Bug 17738 - sys-apps/baselayout: /var/lock permissions too tight for normal user serial port access, or unclear documentation
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Reported: 2003-03-17 23:16 UTC by Samuel Greenfeld
Modified: 2003-04-06 11:20 UTC
Description Samuel Greenfeld 2003-03-17 23:16:09 UTC
The permissions for the /var/lock directory on my Gentoo 1.4 (pretty current)
installation are set too tightly for some applications to work properly as
non-root users.  The permissions by default are 0770 root/uucp.

   This causes serial port accessing applications to fail, as most expect to
note a serial port is in use in /var/lock.  It seems that devfs is smart enough
to set the serial ports to permissions I can use them with as a non-root user
upon console login.  But since most serial port utilizing apps expect to have
access to /var/lock , they get confused when they cannot secure a lockfile. 
Hence, they may refuse to open a serial port even when they otherwise can.

   Yes, if set to 1777 (like Slackware 8.1 has it), /var/lock becomes a
potential place for users to hide their files as another tmp file directory. 
But assigning users to group uucp is an odd solution too, and one I think
actually is unsafe if you do use uucp. 

   The alternate solution: Make all serial-port utilizing applications setgid
uucp.  For some reason I keep thinking Slackware and others actually abandoned
this approach for some reason.

Reproducible: Always
Steps to Reproduce:
1. Run an application (kde-base/kdepim's kandy, net-dialup/minicom, etc.) that
expects to access a serial port as a non-root user from the console (or an X
server started from the console).  "ls -l /dev/tts/*" should show you have
access to all serial ports on your computer.

2. The application may report it is unable to open the serial port.  If it is
smarter than that (like minicom is), it will tell you the lockfile cannot be
secured.  What the application is trying to do is write a /var/lock/LCK..#
lockfile to tell other applications to leave the serial port alone.  If a user
is not root or in group uucp, they presently cannot do so.
Actual Results:  
Applications fail to access serial port, because they cannot make a lock file to
secure said port.

Expected Results:  
Applications should have been able to write a lockfile to /var/lock to mark what
they are using so other applications leave the serial port in use alone.

   sys-apps/baselayout installed.

   It is not known if any other applications that are not serial port related
really want access to the /var/lock directory, but cannot secure it.
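
The trade-off described in this report, as an added example that is not part of the original report or of baselayout: it evaluates who can create a lockfile under 0770 root/uucp versus 1777, and creates a `LCK..<device>` file the way a serial application does. The uid/gid numbers (uucp as gid 14, user 1000) are constructed sample values, and the ten-character PID body follows the FHS lockfile convention rather than anything stated on this page.

```python
import os
import stat

def dir_allows_create(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix check: creating a file needs write+search (w and x) on the
    directory, taken from the first matching class (owner, group, other)."""
    if uid == 0:
        return True
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    return (mode >> shift) & 0o3 == 0o3

def assess(mode, owner_uid, owner_gid, uid, gids):
    """Summarise what a given lock directory mode means for one user."""
    return {
        "can_lock": dir_allows_create(mode, owner_uid, owner_gid, uid, gids),
        # World-writable makes the directory a second /tmp for every user.
        "world_writable": bool(mode & stat.S_IWOTH),
        # Sticky bit: users can only delete or rename their own lockfiles.
        "sticky": bool(mode & stat.S_ISVTX),
    }

def acquire_lock(lock_dir, device):
    """Atomically create LCK..<device>; return its path, or None if the port is
    already locked. PermissionError propagates when the directory is not
    writable, which is the failure the applications in this report hit."""
    path = os.path.join(lock_dir, "LCK.." + device)
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o644)
    except FileExistsError:
        return None
    with os.fdopen(fd, "w") as f:
        f.write("%10d\n" % os.getpid())  # FHS: ten-char ASCII PID plus newline
    return path

if __name__ == "__main__":
    ROOT, UUCP_GID, USER = 0, 14, 1000  # constructed sample ids
    cases = [
        ("0770 root/uucp, plain user", 0o770, {1000}),
        ("0770 root/uucp, user in uucp", 0o770, {1000, UUCP_GID}),
        ("1777, plain user", 0o1777, {1000}),
    ]
    for label, mode, gids in cases:
        print(label, assess(mode, ROOT, UUCP_GID, USER, gids))
```
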
Comment 1 Martin Schlemmer (RETIRED) gentoo-dev 2003-03-18 13:32:18 UTC
My opinion is that this is a choice up to the administrator.  Default setup
is secure, but if the admin wants to open it ....
Comment 2 Martin Schlemmer (RETIRED) gentoo-dev 2003-04-06 11:20:14 UTC
Like I said ... it's up to the admin.