On Fri, Jun 11, 1999 at 11:29:42AM -0600, Scott Wunsch wrote:
> > This is not sufficient when using rxvt and apparently several other
> > xterm-a-likes. By default rxvt overrides the gid with the user's gid
> > and changes the permissions to 622, even if the permissions specified
> > in fstab are more restrictive than 622. The solution with rxvt is to
> > pass --enable-ttygid to the configure script.
>
> I've been playing with this, and --enable-ttygid isn't enough either. It looks
> like rxvt has to be suid root in order to set the gid on the tty. Mortals
> can't do it:
>
> [scott@pytheas] ~$ chgrp tty /dev/pts/1
> chgrp: you are not a member of group `tty': Operation not permitted
>
> So which one is the bigger security risk? Suid root xterms or world-writable
> pseudottys?

Sorry to respond a few days late, but it just occurred to me what you
are missing here. My rxvt is not suid or sgid, because /dev/pts is
mounted with tty as the default group, which was mentioned earlier as
being part of the solution:

none /dev/pts devpts gid=5,mode=620 0 0

On my system gid 5 is tty. So, if you do that and use the
--enable-ttygid switch when you build rxvt, you have no world-writable
pseudottys and rxvt has no special privileges. Sounds to me like that
is as good as it gets.

Brian
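
An audit of the setup described in the message above, as an added example that is not part of the original thread: it checks fstab/mounts-format lines for a devpts entry whose mode is not world-writable and whose gid is the tty group, and lists pty nodes that are world-writable anyway. The function names are hypothetical, and the tty gid is passed in as an argument (5 on the poster's system).

```shell
# Added example: audit devpts mount options and live pty permissions.

# audit_devpts_line LINE TTY_GID -> prints verdict; 0 ok, 1 weak, 2 skipped
audit_devpts_line() {
    line=$1 want_gid=$2 gid="" mode=""
    case $line in "#"*) echo skip; return 2 ;; esac
    set -f                       # no globbing while word-splitting
    set -- $line                 # device mountpoint fstype options ...
    fstype=$3 opts=$4
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            gid=*)  gid=${o#gid=} ;;
            mode=*) mode=${o#mode=} ;;
        esac
    done
    IFS=$old_ifs; set +f
    [ "$fstype" = devpts ] || { echo skip; return 2; }
    case $mode in
        ""|*[!0-7]*) echo "weak: mode= missing or not octal"; return 1 ;;
    esac
    if [ $(( 0$mode & 2 )) -ne 0 ]; then      # octal 002 = world write bit
        echo "weak: mode=$mode is world-writable"; return 1
    fi
    if [ "$gid" != "$want_gid" ]; then
        echo "weak: gid=${gid:-unset}, expected tty gid $want_gid"; return 1
    fi
    echo "ok: gid=$gid mode=$mode"
}

# audit_devpts_stream TTY_GID < fstab-or-mounts; returns 1 if any entry is weak
audit_devpts_stream() {
    bad=0
    while IFS= read -r l; do
        v=$(audit_devpts_line "$l" "$1") || [ $? -eq 2 ] || bad=1
        [ "$v" = skip ] || echo "$v"
    done
    return $bad
}

# Pty nodes a terminal emulator left world-writable despite the mount options.
list_world_writable_ptys() {
    find "${1:-/dev/pts}" -type c -perm -0002 2>/dev/null
}

# Constructed sample input; the first line is the fstab entry from the message.
sample_fstab() {
    printf '%s\n' 'none /dev/pts devpts gid=5,mode=620 0 0' \
        'none /dev/pts devpts mode=622 0 0' '/dev/hda1 / ext2 defaults 1 1'
}
```

Run `sample_fstab | audit_devpts_stream 5` to see the verdicts for the constructed lines, or feed it `/etc/fstab` with the local tty gid; `list_world_writable_ptys` catches the rxvt 622 case that the mount options alone do not prevent.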