Date:      Mon, 13 Oct 2008 18:23:01 -0300
From:      "Carlos A. M. dos Santos" <unixmania@gmail.com>
To:        "Edwin Groothuis" <edwin@mavetju.org>
Cc:        Jeremy Chadwick <koitsu@freebsd.org>, freebsd-stable@freebsd.org, Jeff Blank <jb000002@mr-happy.com>
Subject:   Re: can't see non-root writes to /dev/console
Message-ID:  <e71790db0810131423u5c19bcadi5dd8f6b6fcff2597@mail.gmail.com>
In-Reply-To: <20081013210520.GA71471@mavetju.org>
References:  <20080910203445.GA8561@mr-happy.com> <e71790db0809101854k1b9d75dck2efb3fee8ee67826@mail.gmail.com> <e71790db0810122216n54593f5dn577b148496e1e2ee@mail.gmail.com> <20081013052353.GA10013@icarus.home.lan> <20081013210520.GA71471@mavetju.org>

On Mon, Oct 13, 2008 at 6:05 PM, Edwin Groothuis <edwin@mavetju.org> wrote:
> On Sun, Oct 12, 2008 at 10:23:53PM -0700, Jeremy Chadwick wrote:
>> > The ioctl call fails (EPERM) because only superuser can use TIOCCONS,
> >> > regardless of the ownership of the device. Using xterm with the "-C"
>> > argument works because xterm is installed with the setuid flag bit on.
>> > So the solution is "chmod +us  xconsole".
>>
>> Can someone security audit this program before blindly setuid-root'ing
>> it?
>
> > Isn't xconsole not just the same values as /var/log/messages?
>
> So information-leaking-wise it isn't a huge deal. Only the program
> itself is now the unknown.
>
> Edwin
> --
> Edwin Groothuis         Website: http://www.mavetju.org/
> edwin@mavetju.org       Weblog:  http://www.mavetju.org/weblog/

The OpenBSD folks solved the permission issue a long time ago(*) by
means of a privilege separation feature. Take a look at

     http://www.openbsd.org/cgi-bin/cvsweb/xenocara/app/xconsole/

I will see if it is possible to update the xconsole port in order to do
the same. Is there any standard privilege separation framework on
FreeBSD?

(*) http://openbsd.monkey.org/tech/200302/msg00064.html

-- 
cd /usr/ports/sysutils/life
make clean
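
The privilege-separation pattern asked about above, as an added example that is not part of the original message and is not OpenBSD's xconsole code: a forked helper keeps the setuid privilege only long enough to obtain one descriptor and passes it over a Unix socket, while the main process first drops to the invoking user's ids and confirms root cannot be regained. `send_fd`, `recv_fd`, `privsep_acquire` and `demo_acquire` are hypothetical names, and the pipe in `demo_acquire` is a constructed stand-in for the root-only TIOCCONS step.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

typedef union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } fdctl;

int send_fd(int sock, int fd) {            /* privileged helper side */
    char b = 0; fdctl c = {0}; struct iovec io = { &b, 1 };
    struct msghdr m = { .msg_iov = &io, .msg_iovlen = 1,
                        .msg_control = c.buf, .msg_controllen = sizeof c.buf };
    struct cmsghdr *h = CMSG_FIRSTHDR(&m);
    h->cmsg_level = SOL_SOCKET; h->cmsg_type = SCM_RIGHTS;
    h->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(h), &fd, sizeof fd);  /* kernel duplicates fd for the peer */
    return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
}

int recv_fd(int sock) {                    /* unprivileged side; -1 if no fd came */
    char b; fdctl c; int fd = -1; struct iovec io = { &b, 1 };
    struct msghdr m = { .msg_iov = &io, .msg_iovlen = 1,
                        .msg_control = c.buf, .msg_controllen = sizeof c.buf };
    if (recvmsg(sock, &m, 0) != 1) return -1;
    struct cmsghdr *h = CMSG_FIRSTHDR(&m);
    if (h && h->cmsg_level == SOL_SOCKET && h->cmsg_type == SCM_RIGHTS)
        memcpy(&fd, CMSG_DATA(h), sizeof fd);
    return fd;
}

/* Helper child makes the one privileged call; the caller drops root for good. */
int privsep_acquire(int (*acquire)(void)) {
    int sp[2], fd = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) return -1;
    pid_t pid = fork();                    /* fork first: helper keeps euid 0 */
    if (pid == 0) _exit((fd = acquire()) < 0 || send_fd(sp[1], fd) < 0);
    close(sp[1]);
    if (pid > 0 && !setgid(getgid()) && !setuid(getuid()) &&
        (getuid() == 0 || setuid(0) != 0)) /* regaining root must fail */
        fd = recv_fd(sp[0]);
    close(sp[0]); if (pid > 0) waitpid(pid, NULL, 0);
    return fd;
}

/* Constructed stand-in for the privileged step (xconsole: TIOCCONS on a pty). */
int demo_acquire(void) {
    int p[2];
    if (pipe(p) < 0 || write(p[1], "boot: ok\n", 9) != 9) return -1;
    close(p[1]);
    return p[0];
}
```

In a setuid-root binary the drop in `privsep_acquire` must happen before any X11 or user-supplied input is parsed, so that only the few lines in the helper ever run with euid 0.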


