@ -14,7 +14,7 @@
>  private="  root root   0600"
>   system="  root root   0660"
>     kmem="  root kmem   0640"
> -    tty="  root tty    0666"
> +    tty="  root tty    0600"
>     cons="  root tty    0600"
>      vcs="  root root   0600"
>  dialout="  root dialout 0660"
> 
> This is the discussion on debian-security that lead to this bugreport:
> 
> 
> On Mon, Apr 19, 2004 at 04:15:41PM -0400, Stephen Gran wrote:
> > This one time, at band camp, Matt Zimmerman said:
> > > On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote:
> > > > % ssh kh
> > > > jan@kh's password:
> > > > Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
> > > > % echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
> > > > % while :; do echo -e '\033[12;63]' > /dev/tty63; done
> > > 
> > > The relevant permissions are more restrictive with udev:
> > > 
> > > crw-------    1 root     root       4,  63 2004-03-17 16:23 /dev/tty63
> > 
> > And on a newly installed sid box:
> > crw-------    1 root     tty        4,  63 2004-03-23 16:49 /dev/tty63
> >
> > No udev here.  Previous installs may have had bad permissions, but
> > current ones do not.  Perhaps, Jan, if you're interested, file a bug
> > against makedev or one fo the other associated packages, asking them to
> > check the permissions on these devices on upgrade, and correct if
> > necessary.  Seems trivial enough to do.  A patch would probably not
> > hurt.
> 
> -- System Information
> Debian Release: 3.0
> Architecture: i386
> Kernel: Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686
> Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2
> 
> Versions of packages makedev depends on:
> ii  base-passwd                   3.4.1      Debian Base System Password/Group 



- -- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAhEP5S3Jybf3L5MQRAtfuAJ40TFzSQFCNN0UmbyQtM2QM0mSrUACgjmY2
ssBFqnnpuHMCHOf3qbaKiU4=
=2O8y
-----END PGP SIGNATURE-----

Message #15 received at 244751@bugs.debian.org (full text, mbox, reply):

From: Jan Minar <jjminar@fastmail.fm>

To: debian-security@lists.debian.org, 244751@bugs.debian.org

Subject: Re: makedev: /dev/tty([0-9])* should not have 666 permissions

Date: Mon, 19 Apr 2004 23:50:15 +0200

[Message part 1 (text/plain, inline)]

Hi, Phillip!

Thank for a storm-swift reply 8-)

It seems like they should be 660, not 600, as I suggested (wall(1) and
talkd(1) would break otherwise, probably).

On Mon, Apr 19, 2004 at 05:26:25PM -0400, Phillip Hofmeister wrote:
> yes, the others are 666.  Does it matter?  Are they used or just
> pointless character devices?

Yes, thanks to the escape sequences they are a backdoor to the system;
(don't) try the sploit below, it would keep changing the terminal to
/dev/tty63 so fast, you won't be able to switch back or kill the
offender, not even as a root.  The only remedy would be to connect to
the comp from another terminal (serial, ssh, ...).  On many systems, the
only remedy would be to reboot.  

Although this is of course possible to do locally, the 666 permissions
allow doing this *remotely*; even with a guest account, for example.  Or
in a at(1) entry, or crontab. 

I'd getting more and more convinced this should be tagged critical.

> On Mon, 19 Apr 2004 at 05:07:13PM -0400, Jan Minar wrote:
> > > > > % ssh kh
> > > > > jan@kh's password:
> > > > > Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
> > > > > % echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
> > > > > % while :; do echo -e '\033[12;63]' > /dev/tty63; done

The last line is important.

-- 
   "To me, clowns aren't funny. In fact, they're kind of scary. I've wondered
 where this started and I think it goes back to the time I went to the circus,
			  and a clown killed my dad."

[Message part 2 (application/pgp-signature, inline)]

Message #20 received at 244751@bugs.debian.org (full text, mbox, reply):

From: Matt Zimmerman <mdz@debian.org>

To: 244751@bugs.debian.org

Subject: Re: makedev: /dev/tty([0-9])* should not have 666 permissions

Date: Mon, 19 Apr 2004 14:20:13 -0700

Please copy team@security.debian.org with your assessment of this bug, the
proposed fix, and any action that should be taken with regard to woody.

-- 
 - mdz

Message #25 received at 244751@bugs.debian.org (full text, mbox, reply):

From: Russell Coker <russell@coker.com.au>

To: debian-security@lists.debian.org

Cc: Jan Minar <jjminar@fastmail.fm>, 244751@bugs.debian.org

Subject: Re: makedev: /dev/tty([0-9])* should not have 666 permissions

Date: Tue, 20 Apr 2004 11:40:13 +1000

On Tue, 20 Apr 2004 07:50, Jan Minar <jjminar@fastmail.fm> wrote:
> It seems like they should be 660, not 600, as I suggested (wall(1) and
> talkd(1) would break otherwise, probably).

What prevents wall from sending those escape sequences?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Message #30 received at 244751@bugs.debian.org (full text, mbox, reply):

From: Jan Minar <jjminar@fastmail.fm>

To: 244751@bugs.debian.org

Cc: Jan Minar <jan@haltyr.bohnice.centrum.czf>

Subject: Re: makedev: /dev/tty([0-9])* should not have 666 permissions

Date: Tue, 20 Apr 2004 07:00:23 +0200

[Message part 1 (text/plain, inline)]

On Tue, Apr 20, 2004 at 11:40:13AM +1000, Russell Coker wrote:
> On Tue, 20 Apr 2004 07:50, Jan Minar <jjminar@fastmail.fm> wrote:
> > It seems like they should be 660, not 600, as I suggested (wall(1) and
> > talkd(1) would break otherwise, probably).
> 
> What prevents wall from sending those escape sequences?

Good intentions of its coders -- they are filtered out (or they should
be).  Both talkd & wall are sgid tty, and they are controlled channels
of writing things to the user terminal(s).  The user can dismiss them by
``mesg n''.

Maybe the escape sequences should be banned altogether, but even then
wall & talkd should be allowed to do their job.

-- 
   "To me, clowns aren't funny. In fact, they're kind of scary. I've wondered
 where this started and I think it goes back to the time I went to the circus,
			  and a clown killed my dad."

[Message part 2 (application/pgp-signature, inline)]

Message #37 received at 244751-close@bugs.debian.org (full text, mbox, reply):

From: Bdale Garbee <bdale@gag.com>

To: 244751-close@bugs.debian.org

Subject: Bug#244751: fixed in makedev 2.3.1-67

Date: Fri, 23 Apr 2004 18:47:03 -0400

Source: makedev
Source-Version: 2.3.1-67

We believe that the bug you reported is fixed in the latest version of
makedev, which is due to be installed in the Debian FTP archive:

makedev_2.3.1-67.diff.gz
  to pool/main/m/makedev/makedev_2.3.1-67.diff.gz
makedev_2.3.1-67.dsc
  to pool/main/m/makedev/makedev_2.3.1-67.dsc
makedev_2.3.1-67_all.deb
  to pool/main/m/makedev/makedev_2.3.1-67_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 244751@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated makedev package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 23 Apr 2004 16:06:41 -0600
Source: makedev
Binary: makedev
Architecture: source all
Version: 2.3.1-67
Distribution: unstable
Urgency: medium
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 makedev    - Creates device files in /dev
Closes: 244751 245441
Changes: 
 makedev (2.3.1-67) unstable; urgency=medium
 .
   * change default permission on tty devices from 0666 to 0660, which makes
     denial of service attacks on the console by local users harder,
     closes: #244751
   * if udev is running and we're in /dev, relocate to /etc/udev/.dev/,
     thus avoiding the need for a diversion, closes: #245441
   * urgency cranked up to get these into testing soonish
Files: 
 713973b14cde3374c1b6c0b4467f31a7 552 base required makedev_2.3.1-67.dsc
 c126a8ed66dfdeb29a7429e4fc0da235 45118 base required makedev_2.3.1-67.diff.gz
 f0ca2af6a493f6329447349ecc2d6e1e 39074 base required makedev_2.3.1-67_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAiZo/ZKfAp/LPAagRAgF2AJ9aV7z/gpCAyjNrI8TRr4wg+XQjyQCdE5ZZ
4uLHrSdlLS9s5C2QimoRvPo=
=PzCZ
-----END PGP SIGNATURE-----

Message #42 received at 244751@bugs.debian.org (full text, mbox, reply):

From: Jan Minar <jjminar@fastmail.fm>

To: 244751@bugs.debian.org, debian-devel@lists.debian.org

Subject: /dev/tty[0-9]* should be chmod 0620, not 0660 -- or not? [Was: Bug#244751 acknowledged by developer (Bug#244751: fixed in makedev 2.3.1-67)]

Date: Sat, 24 Apr 2004 16:48:30 +0200

[Message part 1 (text/plain, inline)]

On Fri, Apr 23, 2004 at 04:03:06PM -0700, Debian Bug Tracking System wrote:
>    * change default permission on tty devices from 0666 to 0660, which makes
>      denial of service attacks on the console by local users harder,
>      closes: #244751

0660 probably is too much; 0620 would be probably more appropriate.
Would any of your devel people have problems with /dev/tty[0-9]* being
not group readable?

Please do CC me, I'm not subscribed to debian-devel.

Cheers,
Jan.


Supportive evidence:

Judging by the example of ptys:

% ls -l /dev/pts/
total 0
cr--------    1 jan      tty      136,   1 Apr 24 16:36 1
crw--w----    1 jan      tty      136,  11 Apr 24 16:31 11
crw--w----    1 jan      tty      136,   2 Apr 24 14:43 2
crw--w----    1 jan      tty      136,   3 Apr 24 16:11 3
crw--w----    1 jan      tty      136,   7 Apr 24 16:36 7
    ^^^

Now the only programs I have here which are sgid tty are these 2:

-rwxr-sr-x    1 root     tty          9736 Dec 24  2002 /usr/bin/wall
-rwxr-sr-x    1 root     tty          7540 Jul  4  2002 /usr/bin/write

..And I know of one other one: talkd. These wouldn't use read
permissions, afaik.

-- 
   "To me, clowns aren't funny. In fact, they're kind of scary. I've wondered
 where this started and I think it goes back to the time I went to the circus,
			  and a clown killed my dad."

[Message part 2 (application/pgp-signature, inline)]

Message #47 received at 244751@bugs.debian.org (full text, mbox, reply):

From: Jan Minar <jjminar@fastmail.fm>

To: 244751@bugs.debian.org

Subject: /dev/tty must be 666

Date: Sun, 25 Apr 2004 03:07:35 +0200

[Message part 1 (text/plain, inline)]

On Fri, Apr 23, 2004 at 04:03:06PM -0700, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> #244751: makedev: /dev/tty([0-9])* should not have 666 permissions,

>    * change default permission on tty devices from 0666 to 0660, which makes
>      denial of service attacks on the console by local users harder,
>      closes: #244751

But /dev/tty apparently must be 0666.  ssh, gpg, and other stuff that
uses /dev/tty to ensure it's talking to the terminal (i.e. mostly
security thingies, got b0rked).


02:33 < mosty> i just did an upgrade on sid, which upgraded gaim and
makedev, and it seems to have broken ssh.  whenever i try to ssh to
another host, i get "ssh_askpass: exec(/usr/bin/ssh-askpass): No such
file or directory".
02:33 < robochan> mosty: ditto
02:34 < mosty> robochan, have you been able to track down any reasons
why this happened?
02:36 < mosty> robochan, works as root here too
02:39 < mosty> threefold, you mean in woody? hell no
02:47 < mosty> def, why won't it work?
02:54 < robochan> mosty: chmod 666 /dev/tty
02:55 < robochan> mosty: that should fix it
02:56 < mosty> robochan, ahh, naughty makedev
02:56 < mosty> thanks
02:57 < rdancer> mosty: please ls -l /dev/tty for me
02:57 < robochan> yup...the changelog forit mentioned the permchanges
02:58 < robochan> rdancer: rw-rw--- before rw-rw-rw after

Thanks.
Jan.

-- 
   "To me, clowns aren't funny. In fact, they're kind of scary. I've wondered
 where this started and I think it goes back to the time I went to the circus,
			  and a clown killed my dad."

[Message part 2 (application/pgp-signature, inline)]

Message #52 received at 244751@bugs.debian.org (full text, mbox, reply):

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

To: 244751@bugs.debian.org

Cc: jjminar@fastmail.fm

Subject: See #245735

Date: Sun, 25 Apr 2004 17:12:16 +0200

Refer to #245735, which describes the problem when /dev/tty is changed
too.

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl

Message #57 received at 244751@bugs.debian.org (full text, mbox, reply):

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

To: Matt Zimmerman <mdz@debian.org>, team@security.debian.org

Cc: 244751@bugs.debian.org, control@bugs.debian.org

Subject: Re: makedev: /dev/tty([0-9])* should not have 666 permissions

Date: Sun, 25 Apr 2004 18:01:23 +0200

reopen 244751 
thanks

On Mon, Apr 19, 2004 at 02:20:13PM -0700, Matt Zimmerman wrote:
> Please copy team@security.debian.org with your assessment of this bug, the
> proposed fix, and any action that should be taken with regard to woody.

This bug is fixed in sid, but present in woody, therefore reopening,
keeping tags woody+security.

My personal assassment (note: IANADD, also not the maintainer for this
package):

With this bug present, any process in the system, that is, any user
logged in or for example able to write to a random file, can 'control'
an unused virtual terminal, because  /dev/tty[0-9]* is world writeable
for high, unused tty's.

With unused terminals, one can't do much if I understand correctly, but
one CAN use it to change terminals on the computer, simulating a
Ctrl+Alt+F1-6 so to say. If done in a while loop, the user physically in
front of the computer loses control and can't fix it, it's display and
controlling keyboard are switching too fast. Remove logons, f.e. via ssh
login, are not affected by this.

Proposed fix: a new makedev fixing up /dev/tty[0-9]* permissions towards
0660, world read/writeability isn't needed.

NOTE: /dev/tty[0-9]* is a shell glob pattern, NOT a regex. Concrete:
/dev/tty should really remain 0666.

--Jeroen

-- 
Jeroen van Wolffelaar
jeroen@wolffelaar.nl
http://jeroen.A-Eskwadraat.nl

Message #62 received at 244751@bugs.debian.org (full text, mbox, reply):

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

To: Matt Zimmerman <mdz@debian.org>, team@security.debian.org

Cc: 244751@bugs.debian.org, control@bugs.debian.org

Subject: Re: makedev: /dev/tty([0-9])* should not have 666 permissions

Date: Sun, 25 Apr 2004 18:09:06 +0200

retitle 244751 /dev/tty[0-9a-z].* should not be world-read/writeable
thanks

This actually is about /dev/tty[0-9a-z].*, /dev/ttyS.* are already okay on 
woody systems, and /dev/ttyaz etc should be fixed too.

--Jeroen

-- 
Jeroen van Wolffelaar
jeroen@wolffelaar.nl
http://jeroen.A-Eskwadraat.nl

Message #71 received at 244751@bugs.debian.org (full text, mbox, reply):

From: Osamu Aoki <osamu@debian.org>

To: Jan Minar <jjminar@fastmail.fm>, 244751@bugs.debian.org, debian-devel@lists.debian.org

Subject: Re: /dev/tty[0-9]* should be chmod 0620, not 0660 -- or not? [Was: Bug#244751 acknowledged by developer (Bug#244751: fixed in makedev 2.3.1-67)]

Date: Tue, 27 Apr 2004 00:07:59 +0200

Hi,  I am wandering how others felt on this 244751 fix.  I felt this will
cause hassles for all local admin but does not really provide any gains
in the aimed objective.

On Sat, Apr 24, 2004 at 04:48:30PM +0200, Jan Minar wrote:
> On Fri, Apr 23, 2004 at 04:03:06PM -0700, Debian Bug Tracking System wrote:
> >    * change default permission on tty devices from 0666 to 0660, which makes
> >      denial of service attacks on the console by local users harder,
> >      closes: #244751
> 
> 0660 probably is too much; 0620 would be probably more appropriate.
> Would any of your devel people have problems with /dev/tty[0-9]* being
> not group readable?

I do not quite understand above but this new change of /sbin/MAKEDEV
certainly caused me to change my entire system.  Now I have to list all
real uses as group "tty" to be able to use gpg, mutt/url_view etc.  So
many packages are affected.  /dev/tty?? is one thing but putting
restrictive permission to /dev/tty has caused hassle for me.

> Now the only programs I have here which are sgid tty are these 2:
> 
> -rwxr-sr-x    1 root     tty          9736 Dec 24  2002 /usr/bin/wall
> -rwxr-sr-x    1 root     tty          7540 Jul  4  2002 /usr/bin/write

In my system:
-rwxr-sr-x    1 root     tty          7960 Apr 11 01:27 bsd-write
-rwxr-sr-x    1 root     tty          9816 Dec  7 04:35 wall

> ..And I know of one other one: talkd. These wouldn't use read
> permissions, afaik.

I wonder if we all want to put sgid tty for all tty accessing program
such as gpg. (Alternatively adding everyone to tty group)

Also, I wonder how much we gained from this fix.  As long as we have
sgid tty program such as wall, we can write to terminal doing some damage :)

I am talking issues solved by this fix:
 With this bug present, any process in the system, that is, any user
 logged in or for example able to write to a random file, can 'control'
 an unused virtual terminal, because  /dev/tty[0-9]* is world writable
 for high, unused tty's.

With such sgid programs, anyone have decent access to these terminals.

Am I confused about situation?

If we want to limit the console access to /dev/tty, it looks to me that
we may need a bit careful arrangement.

Osamu

Message #76 received at 244751@bugs.debian.org (full text, mbox, reply):

From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>

To: Jan Minar <jjminar@fastmail.fm>

Cc: 244751@bugs.debian.org, debian-devel@lists.debian.org

Subject: Re: /dev/tty[0-9]* should be chmod 0620, not 0660 -- or not?

Date: Tue, 27 Apr 2004 00:58:50 +0200

Osamu Aoki <osamu@debian.org> writes:

> I am talking issues solved by this fix:
>  With this bug present, any process in the system, that is, any user
>  logged in or for example able to write to a random file, can 'control'
>  an unused virtual terminal, because  /dev/tty[0-9]* is world writable
>  for high, unused tty's.
>
> With such sgid programs, anyone have decent access to these terminals.
>
> Am I confused about situation?
>
> If we want to limit the console access to /dev/tty, it looks to me that
> we may need a bit careful arrangement.
>
> Osamu

You can start your own login prompt on an unused tty and record users
passwords. I think this is a very real secruity risk. The sgid tty
programs are hopefully bugfree so they can't be used to start a fake
login programm on a tty or similar.

With devfs /dev/tty is

crw-rw-rw-    1 root     root       5,   0 Apr 27 00:15 /dev/tty

so ssh, gpg, su, ... all work as expected. But /dev/vc/* (/dev/tty??)
is:

crw-------    1 root     root       4,   0 Jan  1  1970 0
crw-------    1 mrvn     tty        4,   1 Apr 27 00:43 1
crw-------    1 root     root       4,  10 Jan  1  1970 10
crw-------    1 root     root       4,  11 Jan  1  1970 11
crw-------    1 mrvn     mrvn       4,   7 Jan  1  1970 7

Running "mesg y" on the console gives:

crw--w----    1 mrvn     tty        4,   1 Apr 27 00:55 1

I haven't seen any software fail because of this.

MfG
        Goswin

Message #81 received at 244751@bugs.debian.org (full text, mbox, reply):

From: Osamu Aoki <osamu@debian.org>

To: Jan Minar <jjminar@fastmail.fm>, 244751@bugs.debian.org, debian-devel@lists.debian.org

Subject: Re: /dev/tty[0-9]* should be chmod 0620, not 0660 -- or not? [Was: Bug#244751 acknowledged by developer (Bug#244751: fixed in makedev 2.3.1-67)]

Date: Tue, 27 Apr 2004 01:02:51 +0200

Hi,

On Tue, Apr 27, 2004 at 12:07:59AM +0200, Osamu Aoki wrote:
> Hi,  I am wandering how others felt on this 244751 fix.  I felt this will
> cause hassles for all local admin but does not really provide any gains
> in the aimed objective.
...
> I do not quite understand above but this new change of /sbin/MAKEDEV
> certainly caused me to change my entire system.  Now I have to list all
> real uses as group "tty" to be able to use gpg, mutt/url_view etc.  So
> many packages are affected.  /dev/tty?? is one thing but putting
> restrictive permission to /dev/tty has caused hassle for me.

Although it has not shown up on my moirror, fix seens to be up.  So I
will wait.  Thanks.

Osamu

Message #86 received at 244751@bugs.debian.org (full text, mbox, reply):

From: Bdale Garbee <bdale@gag.com>

To: Osamu Aoki <osamu@debian.org>

Cc: 244751@bugs.debian.org

Subject: Re: Bug#244751: /dev/tty[0-9]* should be chmod 0620, not 0660 -- or not?

Date: Mon, 26 Apr 2004 19:45:39 -0600

Osamu Aoki <osamu@debian.org> writes:

> /dev/tty?? is one thing but putting
> restrictive permission to /dev/tty has caused hassle for me.

I'm sorry, that was just a bug.  I did not intend to change the permissions
of /dev/tty.

This is fixed in -68.

Bdale

Message #91 received at 244751-done@bugs.debian.org (full text, mbox, reply):

From: bdale@gag.com (Bdale Garbee)

To: 244751-done@bugs.debian.org

Subject: fixed

Date: Sun, 30 May 2004 00:01:40 -0300 (BRT)

This was fixed in -68.

Bdale

Send a report that this bug log contains spam.