[2476] in bugtraq
Re: World writable devices in Irix?
daemon@ATHENA.MIT.EDU (Douglas Siebert)
Thu Jan 4 17:34:50 1996
Date: Wed, 3 Jan 1996 21:52:18 -0600
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Douglas Siebert <dsiebert@icaen.uiowa.edu>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <9601021621.ZM20814@ukwit01> from "Lack Mr G M" at Jan 2, 96 04:21:48 pm
>
> On Dec 21, 8:52pm, Diego Zamboni wrote:
> > Subject: World writable devices in Irix?
> >
> > I'm just speculating here (I'm not an expert on Irix internals), but the
> > following default permissions in Irix 5.3 look a bit dangerous to me:
> >
> > crw-rw-rw- 1 root sys 10, 56 Sep 11 1995 /dev/gfx
> > crw-rw-rw- 2 root sys 0, 30 Sep 11 1995 /dev/keybd
> > crw-rw-rw- 2 root sys 0, 31 Sep 11 1995 /dev/mouse
> >
> > Does this mean that anybody can read/write to the graphics display, the
> > keyboard and the mouse?
>
> I expect it does. But note that there is also:
>
> crw-rw-rw- 1 root sys 39, 0 Mar 4 1994 /dev/audio
>
> which means that anyone can listen in to what is being said around your
> workstation.
>
> *ALL* such devices *SHOULD* have their ownership and permissions set to
> what is required by the Xstartup script (in /usr/lib/X11/xdm == /var/X11/xdm).
> They should also be reset to be owned by root (and not necessarily
> world-readable, otherwise you could snoop on the /dev/audio of a workstation
> which isn't being used) by the Xreset file.
>
> However, I haven't yet seen a workstation that has any device file
> configuring done in these two files. And it is not necessarily obvious which
> device files need to be changed, and what permission bits need to be set.
>
> Workstation vendors *SHOULD* add these parts themselves (they are the ones
> who really know which device does what). At the very least they could put them
> into an if clause which you have to edit to activate. But they *SHOULD* add
> the relevant code themselves.....
>
> I look forward to hearing whether any vendor actually does do this. I
> will be even more impressed if there is one which does it correctly (and
> adds/changes lines as new devices are added!!).
>
I recall that SunOS (and surely Solaris) set at least some of these correctly
using /etc/fbtab to be owned by the user who logs in to the console. I would
expect they aren't the only vendor doing this -- though I do recall Sun's fix
was only partial (but that's better than nothing).

Another guy around here and I recently sent HP a very long listing of all
stuff in the 10.01 install we felt had bad permission, including such problems
as the compiler group screwing up and having many compilers installed with
everything 777, kermit being setuid bin, plenty of world-writable device files
in /dev, etc. Supposedly it is making its way through to people who can do
something about things in HP, but I expect that we'll only see some, but not
all of those changes. HP-UX 10.10 was in FR3 a couple weeks ago, so none of
this will make it in that (other than maybe the 777 compiler stuff) but I
would expect (hope?) that I will see some of our fixes applied to 10.15 or
10.20 later this year.

We're planning on keeping after them on this; having to hunt for and fix these
things is annoying. I'd encourage others out there who may have some good
contacts within their respective vendors to do the same -- but only if you are
sure you know the difference between permissions that are set in a certain
way because they need to be, and ones that are just carelessness or simple
convenience or laziness. It wouldn't take more than a couple "fixes" being
suggested that break something before they'd probably dump the whole mess and
figure it's not worth the trouble. We tried to categorize ours into definite
problems, likely problems, and possible problems. Almost all aren't true
security holes, but having world-writable files in a system directory isn't
a good idea, IMHO, even if the worst they can do is fill up the partition in
which that file resides or hide that copy of the Linux source outside of
their quota until they get a chance to download it over the weekend.
--
Doug Siebert
dsiebert@icaen.uiowa.edu
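The thread describes two pieces of defensive housekeeping: auditing /dev for world-writable nodes like the /dev/gfx, /dev/keybd, /dev/mouse and /dev/audio entries quoted above, and the Xstartup/Xreset handoff that gives the console user exclusive ownership of those devices at login and returns them to root at logout. The following POSIX shell script is an added example written for this page; it is not from the original posts, from SGI, HP or Sun, and it is not an actual Xstartup or Xreset file. The function names, the list of device paths and the choice of mode 600 are this example's own assumptions; the audit function takes the directory as a parameter so it can be exercised against a scratch directory of ordinary files, since creating real device nodes needs root.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory for world-writable
# entries and emulate the xdm Xstartup/Xreset ownership handoff.
# Function names, device list and mode 600 are assumptions of this example.

# Print every world-writable entry under the given directory, one per line,
# sorted. -perm -002 is the POSIX spelling of "others have the write bit";
# symlinks are skipped because their mode is meaningless.
# Run against /dev on a workstation to reproduce the kind of listing the
# original poster found (crw-rw-rw- nodes).
audit_world_writable() {
    dir="$1"
    find "$dir" -perm -002 ! -type l 2>/dev/null | sort
}

# Xstartup-style grant: hand the console devices to the user who just logged
# in. Mode 600 (not 644) so other logged-in users cannot read them, which is
# the /dev/audio snooping concern raised in the thread.
grant_console_devices() {
    user="$1"; shift
    for dev in "$@"; do
        [ -e "$dev" ] || continue          # tolerate hosts without the device
        chown "$user" "$dev" && chmod 600 "$dev"
    done
}

# Xreset-style revoke: give the devices back to the system owner at logout
# (Xreset would pass "root" here) and keep them non-world-readable so an idle
# workstation's microphone is not open to everyone on the machine.
revoke_console_devices() {
    owner="$1"; shift
    for dev in "$@"; do
        [ -e "$dev" ] || continue
        chown "$owner" "$dev" && chmod 600 "$dev"
    done
}

# Device list assumed from the thread's Irix 5.3 listing; adjust per vendor.
CONSOLE_DEVICES="/dev/gfx /dev/keybd /dev/mouse /dev/audio"

# Stand-alone use: `sh devperm.sh /dev` prints the world-writable nodes.
if [ "$#" -gt 0 ]; then
    audit_world_writable "$1"
fi
```

In a real Xstartup the first argument is the login name xdm passes in `$USER`, and the same list must appear in Xreset, which is the "adds/changes lines as new devices are added" maintenance burden the quoted message complains about. Running the audit against /dev before and after login is a quick way to check that a vendor's scripts actually do the handoff.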