[10745] in bugtraq


Re: RedHat 6.0, /dev/pts permissions bug when using xterm

daemon@ATHENA.MIT.EDU (Michael Jennings)
Tue Jun 8 12:29:25 1999

Mail-Followup-To: noc-wage <wage@IDIRECT.CA>, BUGTRAQ@NETSPACE.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990607125251.X4546@mw.3com.com>
Date: 	Mon, 7 Jun 1999 12:52:51 -0500
Reply-To: Michael Jennings <Michael_Jennings@MW.3COM.COM>
From: Michael Jennings <Michael_Jennings@MW.3COM.COM>
X-To:         noc-wage <wage@IDIRECT.CA>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <86256789.00600106.00@mwgate02.mw.3com.com>; from "noc-wage" on
              Sunday, 06 June 1999, at 19:15:05 (+0000)

On Sunday, 06 June 1999, at 19:15:05 (+0000),
noc-wage wrote:

> In the case of RedHat 6.0 with regular remote connections (like telnet)
> the standard permissions are as follows:
>
> crw--w----   1 ov3r     tty     136,   0 Jun  6 12:32 /dev/pts/0
>
> Here it's almost the same except that group "tty" also has write access.
>
>
> The problem lies in the way that the permissions are set for local
> connections with the X server using xterm.
> If you do an ls -l /dev/pts/<the xterm's tty> (we will use pts/0)
> you get:
> crw--w--w-   1 ov3r     ov3r     136,   0 Jun  6 12:32 /dev/pts/0
>
> Notice how now "everyone" has write access to this terminal?

If compiled with USE_TTY_GROUP defined, xterm checks for the "tty"
group.  If it exists, the permissions on the terminal device are set
to 0620.  If it does not exist, or if USE_TTY_GROUP is not defined,
the permissions are set to 0622.

You can fix this by either recompiling with USE_TTY_GROUP defined, or
by editing main.c and changing the permissions there.

Since Eterm was mentioned, I will go ahead and say this.  If Eterm
has sufficient permissions (either by being installed setuid root or
by being executed by the owner of the tty), it will change the
ownership and permissions on the device to 0620.  If it cannot change
the permissions on the device, any vulnerabilities resulting therefrom
are the responsibility of the system administrator.  No current
version of Eterm sets the permissions on any device file to 0622 under
Linux.

Michael

--
=======================================================================
Michael Jennings   <mej@mw.3com.com>   Co-author, Eterm (www.eterm.org)
UNIX Administrator, 3Com Corp., Chicago, IL              www.tcserv.com
