Re: RH 6.1 / 6.2 minicom vulnerability

[Sylvain Robitaille <syl () ALCOR CONCORDIA CA>]

Ben Lull wrote:

> ... Yep Slackware (7.x) too using minicom 1.82 and 1.82.1

Just for the record, I checked with Slackware-4, which also has
minicom-1.82, (but I've already changed mine to be setgid "modem" so it
has only permission to write to the modem device).

One thing Ben's example didn't show is confirmation that this problem
follows symlinks on his system, and creates the file accoring to the
umask, which I've found to be the case on mine:

  : charlotte[syl] ~; ln -s /tmp/foo .
  : charlotte[syl] ~; ( umask 2 ; minicom -C foo )
  minicom: cannot open /dev/ttyS1: Permission denied
  : charlotte[syl] ~; ls -l /tmp/foo
  -rw-rw-r--   1 syl      modem           0 Aug 29 20:44 /tmp/foo

Lessons learned:

- don't install UUCP commands unless you actually need them, (and most
  people really don't anymore. If you install UUCP commands, *know* what
  other programs will run with the same privileges.
- go through your system after installation and reduce permissions to
  only what's required.  There's nothing on my system that would be
  writable to group modem, except of course the modem device.

--
----------------------------------------------------------------------
Sylvain Robitaille                              syl () alcor concordia ca

Systems analyst                                   Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------