minicom in its default install can be started by any user and have access to serial ports, even if that user is not in the uucp group and doesn't have rights to read/write to /dev/tty[SomePort] normally. That's because the setgid bit is set and the execute bit for everyone is also set:

sunflower linux # ls -l /usr/bin/minicom
-rwxr-s--x 1 root uucp 163880 May 28 14:29 /usr/bin/minicom

That's VERY BAD, because an evil user can run minicom and mess with some other computer connected via serial console, for example.

The way to fix:

chmod 2750 /usr/bin/minicom

Seems this bug was introduced by improper fixing of bug #108088

Reproducible: Always

Steps to Reproduce:
1. emerge minicom
2. useradd user
3. su - user
4. minicom
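The permission state in the report above (-rwxr-s--x, i.e. mode 2751) compared with the proposed 2750, as an added example that is not part of the original bug report: a shell check that lists setgid files and flags those that everyone may execute. The function names are hypothetical, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the bug report): audit setgid executables.

# classify_mode MODE
#   MODE is an octal permission string as printed by `stat -c %a`.
#   Prints one of:
#     exposed    - setgid and executable by "other" (e.g. 2751, the reported state)
#     restricted - setgid, but not executable by "other" (e.g. 2750, the proposed fix)
#     plain      - no setgid bit at all
classify_mode() {
    mode=$((0$1))                          # leading 0 forces octal interpretation
    if [ $((mode & 02000)) -eq 0 ]; then
        echo plain
    elif [ $((mode & 00001)) -ne 0 ]; then
        echo exposed
    else
        echo restricted
    fi
}

# audit_sgid DIR...
#   Lists every setgid regular file under the given directories as
#   verdict <TAB> mode <TAB> group <TAB> path
#   so the group whose rights are being handed out is visible next to the verdict.
audit_sgid() {
    find "$@" -xdev -type f -perm -2000 -exec stat -c '%a %G %n' {} + 2>/dev/null |
    while read -r mode group path; do
        printf '%s\t%s\t%s\t%s\n' "$(classify_mode "$mode")" "$mode" "$group" "$path"
    done
}

# When run as a script with directory arguments, audit them:
#   sh audit.sh /usr/bin /usr/sbin
if [ "$#" -gt 0 ]; then
    audit_sgid "$@"
fi
```

An "exposed" line whose group also owns device nodes (uucp on the serial ports in this report) means every local user effectively holds that group's access through the binary.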
Since when do /dev/ttyS* have the uucp group? When bug #108088 was fixed, serial ports were created with root:tty. Security team, please advise.
@udev maintainers: The current udev version creates serial port devices with the uucp group. Is it going to be like this from now on? If so, I must remove the sgid bit from minicom and install it with the root group.
(In reply to comment #2)
> @udev maintainers : Current udev version create serial port devices with uucp
> group. Is it going to be like this from now on?

Yes, see Bug 108249
Fixed in minicom-2.2-r1. The only change I made was to remove the following code from src_install:

# minicom must be uucp sgided is needed for being able to
# lock serial ports when run as simple user
fowners root:uucp /usr/bin/minicom
fperms g+s /usr/bin/minicom

@arch teams: Please mark it stable.

@security team: Since minicom is a widely used terminal, I highly recommend you to issue a GLSA for it.
Stable for HPPA.
Stable for x86.
ppc stable
(In reply to comment #6)
> Stable for x86.

I don't know what you are intending, but please leave the CC field alone when you don't know what you are doing.
ppc64 stable
sparc stable.
Stable on amd64. @PPC64 - minicom-2.2-r1 still seems to be ~ppc64 - is this your intention? (Sorry for the bugspam if this was in fact your intention...)
x86 stable
ia64 stable
alpha stable
voting NO.
I tend to vote NO as well.
No too. Closing. Feel free to reopen if you disagree.
mips stable.