Bugtraq mailing list archives

Re: Securax Advisory 13


From: Jarno Huuskonen <jhuuskon () MESSI UKU FI>
Date: Wed, 3 Jan 2001 23:10:44 +0200

On Wed, Jan 03, teleh0r wrote:
> The problem is the way that the telnet daemon assigns a new user
> a terminal - when a user is telling the telnetd who he is, and
> what his password is, his terminal will be awaiting in /dev/pts/
> and writable by anyone. As soon as he has logged in, it will not.

It's the /bin/login (from util-linux package) that sets the /dev/pts/?
to mode 0622. (I think that when telnetd creates the tty in /dev/pts it's
created with gid=5,mode=0620 (or how you have mounted /dev/pts)).

Here's the code from util-linux-2.10f/login-utils/login.c

  if((chown(ttyn, 0, 0) == 0) && (chmod(ttyn, 0622) == 0)) {
      tcsetattr(0,TCSAFLUSH,&ttt);
      signal(SIGHUP, SIG_IGN); /* so vhangup() wont kill us */
      vhangup();
      signal(SIGHUP, SIG_DFL);
  }

Can somebody explain why on earth the tty mode is set to 0622 during
authentication (instead of 0600 or something similar)?
What's going to break if I patch the chmod call to 0600 (at least telnetd
seems to work)?

-Jarno

PS. At least AIX 4.3.3 seems to set the /dev/pts/? to:
    c---------   1 root     system    28,  3 Jan 03 23:06 3
    during telnet auth.

--
Jarno Huuskonen - System Administrator   |  Jarno.Huuskonen () uku fi
University of Kuopio - Computer Centre   |  Work:   +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland       |  Mobile: +358 40 5388169

