Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 100 - minicom is set GID uucp; security hole
Summary: minicom is set GID uucp; security hole
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: minicom
Version: 5.1
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Mike Maher
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 1998-11-17 03:29 UTC by che
Modified: 2021-08-27 22:42 UTC (History)
0 users

Fixed In Version:
Clone Of:
: 770956 (view as bug list)
Environment:
Last Closed: 1999-01-26 18:42:55 UTC
Embargoed:


Attachments (Terms of Use)

Description che 1998-11-17 03:29:52 UTC
As the summary says, minicom is shipped set-GID uucp in Red
Hat up to 5.1 (I don't know about 5.2, I don't know anyone
who has that installed.)

This means that any user on a Red Hat box can dial-out via
the modem without any special permissions. If Joe Schmoe has
an account on my box and wishes to dial up Transylvania for
14 hours a day, he can do so completely without my knowing
it. Also, any user can interrupt a serial transfer because
of this security flaw.

This is wrong: Debian GNU/Linux ships minicom mode 0755, as
it should be, and requires that the users themselves be in
the dip (dialout) group if they wish to have access to the
serial ports.

Please issue errate for all previous versions of Red Hat
with a fixed minicom package that is properly mode 0755.

Ben Gertzfield, Debian GNU/Linux developer

Comment 1 Derek Tattersall 1998-11-19 14:52:59 UTC
/usr/bin/minicom is set GID uucp in 5.2 also.

Comment 2 Mike Maher 1999-01-26 18:42:59 UTC
Set group ID to root, mode 0755.  If used wish to use minicom
to dial out they can must add the user id to minicom.


Note You need to log in before you can comment on or make changes to this bug.