[Bug 552095] New: The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

bugzilla_noreply＠novell.com

3 Nov 2009 3 Nov '09

09:20

http://bugzilla.novell.com/show_bug.cgi?id=552095 Summary: The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user Classification: openSUSE Product: openSUSE 11.2 Version: RC 2 Platform: All OS/Version: openSUSE 11.2 Status: NEW Severity: Normal Priority: P5 - None Component: Basesystem AssignedTo: bnc-team-screening@forge.provo.novell.com ReportedBy: nice@titanic.nyme.hu QAContact: qa@suse.de Found By: --- User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; hu-HU; rv:1.9.1.3) Gecko/20090909 SUSE/3.5.3-3.2 Firefox/3.5.3 In earlier openSUSE releases the owner group of both /dev/ttyS* files and the directory /var/lock, was the uucp group. In 11.2 the group of /dev/ttyS* devices is dialout, but the owner group of /var/lock is root. This means that despite gaining access to serial ports by adding my user to to dialout group, I won't have write access to the directory /var/lock, which means that minicom won't be able to create a lock file, so I have to run it as root (or reconfigure minicom or modify the permissions of /var/lock). I assume /var/lock's owner group should be dialot, or - maybe an even better solution - should have a POSIX ACL, permitting the dialout group to create files in it, for example: setfacl -b /var/lock ; chown root:root /var/lock ; chmod 1775 /var/lock ; setfacl -m g:dialout:rwx /var/lock Please fix it if it's not a security hole. Reproducible: Always Steps to Reproduce: 1. Install openSUSE 11.2 on a machine with serial (a) port(s). 2. Add your user to the dialout group 3. Relogin 4. Start minicom Actual Results: It won't be able to start because it's unable to create a lock file. Expected Results: It should be able to start. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Show replies by date

bugzilla_noreply＠novell.com

17 Nov 17 Nov

06:17

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095#c shuang qiu changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |sqiu@novell.com AssignedTo|bnc-team-screening@forge.pr |ro@novell.com |ovo.novell.com | -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

18 Nov 18 Nov

01:10

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095#c1 Ruediger Oertel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Info Provider| |security-team@suse.de --- Comment #1 from Ruediger Oertel 2009-11-18 01:10:51 UTC --- any comment from sec team on this ? -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

07:51

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095#c2 Ludwig Nussel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW CC| |ro@novell.com, | |security-team@suse.de Info Provider|security-team@suse.de | AssignedTo|ro@novell.com |kasievers@novell.com --- Comment #2 from Ludwig Nussel 2009-11-18 07:51:15 UTC --- Why was ttyS0 changed from uucp to dialout? The dialout group actually was never used to access to serial ports on SUSE. It merely allowed to connect to smpppd to trigger pre-defined connections. Access to /var/lock likely has security implications as I seriously doubt that applications writing there are constructed to avoid symlink or tmp race style attacks. I'd rather change have the group of ttyS0 changed to root in order to avoid implicit suggestion to put users in any group. Wrt /var/lock there is no default solution. Resmgr solved it by having a service take care of the lock files but resmgr is no more. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12:41

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095#c3 --- Comment #3 from Kay Sievers 2009-11-18 12:41:56 UTC --- (In reply to comment #2)

...

Why was ttyS0 changed from uucp to dialout?

That's what most distros do these days, and a result of the synchronization of udev rules across most major Linux systems. uucp is no longer used in any default setup. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

16:26

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095#c4 Kay Sievers changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|kasievers@novell.com |lnussel@novell.com --- Comment #4 from Kay Sievers 2009-11-18 16:26:01 UTC --- Fedora has /var/lock/ owned by the group "lock". Debian/Ubuntu has is owned by the group "root" and world writable and +t. Please decide, if we want to change anything here by default. Udev (dialout) can not change without coordination across all synchronized distros, which is not likely to happen. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

19 Nov 19 Nov

08:17

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095 http://bugzilla.novell.com/show_bug.cgi?id=552095#c5 Ludwig Nussel changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|lnussel@novell.com |kasievers@novell.com --- Comment #5 from Ludwig Nussel 2009-11-19 08:17:57 UTC --- /var/lock is not a problem as long as it's not writeable by default. We can't use group dialout for ttyS* access on SUSE though. You can't just ignore the historical background. It's used for a different purpose here. Users were in that group by default previously. Now after updating to 11.2 they suddenly have write access to serial ports! So a sed s/dialout/root/ rules.d/* in udev's .spec is what's needed. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

20 Nov 20 Nov

00:03

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095 http://bugzilla.novell.com/show_bug.cgi?id=552095#c6 Kay Sievers changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |WONTFIX --- Comment #6 from Kay Sievers 2009-11-20 00:03:23 UTC --- No sorry, that is not going to change. The synchronization across distros is far more important than any possible historical access rights to legacy ports. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

25 Nov 25 Nov

13:28

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095 http://bugzilla.novell.com/show_bug.cgi?id=552095#c7 Roman Drahtmueller changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CLOSED |REOPENED CC| |draht@novell.com Resolution|WONTFIX | --- Comment #7 from Roman Drahtmueller 2009-11-25 13:28:02 UTC --- Reopening. The argument that something is not going to change because a coordination across distributions would be unlikely to happen does not fix our problem. There are two problems: /var/lock and /dev/ttyS* ownerships, and they are linked. group dialout on a serial device is too risky, as it invites malware dialler. This bug is about changing settings silently that have proven to provide a reasonable setup. Why can't this be addressed? -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

26 Nov 26 Nov

10:06

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095 http://bugzilla.novell.com/show_bug.cgi?id=552095#c8 Kay Sievers changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|kasievers@novell.com |bnc-team-screening@forge.pr | |ovo.novell.com --- Comment #8 from Kay Sievers 2009-11-26 10:06:25 UTC --- (In reply to comment #7)

...

Reopening. The argument that something is not going to change because a coordination across distributions would be unlikely to happen does not fix our problem.

Our problem is that /var/lock is not writable by any user, it's owned by root:root.

...

There are two problems: /var/lock and /dev/ttyS* ownerships, and they are linked. group dialout on a serial device is too risky, as it invites malware dialler.

I can not see any specific risk associated with it. Other stuff like ISDN uses "dialout" for the devices for ages.

...

This bug is about changing settings silently that have proven to provide a reasonable setup. Why can't this be addressed?

This bug is about /var/lock not writable by any user. Address it by introducing a group "lock" for /var/lock (Fedora), or make /var/lock world writable like /var/tmp (Debian/Ubuntu), that's the fix which is needed. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:47

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095 http://bugzilla.novell.com/show_bug.cgi?id=552095#c9 --- Comment #9 from Tamás Németh 2009-11-26 10:47:33 UTC --- (In reply to comment #8)

...

a group "lock" for /var/lock (Fedora), or make /var/lock world writable like /var/tmp (Debian/Ubuntu), that's the fix which is needed.

It was writeable by (and owned by) the group uucp up to openSUSE 11.1, and in addition it had the sticky bit like /tmp. What if you provide a similar solution with the group dialout instead of uucp (probably using posix acls)? Isn't it a security threat? I'm not a security expert. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11:08

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095 http://bugzilla.novell.com/show_bug.cgi?id=552095#c10 --- Comment #10 from Kay Sievers 2009-11-26 11:08:01 UTC --- Hmm, /var/lock is not really associated with serial-like ports, therefore, neither uucp or dialout should really be the primary owner. One of the two options in comment#4 is the better choice, I guess. Btw, the group "dialout" for serial-like devices will be standardized and become part of LSB, now that all distros synchronized the device naming and permissions. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

30 Nov 30 Nov

16:44

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095 http://bugzilla.novell.com/show_bug.cgi?id=552095#c11 Adam Jurkiewicz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |a.jurkiewicz@abix.info.pl --- Comment #11 from Adam Jurkiewicz 2009-11-30 16:44:46 UTC --- Group owner uucp of /var/lock was good, why to change it ? Btw, some applications, which uses ttyS, make locks in /var/lock, for example apps for Point of Sale, which use fiscal priinter with RS-232C. Adam -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

30 Dec 30 Dec

05:10

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095 http://bugzilla.novell.com/show_bug.cgi?id=552095#c yang xiaoyu changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |xyyang@novell.com AssignedTo|bnc-team-screening@forge.pr |bphilips@novell.com |ovo.novell.com | -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

4 Jan 4 Jan

23:37

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095 http://bugzilla.novell.com/show_bug.cgi?id=552095#c12 --- Comment #12 from Brandon Philips 2010-01-04 23:37:48 UTC --- Why did this get assigned to me? If someone is asking for my opinion +t for /var/lock makes the most sense to me. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

5 Jan 5 Jan

02:06

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095 http://bugzilla.novell.com/show_bug.cgi?id=552095#c13 --- Comment #13 from yang xiaoyu 2010-01-05 02:06:06 UTC --- (In reply to comment #12)

...

Why did this get assigned to me?

If someone is asking for my opinion +t for /var/lock makes the most sense to me.

sorry,I will reassign it. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

02:07

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095 http://bugzilla.novell.com/show_bug.cgi?id=552095#c yang xiaoyu changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|bphilips@novell.com |mmarek@novell.com -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:11

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095 http://bugzilla.novell.com/show_bug.cgi?id=552095#c14 Michal Marek changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|mmarek@novell.com |ro@novell.com --- Comment #14 from Michal Marek 2010-01-05 10:11:23 UTC --- If I understand it correctly, the problem is with /var/lock (filesystem) and /dev/ttyS* (udev) permissions, nothing I can do about. Reassigning to filesystem maintainer. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

7 Jan 7 Jan

10:02

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095 http://bugzilla.novell.com/show_bug.cgi?id=552095#c15 --- Comment #15 from Ludwig Nussel 2010-01-07 11:02:19 CET --- The problem is that udev changed group ownership of ttyS* without checking the actual implications for openSUSE. For 11.2 the fix is IMO to change udev back to use 'uucp'. We can't just change /var/lock to an arbitrary different group or world writable there. For the future (ie Factory) I plan to adopt the lockdev as used by Debian&Fedora. I've already contacted the maintainers in both distros since sources diverged over time as upstream was dead. Over the christmas holidays Roger Leigh of Debian now tried to establish a new upstream with mailinglist and git repo. https://features.opensuse.org/308360 -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

14 Feb 14 Feb

22:54

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095 http://bugzilla.novell.com/show_bug.cgi?id=552095#c16 Ruediger Oertel changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|ro@novell.com |lnussel@novell.com --- Comment #16 from Ruediger Oertel 2010-02-14 22:53:57 UTC --- ludwig: I'm pushing this over to you then ... -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

30 Apr 30 Apr

12:47

New subject: [Bug 552095] The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

http://bugzilla.novell.com/show_bug.cgi?id=552095 http://bugzilla.novell.com/show_bug.cgi?id=552095#c17 Ludwig Nussel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution| |FIXED --- Comment #17 from Ludwig Nussel 2010-04-30 14:47:21 CEST --- fixed for 11.3 by introducing lockdev. sr#39028 filed to add lockdev support to minicom -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

5117

Age (days ago)

5295

Last active (days ago)

List overview

Download

20 comments

1 participants

participants (1)

bugzilla_noreply＠novell.com

[Bug 552095] New: The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user

tags

participants (1)