From owner-freebsd-stable@FreeBSD.ORG Mon Oct 13 21:23:04 2008
Date: Mon, 13 Oct 2008 18:23:01 -0300
From: "Carlos A. M. dos Santos" <unixmania@gmail.com>
To: "Edwin Groothuis"
Cc: Jeremy Chadwick, freebsd-stable@freebsd.org, Jeff Blank
Subject: Re: can't see non-root writes to /dev/console
In-Reply-To: <20081013210520.GA71471@mavetju.org>
References: <20080910203445.GA8561@mr-happy.com> <20081013052353.GA10013@icarus.home.lan> <20081013210520.GA71471@mavetju.org>
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)

On Mon, Oct 13, 2008 at 6:05 PM, Edwin Groothuis wrote:
> On Sun, Oct 12, 2008 at 10:23:53PM -0700, Jeremy Chadwick wrote:
>> > The ioctl call fails (EPERM) because only the superuser can use TIOCCONS,
>> > regardless of the ownership of the device. Using xterm with the "-C"
>> > argument works because xterm is installed with the setuid flag bit on.
>> > So the solution is "chmod +us xconsole".
>>
>> Can someone security audit this program before blindly setuid-root'ing
>> it?
>
> Isn't xconsole just the same values as /var/log/messages?
>
> So information-leaking-wise it isn't a huge deal. Only the program
> itself is now the unknown.
>
> Edwin
> --
> Edwin Groothuis      Website: http://www.mavetju.org/
> edwin@mavetju.org    Weblog:  http://www.mavetju.org/weblog/

The OpenBSD folks solved the permission issue a long time ago(*) by means
of a privilege separation feature. Take a look at

http://www.openbsd.org/cgi-bin/cvsweb/xenocara/app/xconsole/

I will see if it is possible to update the xconsole port in order to do
the same. Is there any standard privilege separation framework on
FreeBSD?

(*) http://openbsd.monkey.org/tech/200302/msg00064.html

--
cd /usr/ports/sysutils/life
make clean
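The thread contrasts two ways of getting a non-root console reader past the superuser-only TIOCCONS ioctl: making the whole program setuid root (everything it does, including parsing console text, then runs as root) versus confining root to the one step that needs it. The following is an added example, not code from the xconsole port or from OpenBSD's xenocara tree: it performs the TIOCCONS ioctl first, then drops root permanently and verifies the drop before reading a single byte of console output, and it strips terminal control bytes from that output because anyone who can write to the console can inject them. OpenBSD's xconsole goes further by keeping a small privileged process alive; this is the simpler drop-then-read variant of the same idea. The uid/gid 65534 ("nobody") and the macro names are assumptions; a dedicated unprivileged account is preferable in practice.

```c
/*
 * Least-privilege console reader (added example, not xconsole's code).
 * Order of operations is the whole point:
 *   1. attach_console()   - the only step that needs root (TIOCCONS)
 *   2. drop_privileges()  - give root up for good, and prove it
 *   3. read + sanitize     - untrusted console data is handled unprivileged
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define UNPRIV_UID ((uid_t)65534)   /* assumption: "nobody"; use a dedicated account */
#define UNPRIV_GID ((gid_t)65534)

/* Privileged step: open a pty and make the kernel send console output to
 * its slave. Returns the master fd to read from, or -errno (EPERM when not
 * run as the superuser, which is exactly the failure the thread describes). */
int attach_console(void)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master == -1)
        return -errno;
    int slave = -1;
    const char *slave_name;
    if (grantpt(master) == 0 && unlockpt(master) == 0 &&
        (slave_name = ptsname(master)) != NULL)
        slave = open(slave_name, O_RDWR | O_NOCTTY);
    if (slave == -1) {
        int e = errno;
        close(master);
        return -e;
    }
#ifdef TIOCCONS
    int on = 1;                       /* BSD takes a flag; Linux ignores the argument */
    if (ioctl(slave, TIOCCONS, &on) == -1) {
        int e = errno;
        close(slave);
        close(master);
        return -e;
    }
    /* slave stays open for the life of the program so the redirect stays attached */
    return master;
#else
    close(slave);
    close(master);
    return -ENOSYS;                   /* platform has no TIOCCONS */
#endif
}

/* Give up root permanently. Groups and gid first (they need root), uid last.
 * Returns 0, or -errno; -EPERM if root could still be regained afterwards. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() != 0 && geteuid() != 0)
        return 0;                     /* already unprivileged: nothing to drop */
    if (setgroups(0, NULL) == -1)
        return -errno;
    if (setgid(gid) == -1)
        return -errno;
    if (setuid(uid) == -1)
        return -errno;
    /* Fail closed: if setuid(0) succeeds, the saved uid was still root and
     * the drop was not permanent. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -EPERM;
    return 0;
}

/* Unprivileged step: console text is attacker-influenced, so keep only
 * printable ASCII, tab and newline and replace everything else (ESC, BEL,
 * DEL, high bytes) with '?'. Writes at most out_len-1 bytes plus NUL and
 * returns how many bytes were replaced. Deliberately conservative: it also
 * mangles UTF-8, which is acceptable for a console log viewer. */
size_t sanitize_line(const char *in, size_t in_len, char *out, size_t out_len)
{
    size_t replaced = 0, o = 0;
    for (size_t i = 0; i < in_len && o + 1 < out_len; i++) {
        unsigned char c = (unsigned char)in[i];
        if ((c >= 0x20 && c < 0x7f) || c == '\t' || c == '\n') {
            out[o++] = (char)c;
        } else {
            out[o++] = '?';
            replaced++;
        }
    }
    out[o] = '\0';
    return replaced;
}

int main(void)
{
    int console = attach_console();
    if (console < 0) {
        fprintf(stderr, "TIOCCONS: %s (this is the one step that needs root)\n",
                strerror(-console));
        return 1;
    }
    int rc = drop_privileges(UNPRIV_UID, UNPRIV_GID);
    if (rc != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(-rc));
        return 1;                     /* never continue with root still held */
    }
    /* From here on nothing runs as root; display whatever the console emits. */
    char buf[512], clean[1024];
    ssize_t n;
    while ((n = read(console, buf, sizeof buf)) > 0) {
        sanitize_line(buf, (size_t)n, clean, sizeof clean);
        fputs(clean, stdout);
        fflush(stdout);
    }
    return 0;
}
```

Run as root, the program attaches to the console, drops to the unprivileged account and then streams sanitized console output; run as an ordinary user it fails at the ioctl with EPERM, the same symptom the thread starts from. The check that setuid(0) is refused after the drop is the part a reviewer of a setuid program would look for first: a program that only changes its effective uid can be walked back to root by any later bug.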