From owner-freebsd-questions Tue Dec 10 06:26:50 1996
From: Christoph Kukulies
Message-Id: <199612101435.PAA15354@gilberto.physik.rwth-aachen.de>
Subject: Re: xconsole - /dev/console
In-Reply-To: <199612101238.NAA06444@ghost.mep.ruhr-uni-bochum.de> from Robert Eckardt at "Dec 10, 96 01:38:52 pm"
To: roberte@mep.ruhr-uni-bochum.de (Robert Eckardt)
Date: Tue, 10 Dec 1996 15:35:12 +0100 (MET)
Cc: kuku@gilberto.physik.rwth-aachen.de, dwhite@resnet.uoregon.edu, freebsd-questions@freefall.freebsd.org
Reply-To: Christoph Kukulies
Sender: owner-questions@FreeBSD.ORG

> > > On Mon, 9 Dec 1996, Christoph Kukulies wrote:
> > >
> > > > Is there a way to allow a normal user to use xconsole or would
> > > > opening /dev/console to the world compromise security?
> > >
> > > ? People have to run startx or log into a xdm-controlled terminal, so
> > > they're authenticated.
> >
> > It's not that I want to inhibit users seeing the console
> > messages, it was just the point if changing /dev/console's permissions
> > could compromise security anyhow.
> > I've seen /dev/console having crw--w--w- on a Linux system.
>
> This is usually done by the Give/TakeConsole scripts of xdm.
> TakeConsole:
>   chmod 622 /dev/console <<<---------
>   chown root /dev/console
> GiveConsole:
>   # By convention, both xconsole and xterm -C check that the
>   # console is owned by the invoking user and is readable before attaching
>   # the console output. This way a random user can invoke xterm -C without
>   # causing serious grief.
>   #
>   chown $USER /dev/console
>
> This way only the user at the console logging in via xdm can use
> /dev/console, but all can _send_messages_ there. Thus, console isn't
> opened to "the world" this way.

This may work for the xdm login mechanism but it doesn't work for startx.
I don't use xdm for various reasons. First off I don't have a des xdm -
I have des passwords but I haven't yet had time to compile a DES xdm.
Secondly, xdm always was prone to memory leaks or was causing the
Xserver to leak memory. I don't know how it is presently but that's
why I'm always afraid of using xdm.

> I don't know whether this has serious implications on security (like world
> readable disk devices :-)
>
> Robert
>
> > --Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
>
> --
> Robert Eckardt \\ FreeBSD -- solutions for a large universe.(tm)
> RobertE@MEP.Ruhr-Uni-Bochum.de \\ What do you want to boot tomorrow ?(tm)
> http://WWW.MEP.Ruhr-Uni-Bochum.de/~roberte
> For PGP-key finger roberte@gluon.MEP.Ruhr-Uni-Bochum.de
>

--Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
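
Added example, not part of the original message or of xdm: a portable sh script that reports which of the states discussed in this thread a console node is in (root-owned 622 as set by TakeConsole, or owned by the logged-in user as set by GiveConsole). The function names are hypothetical, and the owner-and-readable test is written from the convention stated in the quoted GiveConsole comment.

```shell
#!/bin/sh
# Added example (not from the thread): classify a console node's owner/mode.

# Sets c_mode (e.g. crw--w--w-) and c_owner (numeric uid) from ls -ldn,
# whose first and third fields are the same on FreeBSD and Linux.
_console_stat() {
    c_line=$(ls -ldn "$1" 2>/dev/null) || return 2
    set -- $c_line
    c_mode=$1 c_owner=$3
}

# True if group or other can read the node (console output leaks past the
# owner). TakeConsole's 622 keeps this false.
console_exposed() {
    _console_stat "$1" || return 2
    case $c_mode in ????r*|???????r*) return 0 ;; esac
    return 1
}

# True if any user may write to the node, as with 622.
console_world_writable() {
    _console_stat "$1" || return 2
    case $c_mode in ????????w*) return 0 ;; esac
    return 1
}

# True if uid $2 passes the convention in the GiveConsole comment:
# the node is owned by the invoking user and readable by that owner.
console_attachable() {
    _console_stat "$1" || return 2
    [ "$c_owner" = "$2" ] || return 1
    case $c_mode in ?r*) return 0 ;; esac
    return 1
}

# Print a short report for DEV (default /dev/console) and UID (default: caller).
console_audit() {
    dev=${1:-/dev/console} uid=${2:-$(id -u)}
    _console_stat "$dev" || { echo "cannot stat $dev"; return 2; }
    echo "$dev: mode $c_mode, owner uid $c_owner"
    if console_exposed "$dev"; then echo "  readable beyond the owner"; fi
    if console_world_writable "$dev"; then echo "  any user can write messages to it"; fi
    if console_attachable "$dev" "$uid"; then
        echo "  uid $uid owns it and can read it (state after GiveConsole)"
    else
        echo "  uid $uid fails the owner-and-readable check"
    fi
}
```

After sourcing the file, `console_audit` with no arguments reports on /dev/console for the calling user.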