Bugtraq mailing list archives
Re: Securax Advisory 13
From: Jarno Huuskonen <jhuuskon () MESSI UKU FI>
Date: Wed, 3 Jan 2001 23:10:44 +0200
On Wed, Jan 03, teleh0r wrote:
The problem is the way that the telnet daemon assigns a new user a terminal - when a user is telling the telnetd who he is, and what his password is, his terminal will be awaiting in /dev/pts/ and writable by anyone. As soon as he has logged in, it will not.
It's the /bin/login (from util-linux package) that sets the /dev/pts/? to mode 0622. (I think that when telnetd creates the tty in /dev/pts it's created with gid=5,mode=0620 (or how you have mounted /dev/pts)). Here's the code from util-linux-2.10f/login-utils/login.c if((chown(ttyn, 0, 0) == 0) && (chmod(ttyn, 0622) == 0)) { tcsetattr(0,TCSAFLUSH,&ttt); signal(SIGHUP, SIG_IGN); /* so vhangup() wont kill us */ vhangup(); signal(SIGHUP, SIG_DFL); } Can somebody explain why on earth the tty mode is set to 0622 during authentication (instead of 0600 or something similar) ? What's going to break if I patch the chmod call to 0600 (at least telnetd seems to work) ? -Jarno PS. At least AIX 4.3.3 seems to set the /dev/pts/? to: c--------- 1 root system 28, 3 Jan 03 23:06 3 during telnet auth. -- Jarno Huuskonen - System Administrator | Jarno.Huuskonen () uku fi University of Kuopio - Computer Centre | Work: +358 17 162822 PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169
Current thread:
- Securax Advisory 13 incubus (Jan 02)
- Re: Securax Advisory 13 Fyodor (Jan 02)
- Re: Securax Advisory 13 Michal Zalewski (Jan 02)
- Re: Securax Advisory 13 Arturo Busleiman (Jan 03)
- <Possible follow-ups>
- Re: Securax Advisory 13 teleh0r (Jan 03)
- Re: Securax Advisory 13 Jarno Huuskonen (Jan 03)