Bugzilla – Bug 552095
The owner group of /var/lock is root instead of the owner group of /dev/ttyS* -> minicom cannot be run as normal user
Last modified: 2010-04-30 12:47:21 UTC
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; hu-HU; rv:1.9.1.3) Gecko/20090909 SUSE/3.5.3-3.2 Firefox/3.5.3

In earlier openSUSE releases the owner group of both the /dev/ttyS* files and the directory /var/lock was the uucp group. In 11.2 the group of the /dev/ttyS* devices is dialout, but the owner group of /var/lock is root. This means that despite gaining access to serial ports by adding my user to the dialout group, I won't have write access to the directory /var/lock, which means that minicom won't be able to create a lock file, so I have to run it as root (or reconfigure minicom or modify the permissions of /var/lock).

I assume /var/lock's owner group should be dialout, or - maybe an even better solution - it should have a POSIX ACL permitting the dialout group to create files in it, for example:

    setfacl -b /var/lock ; chown root:root /var/lock ; chmod 1775 /var/lock ; setfacl -m g:dialout:rwx /var/lock

Please fix it if it's not a security hole.

Reproducible: Always

Steps to Reproduce:
1. Install openSUSE 11.2 on a machine with (a) serial port(s).
2. Add your user to the dialout group
3. Relogin
4. Start minicom

Actual Results:
It won't be able to start because it's unable to create a lock file.

Expected Results:
It should be able to start.
Any comment from sec team on this?
Why was ttyS0 changed from uucp to dialout? The dialout group actually was never used to access serial ports on SUSE. It merely allowed to connect to smpppd to trigger pre-defined connections.

Access to /var/lock likely has security implications as I seriously doubt that applications writing there are constructed to avoid symlink or tmp race style attacks. I'd rather have the group of ttyS0 changed to root in order to avoid implicit suggestion to put users in any group.

Wrt /var/lock there is no default solution. Resmgr solved it by having a service take care of the lock files but resmgr is no more.
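The symlink and race concern raised in the comment above, illustrated with an added example (not part of the original thread, and not minicom's or lockdev's code): a routine that creates LCK..<device> with O_CREAT|O_EXCL so a planted symlink is never followed, writes the PID in the ten-character format the FHS specifies for device lock files, and refuses to touch anything it cannot read as a lock. The function names and the lock_dir parameter are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Read the owner PID from an HDB-format lock file; -1 if unreadable. */
static pid_t lock_owner(const char *path)
{
    char buf[16] = {0};
    int fd = open(path, O_RDONLY | O_NOFOLLOW); /* never read through a symlink */
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n > 0 ? (pid_t)atol(buf) : -1;
}

/* Take LCK..<dev> in lock_dir (a stand-in for /var/lock; names are assumptions).
 * Returns 0 on success, 1 if a live process holds it, -1 on error,
 * including a symlink or unreadable file found at the lock path. */
int acquire_lock(const char *lock_dir, const char *dev)
{
    char path[4096], line[16];
    snprintf(path, sizeof path, "%s/LCK..%s", lock_dir, dev);
    for (int attempt = 0; attempt < 2; attempt++) {
        /* O_CREAT|O_EXCL fails with EEXIST on any existing name, symlinks included. */
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
        if (fd >= 0) {
            int len = snprintf(line, sizeof line, "%10d\n", (int)getpid());
            int ok = write(fd, line, len) == len;
            close(fd);
            return ok ? 0 : -1;
        }
        if (errno != EEXIST)
            return -1;
        pid_t owner = lock_owner(path);
        if (owner <= 0)
            return -1; /* symlink or garbage: refuse rather than "clean up" */
        if (kill(owner, 0) == 0 || errno == EPERM)
            return 1; /* owner is alive */
        unlink(path); /* stale lock: remove and retry once (this step is still racy) */
    }
    return -1;
}
```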
(In reply to comment #2)
> Why was ttyS0 changed from uucp to dialout?

That's what most distros do these days, and a result of the synchronization of udev rules across most major Linux systems. uucp is no longer used in any default setup.
Fedora has /var/lock/ owned by the group "lock". Debian/Ubuntu has it owned by the group "root" and world writable and +t. Please decide if we want to change anything here by default. Udev (dialout) can not change without coordination across all synchronized distros, which is not likely to happen.
/var/lock is not a problem as long as it's not writeable by default. We can't use group dialout for ttyS* access on SUSE though. You can't just ignore the historical background. It's used for a different purpose here. Users were in that group by default previously. Now after updating to 11.2 they suddenly have write access to serial ports! So a sed s/dialout/root/ rules.d/* in udev's .spec is what's needed.
No, sorry, that is not going to change. The synchronization across distros is far more important than any possible historical access rights to legacy ports.
Reopening. The argument that something is not going to change because a coordination across distributions would be unlikely to happen does not fix our problem. There are two problems: /var/lock and /dev/ttyS* ownerships, and they are linked. group dialout on a serial device is too risky, as it invites malware dialler. This bug is about changing settings silently that have proven to provide a reasonable setup. Why can't this be addressed?
(In reply to comment #7)
> Reopening.
> The argument that something is not going to change because a coordination
> across distributions would be unlikely to happen does not fix our problem.

Our problem is that /var/lock is not writable by any user, it's owned by root:root.

> There are two problems: /var/lock and /dev/ttyS* ownerships, and they are
> linked. group dialout on a serial device is too risky, as it invites malware
> dialler.

I can not see any specific risk associated with it. Other stuff like ISDN uses "dialout" for the devices for ages.

> This bug is about changing settings silently that have proven to provide a
> reasonable setup. Why can't this be addressed?

This bug is about /var/lock not writable by any user. Address it by introducing a group "lock" for /var/lock (Fedora), or make /var/lock world writable like /var/tmp (Debian/Ubuntu), that's the fix which is needed.
(In reply to comment #8)
> a group "lock" for /var/lock (Fedora), or make /var/lock world writable like
> /var/tmp (Debian/Ubuntu), that's the fix which is needed.

It was writeable by (and owned by) the group uucp up to openSUSE 11.1, and in addition it had the sticky bit like /tmp. What if you provide a similar solution with the group dialout instead of uucp (probably using posix acls)? Isn't it a security threat? I'm not a security expert.
Hmm, /var/lock is not really associated with serial-like ports, therefore, neither uucp nor dialout should really be the primary owner. One of the two options in comment#4 is the better choice, I guess. Btw, the group "dialout" for serial-like devices will be standardized and become part of LSB, now that all distros synchronized the device naming and permissions.
Group owner uucp of /var/lock was good, why change it? Btw, some applications which use ttyS make locks in /var/lock, for example apps for Point of Sale, which use a fiscal printer with RS-232C.

Adam
Why did this get assigned to me? If someone is asking for my opinion +t for /var/lock makes the most sense to me.
(In reply to comment #12)
> Why did this get assigned to me?
>
> If someone is asking for my opinion +t for /var/lock makes the most sense to
> me.

Sorry, I will reassign it.
If I understand it correctly, the problem is with /var/lock (filesystem) and /dev/ttyS* (udev) permissions, nothing I can do about it. Reassigning to filesystem maintainer.
The problem is that udev changed group ownership of ttyS* without checking the actual implications for openSUSE. For 11.2 the fix is IMO to change udev back to use 'uucp'. We can't just change /var/lock to an arbitrary different group or world writable there.

For the future (i.e. Factory) I plan to adopt lockdev as used by Debian & Fedora. I've already contacted the maintainers in both distros since sources diverged over time as upstream was dead. Over the Christmas holidays Roger Leigh of Debian now tried to establish a new upstream with mailing list and git repo.

https://features.opensuse.org/308360
ludwig: I'm pushing this over to you then ...
fixed for 11.3 by introducing lockdev. sr#39028 filed to add lockdev support to minicom