From owner-freebsd-questions Tue Dec 10 05:35:47 1996
Return-Path:
Received: (from root@localhost)
	by freefall.freebsd.org (8.8.4/8.8.4) id FAA00718
	for questions-outgoing; Tue, 10 Dec 1996 05:35:47 -0800 (PST)
Received: from who.cdrom.com (who.cdrom.com [204.216.27.3])
	by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id FAA00695
	for ; Tue, 10 Dec 1996 05:35:44 -0800 (PST)
Received: from ghost.mep.ruhr-uni-bochum.de (ghost.mep.ruhr-uni-bochum.de [134.147.6.16])
	by who.cdrom.com (8.7.5/8.6.11) with ESMTP id EAA13313
	for ; Tue, 10 Dec 1996 04:41:05 -0800 (PST)
Received: (from roberte@localhost)
	by ghost.mep.ruhr-uni-bochum.de (8.7.5/8.7.3) id NAA06444;
	Tue, 10 Dec 1996 13:38:53 +0100 (MET)
From: Robert Eckardt
Message-Id: <199612101238.NAA06444@ghost.mep.ruhr-uni-bochum.de>
Subject: Re: xconsole - /dev/console
In-Reply-To: <199612100811.JAA13923@gilberto.physik.rwth-aachen.de> from Christoph Kukulies at "10. Dec. 96 9:11:21"
To: kuku@gilberto.physik.RWTH-Aachen.DE
Date: Tue, 10 Dec 1996 13:38:52 +0100 (MET)
Cc: dwhite@resnet.uoregon.edu, kuku@gilberto.physik.RWTH-Aachen.DE, freebsd-questions@freefall.freebsd.org
X-Mailer: ELM [version 2.4ME+ PL25 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> > On Mon, 9 Dec 1996, Christoph Kukulies wrote:
> >
> > > Is there a way to allow a normal user to use xconsole or would
> > > opening /dev/console to the world compromise security?
> >
> > ? People have to run startx or log into a xdm-controlled terminal, so
> > they're authenticated.
>
> It's not that I want to inhibit users seeing the console
> messages, it was just the point if changing /dev/console's permissions
> could compromise security anyhow.
> I've seen /dev/console having crw--w--w- on a Linux system.

This is usually done by the Give/TakeConsole scripts of xdm.

TakeConsole:
    chmod 622 /dev/console       <<<---------
    chown root /dev/console

GiveConsole:
    # By convention, both xconsole and xterm -C check that the
    # console is owned by the invoking user and is readable before attaching
    # the console output. This way a random user can invoke xterm -C without
    # causing serious grief.
    #
    chown $USER /dev/console

This way only the user at the console logging in via xdm can use
/dev/console, but all can _send_messages_ there.
Thus, console isn't opened to "the world" this way.
I don't know whether this has serious implications on security
(like world readable disk devices :-)

Robert

> --Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de

-- 
Robert Eckardt                  \\ FreeBSD -- solutions for a large universe.(tm)
RobertE@MEP.Ruhr-Uni-Bochum.de  \\ What do you want to boot tomorrow ?(tm)
http://WWW.MEP.Ruhr-Uni-Bochum.de/~roberte
For PGP-key finger roberte@gluon.MEP.Ruhr-Uni-Bochum.de
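
An audit check for the ownership convention described in the message above, as an added example that is not part of the original post or of xdm. The function names, the user name alice and the rule that group read access is also flagged are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a console device's mode and owner against the
# GiveConsole/TakeConsole convention (mode 622, owner root or session user).

# classify_console MODE OWNER [SESSION_USER]
#   MODE          ls -l style string, e.g. crw--w--w-
#   OWNER         owning user of the device node
#   SESSION_USER  user logged in via xdm, empty if nobody is (assumed input)
classify_console() {
    mode=$1; owner=$2; sess=${3:-}
    group_r=$(printf '%s' "$mode" | cut -c5)
    other_r=$(printf '%s' "$mode" | cut -c8)
    other_w=$(printf '%s' "$mode" | cut -c9)

    # Reading console output is reserved for the owner; write-only access
    # for everyone else is what "chmod 622" grants.
    if [ "$group_r" = r ] || [ "$other_r" = r ]; then
        echo "FAIL: readable beyond owner ($mode)"; return 1
    fi
    # TakeConsole leaves root as owner, GiveConsole the session user.
    if [ "$owner" != root ] && [ "$owner" != "$sess" ]; then
        echo "FAIL: owner $owner is neither root nor the session user"; return 1
    fi
    if [ "$other_w" = w ]; then
        echo "OK: owner $owner, others may write but not read ($mode)"
    else
        echo "OK: owner $owner, no access for others ($mode)"
    fi
}

# check_console [DEVICE] [SESSION_USER]: read the live mode and owner via ls.
check_console() {
    line=$(ls -ld "${1:-/dev/console}") || return 2
    sess_arg=${2:-}
    set -- $line
    # Keep only the 10 mode characters; some ls versions append '+', '.' or '@'.
    classify_console "$(printf '%s' "$1" | cut -c1-10)" "$3" "$sess_arg"
}

# Constructed sample states (not read from a real system):
classify_console crw--w--w- root             # after TakeConsole
classify_console crw--w--w- alice alice      # after GiveConsole for alice
classify_console crw-rw-rw- root || true     # world-readable: flagged
```

On a live system, `check_console /dev/console "$USER"` applies the same rules to the actual device node.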