For mgetty users with non-trusted shell logins

l41484@alfa.ist.utl.pt (l41484@alfa.ist.utl.pt)
Fri, 29 Jan 1999 08:55:32 +0100


On Thu, 28 Jan 1999, Gert Doering wrote:

> To: Tiago Pascoal <umm@cavorka.umm.home>,
                    ^^^^^^^^^^^^^^^^^^^^^^^
RATS. How is this happening? Can you please send me all the headers of the
original message I sent? This is driving me nuts. I have to figure out if
it's an MUA or MTA bug.

> On Thu, Jan 28, 1999 at 12:32:42PM +0100, l41484@alfa.ist.utl.pt wrote:
> > Perhaps. Speaking of which, I noticed the tty's when unused (the ones that
> > will be used for the console for example) have mode 622.  Why not 600?
> > (or 660 since they are root:root owned)
> 
> Possibly so that things like "wall" work all the time?  Hard to say,
> I don't see any real reason for it...

Hummm, I would see no need (or use) for wall to work on a tty which has no
users. :-)

> [..]
> > > However, it looks like many people are using Linux nowadays in this
> > > fashion, and after all, if you run after all the buffer overflow
> > > problems which may or may not be exploited, why not go for the
> > > more fundamental problems too?
> > 
> > In my opinion, _all_ security problems should be solved. The minor and the
> > majors. 
> 
> Yep.  As long as it doesn't break real world stuff - if a system is
> absolutely secure, it's also absolutely unusable.

Of course. You have to make some trade-offs.

> > Of course, problems like, you can exploit this, if condition A &
> > B & .... Z, are met and they have a _very low_ probability of happening, I
> > would give them a lower priority. :-)
> > 
> > Maybe you should give it a shot on Linux's security audit ML?
> > 
> > (security audit <security-audit@ferret.lmh.ox.ac.uk>)
> 
> Interesting idea.  Actually, Linux isn't our main concern - I'm pretty
> confident Tytso will add an appropriate "paranoia bit" to the serial
> driver - but CommercialUnix in its various flavours is...

Well, for most of them, I guess they must have a CERT advisory down their
throat. :-)

> Which brings me to something :) - I will start hacking on FAS again,
> because as it isn't actively maintained anymore, there is nobody who
> will add this SecureTty bit to it now...

FAS?? (The part of my brain that deals with acronyms is a bit overloaded
:-))

--
Tiago Pascoal  (l41484@alfa.ist.utl.pt)               FAX : +351-1-7273394
Politically incorrect, and a (not very) prominent member of the "geracao rasca".