[Bug 552095] New: The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user
http://bugzilla.novell.com/show_bug.cgi?id=552095

Summary: The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user
Classification: openSUSE
Product: openSUSE 11.2
Version: RC 2
Platform: All
OS/Version: openSUSE 11.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: nice@titanic.nyme.hu
QAContact: qa@suse.de
Found By: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; hu-HU; rv:1.9.1.3) Gecko/20090909 SUSE/3.5.3-3.2 Firefox/3.5.3

In earlier openSUSE releases the owner group of both the /dev/ttyS* files and the directory /var/lock was the uucp group. In 11.2 the group of the /dev/ttyS* devices is dialout, but the owner group of /var/lock is root. This means that despite gaining access to the serial ports by adding my user to the dialout group, I won't have write access to the directory /var/lock, which means that minicom won't be able to create a lock file, so I have to run it as root (or reconfigure minicom, or modify the permissions of /var/lock).

I assume /var/lock's owner group should be dialout, or - maybe an even better solution - it should have a POSIX ACL permitting the dialout group to create files in it, for example:

setfacl -b /var/lock ; chown root:root /var/lock ; chmod 1775 /var/lock ; setfacl -m g:dialout:rwx /var/lock

Please fix it if it's not a security hole.

Reproducible: Always

Steps to Reproduce:
1. Install openSUSE 11.2 on a machine with a serial port (or ports).
2. Add your user to the dialout group
3. Relogin
4. Start minicom

Actual Results: It won't be able to start because it's unable to create a lock file.

Expected Results: It should be able to start.

-- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
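The failure in the report is minicom being unable to create its lock file. The following POSIX sh script is an added example, not code from minicom or openSUSE: it implements the HDB UUCP style device lock convention that programs like minicom use under /var/lock (a file named LCK..<device basename> holding the owner's PID as a ten-character decimal number plus a newline, the FHS convention) and shows what happens when the lock directory is not writable. The lock directory is a parameter so the functions can be exercised against a temporary directory; the return codes, the stale-lock reclaim logic and the "demo" argument are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from minicom or openSUSE.
# HDB UUCP style device locking as used under /var/lock: the lock file is
# LCK..<device basename> and holds the owner's PID as a ten-character
# decimal number followed by a newline (the FHS convention). LOCKDIR is a
# parameter so the functions can be tried against a temporary directory.
# Return codes and the stale-lock reclaim logic are this example's own.

# lock_path LOCKDIR DEVICE -> prints the lock file path for DEVICE
lock_path() {
    printf '%s/LCK..%s\n' "$1" "$(basename "$2")"
}

# lock_owner LOCKFILE -> prints the PID recorded in LOCKFILE (fails if absent)
lock_owner() {
    [ -r "$1" ] || return 1
    tr -d ' \n' < "$1"
}

# acquire_lock LOCKDIR DEVICE [PID]
# 0: lock now held by PID; 1: held by another live process;
# 2: lock directory missing or not writable (the situation in this report).
acquire_lock() {
    lock=$(lock_path "$1" "$2")
    pid=${3:-$$}
    [ -d "$1" ] && [ -w "$1" ] || return 2
    if [ -e "$lock" ]; then
        owner=$(lock_owner "$lock")
        case $owner in
            *[!0-9]*|'') owner=0 ;;   # unparsable contents: never treat as live
        esac
        # A live owner keeps the lock; a dead one (minicom killed, reboot
        # without cleaning /var/lock) left a stale file that may be reclaimed.
        if [ "$owner" -gt 0 ] && kill -0 "$owner" 2>/dev/null; then
            return 1
        fi
        rm -f "$lock"
    fi
    # noclobber turns "create only if absent" into one open() with O_EXCL,
    # so two racing callers cannot both end up believing they own the lock.
    ( set -C; printf '%10d\n' "$pid" > "$lock" ) 2>/dev/null || return 1
}

# release_lock LOCKDIR DEVICE [PID] -> removes the lock only if PID owns it
release_lock() {
    lock=$(lock_path "$1" "$2")
    [ "$(lock_owner "$lock")" = "${3:-$$}" ] || return 1
    rm -f "$lock"
}

# Usage: sh <this script> demo   (exercises the protocol in a temporary dir)
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    acquire_lock "$d" /dev/ttyS0 && echo "locked by PID $(cat "$d/LCK..ttyS0")"
    acquire_lock "$d" /dev/ttyS0 || echo "second acquire refused, rc=$?"
    release_lock "$d" /dev/ttyS0 && echo "released"
    rm -rf "$d"
fi
```

Two points the script makes concrete. First, `acquire_lock` fails with rc 2 before touching anything when the directory is not writable, which for a root:root 755 /var/lock is every non-root user regardless of dialout membership; the reporter's ACL, a group-owned 1775 directory, or a world-writable 1777 one all make the `-w` test pass. Second, the sticky bit matters because the stale-lock branch deletes the existing file: without +t, any user with write access to the directory can remove another user's lock (and `kill -0` returns EPERM for another user's live process, so it would be judged stale), whereas with +t the `rm -f` fails for a foreign lock and the subsequent noclobber create fails, so the caller correctly gets rc 1.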
--- Comment #1 from Ruediger Oertel

--- Comment #2 from Ludwig Nussel

--- Comment #3 from Kay Sievers
> Why was ttyS0 changed from uucp to dialout?

That's what most distros do these days, and a result of the synchronization of udev rules across most major Linux systems. uucp is no longer used in any default setup.
--- Comment #4 from Kay Sievers

--- Comment #5 from Ludwig Nussel

--- Comment #6 from Kay Sievers

--- Comment #7 from Roman Drahtmueller

--- Comment #8 from Kay Sievers
> Reopening. The argument that something is not going to change because a coordination across distributions would be unlikely to happen does not fix our problem.

Our problem is that /var/lock is not writable by any user; it's owned by root:root.

> There are two problems: /var/lock and /dev/ttyS* ownerships, and they are linked. Group dialout on a serial device is too risky, as it invites malware diallers.

I cannot see any specific risk associated with it. Other stuff like ISDN has used "dialout" for the devices for ages.

> This bug is about changing settings silently that have proven to provide a reasonable setup. Why can't this be addressed?

This bug is about /var/lock not being writable by any user. Address it by introducing a group "lock" for /var/lock (Fedora), or make /var/lock world writable like /var/tmp (Debian/Ubuntu); that's the fix which is needed.
--- Comment #9 from Tamás Németh

> a group "lock" for /var/lock (Fedora), or make /var/lock world writable like /var/tmp (Debian/Ubuntu), that's the fix which is needed.

It was writable by (and owned by) the group uucp up to openSUSE 11.1, and in addition it had the sticky bit like /tmp. What if you provide a similar solution with the group dialout instead of uucp (probably using POSIX ACLs)? Isn't it a security threat? I'm not a security expert.
--- Comment #10 from Kay Sievers
--- Comment #11 from Adam Jurkiewicz

--- Comment #12 from Brandon Philips

--- Comment #13 from yang xiaoyu
> Why did this get assigned to me?
>
> If someone is asking for my opinion, +t for /var/lock makes the most sense to me.

Sorry, I will reassign it.
--- Comment #14 from Michal Marek

--- Comment #15 from Ludwig Nussel

--- Comment #16 from Ruediger Oertel

--- Comment #17 from Ludwig Nussel