[18422] in bugtraq
Re: Securax Advisory 13
daemon@ATHENA.MIT.EDU (Jarno Huuskonen)
Wed Jan  3 18:00:42 2001
Message-Id:  <20010103231044.A6267@laivuri63.uku.fi>
Date:         Wed, 3 Jan 2001 23:10:44 +0200
Reply-To: Jarno Huuskonen <jhuuskon@MESSI.UKU.FI>
From: Jarno Huuskonen <jhuuskon@MESSI.UKU.FI>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <01010306354802.02032@localhost.localdomain>; from
              teleh0r@DOGLOVER.COM on Wed, Jan 03, 2001 at 06:35:48AM +0100
On Wed, Jan 03, teleh0r wrote:
> The problem is the way that the telnet daemon assigns a new user
> a terminal - when a user is telling the telnetd who he is, and
> what his password is, his terminal will be awaiting in /dev/pts/
> and writable by anyone. As soon as he has logged in, it will not.

It's the /bin/login (from the util-linux package) that sets the /dev/pts/?
to mode 0622. (I think that when telnetd creates the tty in /dev/pts it's
created with gid=5,mode=0620 (or how you have mounted /dev/pts).)

Here's the code from util-linux-2.10f/login-utils/login.c:

  if((chown(ttyn, 0, 0) == 0) && (chmod(ttyn, 0622) == 0)) {
      tcsetattr(0,TCSAFLUSH,&ttt);
      signal(SIGHUP, SIG_IGN); /* so vhangup() wont kill us */
      vhangup();
      signal(SIGHUP, SIG_DFL);
  }

Can somebody explain why on earth the tty mode is set to 0622 during
authentication (instead of 0600 or something similar)?

What's going to break if I patch the chmod call to 0600 (at least telnetd
seems to work)?

-Jarno

PS. At least AIX 4.3.3 seems to set the /dev/pts/? to:
    c---------   1 root     system    28,  3 Jan 03 23:06 3
    during telnet auth.
--
Jarno Huuskonen - System Administrator   |  Jarno.Huuskonen@uku.fi
University of Kuopio - Computer Centre   |  Work:   +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland       |  Mobile: +358 40 5388169