[10820] in bugtraq
Re: RedHat 6.0, /dev/pts permissions bug when using xterm
daemon@ATHENA.MIT.EDU (Brian D. Winters)
Mon Jun 14 15:44:24 1999
Mail-Followup-To: BUGTRAQ@netspace.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990614104608.B22323@flake.dyndns.org>
Date: Mon, 14 Jun 1999 10:46:08 -0700
Reply-To: "Brian D. Winters" <brianw@ALUMNI.CALTECH.EDU>
From: "Brian D. Winters" <brianw@ALUMNI.CALTECH.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19990611112941.A3686@penguin.wunsch.org>; from Scott Wunsch on
Fri, Jun 11, 1999 at 11:29:42AM -0600
On Fri, Jun 11, 1999 at 11:29:42AM -0600, Scott Wunsch wrote:
> > This is not sufficient when using rxvt and apparently several other
> > xterm-a-likes. By default rxvt overides the gid with the user's gid
> > and changes the permissions to 622, even if the permissions specified
> > in fstab are more restrictive than 622. The solution with rxvt is to
> > pass --enable-ttygid to the configure script.
>
> I've been playing with this, and --enable-ttygid isn't enough either. It looks
> like rxvt has to bee suid root in order to set the gid on the tty. Mortals
> can't do it:
>
> [scott@pytheas] ~$ chgrp tty /dev/pts/1
> chgrp: you are not a member of group `tty': Operation not permitted
>
>
> So which one is the bigger security risk? Suid root xterms or world-writable
> pseudottys?
Sorry to respond a few days late, but it just occurred to me what you
are missing here. My rxvt is not suid or sgid, because /dev/pts is
mounted with tty as the default group, which was mentioned earlier as
being part of the solution:
none /dev/pts devpts gid=5,mode=620 0 0
On my system gid 5 is tty. So, if you do that and use the
--enable-ttygid switch when you build rxvt, you have no world writable
pseudottys and rxvt has no special privileges. Sounds to me like that
is as good as it gets.
Brian
