[10752] in bugtraq
Re: Red Hat 6.0, /dev/pts permissions bug when using xterm
daemon@ATHENA.MIT.EDU (Patrick Stoddard)
Tue Jun 8 13:13:58 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <005001beb140$51b1c260$01c559cc@cirs1.cirs.org>
Date: Mon, 7 Jun 1999 16:49:01 -0700
Reply-To: Patrick Stoddard <patrick@CIRS.ORG>
From: Patrick Stoddard <patrick@CIRS.ORG>
To: BUGTRAQ@NETSPACE.ORG
After seeing the previous message on this topic, I looked at my Red Hat 6.0
system (with the 2.2.5-22 kernel upgrade from Red Hat), and found that his
message is correct - when using a "gnome-terminal", as opposed to "xterm" or
"nxterm". All 3 types of terminals use the /dev/pts/(number) with this
version of Red Hat 6.0, but it looks like if you launch an "xterm" or
"nxterm" the permissions for those terminal windows are set like this:
crw--w---- 1 stoddard stoddard 136, 0 Jun 7 23:44 0
This would appear to give only my user login and group "stoddard" (on my
system, that group only has one user) write access to that terminal window.
It appears that the problem is with the "gnome-terminal" program, part of
the "gnome-core" RPM from the Red Hat 6.0 install (specifically, on my
system, that would be gnome-core-1.0.4-34.i386.rpm), that is susceptible to
the attacks mentioned in the previos message (and I have been able to do the
"cat /dev/urandom > /dev/pts/(number)" and see the random stream of
characters on that window.
Patrick Stoddard, M.I.S. Manager
Community Information & Referral
1515 E. Osborn Road
Phoenix AZ 85014-5390
E-mail: patrick@cirs.org
