Bug 180120 - net-dialup/minicom can be started by any user
Summary: net-dialup/minicom can be started by any user
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B3 [noglsa] jaervosz
Reported: 2007-05-28 14:59 UTC by Dmitry 'MAD' Artamonow
Modified: 2007-06-24 23:39 UTC
Description Dmitry 'MAD' Artamonow 2007-05-28 14:59:04 UTC
minicom in its default install can be started by any user and has access to serial ports, even if that user is not in the uucp group and doesn't normally have rights to read/write /dev/tty[SomePort].

That's because the setgid bit is set and the execute bit for everyone is set as well:

sunflower linux # ls -l /usr/bin/minicom 
-rwxr-s--x 1 root uucp 163880 May 28 14:29 /usr/bin/minicom

That's VERY BAD, because an evil user can run minicom and mess with some other computer connected via serial console, for example.

The way to fix:
chmod 2750 /usr/bin/minicom 

It seems this bug was introduced by an improper fix of bug #108088.

Reproducible: Always

Steps to Reproduce:
1. emerge minicom
2. useradd user
3. su - user
4. minicom
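As an added check (not part of this bug report or of the minicom ebuild), a POSIX shell function that flags the exact combination the report describes: setgid set together with world-execute, as in the -rwxr-s--x mode shown above, which is what lets any local user inherit the binary's group. It demonstrates on a constructed temporary file rather than on /usr/bin/minicom, and shows the mode before and after the proposed chmod 2750.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a file for the
# "setgid + world-executable" combination, i.e. a mode such as
# -rwxr-s--x, where every local user can run it with the file's group.

# Print the 10-character symbolic mode string (e.g. -rwxr-s--x) of a
# file. ls is used instead of stat so this works on both GNU and BSD
# userlands; cut drops any trailing ACL/SELinux marker ('+' or '.').
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 (true) if the file is setgid AND executable by "other".
# Character 7 is the group execute slot: 's' means setgid with exec,
# 'S' means setgid without exec. Character 10 is the other-execute slot.
is_sgid_world_exec() {
    m=$(mode_of "$1")
    case "$m" in
        ??????[sS]??x) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a one-word verdict so callers and tests can compare it.
audit_sgid() {
    if is_sgid_world_exec "$1"; then
        echo "EXPOSED"
    else
        echo "ok"
    fi
}

# Demonstration on a constructed temporary file, never on the real
# binary: reproduce the reported mode, then apply the report's fix.
demo() {
    tmp=$(mktemp) || return 1
    chmod 2751 "$tmp"              # -rwxr-s--x, as in the report
    before=$(audit_sgid "$tmp")
    chmod 2750 "$tmp"              # the fix proposed in the report
    after=$(audit_sgid "$tmp")
    rm -f "$tmp"
    echo "$before $after"
}
```

Running `demo` prints `EXPOSED ok`; pointing `audit_sgid` at real setgid binaries (for example via `find / -perm -2000 -type f`) gives the same verdict for each.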
Comment 1 Alin Năstac (RETIRED) gentoo-dev 2007-05-28 15:39:53 UTC
Since when does /dev/ttyS* have the uucp group? When bug #108088 was fixed, serial ports were created as root:tty.

Security team, please advise.
Comment 2 Alin Năstac (RETIRED) gentoo-dev 2007-05-28 16:31:21 UTC
@udev maintainers: The current udev version creates serial port devices with the uucp group. Is it going to be like this from now on?
If so, I must remove the sgid bit from minicom and install it with the root group.
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2007-05-28 17:39:17 UTC
(In reply to comment #2)
> @udev maintainers : Current udev version create serial port devices with uucp
> group. Is it going to be like this from now on?

Yes, see Bug 108249
Comment 4 Alin Năstac (RETIRED) gentoo-dev 2007-05-28 18:41:13 UTC
Fixed in minicom-2.2-r1. The only change I made was to remove the following code from src_install:
        # minicom must be uucp sgided is needed for being able to
        # lock serial ports when run as simple user
        fowners root:uucp /usr/bin/minicom
        fperms g+s /usr/bin/minicom


@arch teams: Please mark it stable.

@security team: Since minicom is a widely used terminal, I highly recommend that you issue a GLSA for it.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2007-05-29 02:10:41 UTC
Stable for HPPA.
Comment 6 Emanuele Gentili 2007-05-29 03:27:04 UTC
Stable for x86.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2007-05-29 06:01:17 UTC
ppc stable
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2007-05-29 06:05:16 UTC
(In reply to comment #6)
> Stable for x86.

I don't know what you are intending, but please leave the CC field alone when you don't know what you are doing.
Comment 9 Brent Baude (RETIRED) gentoo-dev 2007-05-29 13:52:34 UTC
ppc64 stable
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-29 19:35:42 UTC
sparc stable.
Comment 11 Peter Weller (RETIRED) gentoo-dev 2007-05-30 20:49:46 UTC
Stable on amd64.
@PPC64 - minicom-2.2-r1 still seems to be ~ppc64 - is this your intention? (Sorry for the bugspam if this was in fact your intention...)
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2007-05-31 11:04:51 UTC
x86 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2007-06-01 15:35:25 UTC
ia64 stable
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2007-06-08 10:07:27 UTC
alpha stable
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-09 17:30:10 UTC
voting NO.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-09 19:23:04 UTC
I tend to vote NO as well.
Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-09 20:48:37 UTC
no too. Closing. Feel free to reopen if you disagree
Comment 18 Joshua Kinard gentoo-dev 2007-06-10 04:52:45 UTC
mips stable.