libpisock8: System serial device permissions overridden
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pilot-link (Debian) | Fix Released | Unknown | |
pilot-link (Ubuntu) | Invalid | Medium | Unassigned |
Bug Description
Automatically imported from Debian bug report #258847 http://
In Debian Bug tracker #258847, Ludovic Rousseau (ludovic-rousseau-gmail) wrote : Re: Bug#258847: libpisock8: System serial device permissions overridden | #1 |
In Debian Bug tracker #258847, David Pettersson (david-avendi) wrote : | #2 |
On Sun, Jul 11, 2004 at 10:43:16PM +0200, Ludovic Rousseau wrote:
> The default choice is safe (do not change anything). If you have
> something else it is because the admin (you?) _chose it_.
>
> Maybe the debconf question is not clear enough:
> " To ease the use of the Palm connected to the port its access rights
> will be lowered to allow access to any user. If it is a security
> problem for you, select "None" and manage the link and its access
> rights yourself. "
>
> run 'sudo dpkg-reconfigure jpilot' to see the question again.
Yes, I must have changed this myself. However, I did try running
dpkg-reconfigure on the libpisock8 package before sending the report,
but was misled by the naming of the file. Perhaps a comment in the
libpisock8-file would be appropriate?
Thanks for pointing out my error, and for your rapid response. I think
we can close/reject this report.
Sincerely,
--
David Pettersson
In Debian Bug tracker #258847, Matt Zimmerman (mdz) wrote : | #3 |
severity 258847 grave
thanks
On Sun, Jul 11, 2004 at 10:10:02PM +0200, David Pettersson wrote:
> Package: libpisock8
> Version: 0.11.8-10
> Severity: normal
> Tags: security
>
> Hi,
>
> The libpisock8 package places a libpisock8 file in the /etc/devfs/conf.d
> directory, which explicitly overrides the system permissions for the
> first serial port, setting /dev/ttyS0 to world read/writable.
>
> This is a nice convenience feature for the average user, but it also
> allows all users (even those not in the dialout group) to access the
> serial port.
>
> I am unsure how to solve this. However, please let me know if I can
> assist in any way.
This is a serious issue; I am adjusting the severity of this bug accordingly.
--
- mdz
Debian Bug Importer (debzilla) wrote : | #5 |
Message-Id: <email address hidden>
Date: Sun, 11 Jul 2004 22:10:02 +0200
From: David Pettersson <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: libpisock8: System serial device permissions overridden
Package: libpisock8
Version: 0.11.8-10
Severity: normal
Tags: security
Hi,
The libpisock8 package places a libpisock8 file in the /etc/devfs/conf.d
directory, which explicitly overrides the system permissions for the
first serial port, setting /dev/ttyS0 to world read/writable.
This is a nice convenience feature for the average user, but it also
allows all users (even those not in the dialout group) to access the
serial port.
I am unsure how to solve this. However, please let me know if I can
assist in any way.
Sincerely,
--
David Pettersson
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=sv_SE, LC_CTYPE=sv_SE
Versions of packages libpisock8 depends on:
ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an
ii libncurses5 5.4-4 Shared libraries for terminal hand
ii libreadline4 4.3-11 GNU readline and history libraries
-- no debconf information
Debian Bug Importer (debzilla) wrote : | #6 |
Message-ID: <email address hidden>
Date: Sun, 11 Jul 2004 22:43:16 +0200
From: Ludovic Rousseau <email address hidden>
To: David Pettersson <email address hidden>, <email address hidden>
Subject: Re: Bug#258847: libpisock8: System serial device permissions overridden
Hello,
On Sunday 11 July 2004 at 22:10:02, David Pettersson wrote:
> The libpisock8 package places a libpisock8 file in the /etc/devfs/conf.d
> directory, which explicitly overrides the system permissions for the
> first serial port, setting /dev/ttyS0 to world read/writable.
In fact it is not the libpisock8 package but jpilot, pilot-link and some
others. The file is called this way to indicate it is used by libpisock8
but it is not created by this package. See also Debian bug #205059 [1].
> This is a nice convenience feature for the average user, but it also
> allows all users (even those not in the dialout group) to access the
> serial port.
I know. See Debian bug #205125 [2].
> I am unsure how to solve this. However, please let me know if I can
> assist in any way.
The default choice is safe (do not change anything). If you have
something else it is because the admin (you?) _chose it_.
Maybe the debconf question is not clear enough:
" To ease the use of the Palm connected to the port its access rights
will be lowered to allow access to any user. If it is a security
problem for you, select "None" and manage the link and its access
rights yourself. "
run 'sudo dpkg-reconfigure jpilot' to see the question again.
Regards,
[1] http://
[2] http://
--
Dr. Ludovic Rousseau <email address hidden>
-- Standardising Unix is like pasteurising camembert, L.R. --
In Debian Bug tracker #258847, Ludovic Rousseau (ludovic-rousseau-gmail) wrote : | #9 |
On Sunday 11 July 2004 at 14:43:23, Matt Zimmerman wrote:
> This is a serious issue; I am adjusting the severity of this bug accordingly.
Matt,
Can you read the other messages regarding this bug and tell me if you
still consider it a serious issue?
I can add a comment in /etc/devfs/
file is here and how to change it. Do you think it will be enough?
Bye,
--
Dr. Ludovic Rousseau <email address hidden>
-- Standardising Unix is like pasteurising camembert, L.R. --
In Debian Bug tracker #258847, Matt Zimmerman (mdz) wrote : | #10 |
severity 258847 normal
thanks
On Mon, Jul 12, 2004 at 10:14:09AM +0200, Ludovic Rousseau wrote:
> Le Sunday 11 July 2004 à 14:43:23, Matt Zimmerman a écrit:
> > This is a serious issue; I am adjusting the severity of this bug accordingly.
>
> Matt,
>
> Can you read the other messages regarding this bug and tell me if you
> still consider it a serious issue?
No, I do not. If this is not done by default, and only when the user
explicitly requests it, this is not as serious as it appeared.
However, I do question the need for this mechanism...isn't it simpler to
require that users be added to the dialout group? That is its purpose.
> I can add a comment in /etc/devfs/
> file is here and how to change it. Do you think it will be enough?
That would be helpful.
--
- mdz
Matt Zimmerman (mdz) wrote : | #11 |
Not RC; the submitter confused me by stating that the change happened by default
In Debian Bug tracker #258847, Ludovic Rousseau (ludovic-rousseau-gmail) wrote : | #14 |
On Monday 12 July 2004 at 01:18:32, Matt Zimmerman wrote:
> However, I do question the need for this mechanism...isn't it simpler to
> require that users be added to the dialout group? That is its purpose.
I discussed this possibility in bug #205125.
If the user belongs to the group dialout he will also have access to the
other serial ports. Maybe that's too permissive and considered a
(grave) security problem.
Another solution is to create a "pda" group and change the group of the
serial device. But you will have a problem if you connect something else
on the serial port (like a modem).
Do we (Debian) have a policy on how to manage access rights on the
serial ports, and not just for modem access?
Bye,
--
Dr. Ludovic Rousseau <email address hidden>
-- Standardising Unix is like pasteurising camembert, L.R. --
In Debian Bug tracker #258847, Matt Zimmerman (mdz) wrote : | #15 |
On Tue, Jul 13, 2004 at 06:11:57PM +0200, Ludovic Rousseau wrote:
> On Monday 12 July 2004 at 01:18:32, Matt Zimmerman wrote:
> > However, I do question the need for this mechanism...isn't it simpler to
> > require that users be added to the dialout group? That is its purpose.
>
> I discussed this possibility in bug #205125.
>
> If the user belongs to the group dialout he will also have access to the
> other serial ports. Maybe that's too permissive and considered a
> (grave) security problem.
>
> Another solution is to create a "pda" group and change the group of the
> serial device. But you will have a problem if you connect something else
> on the serial port (like a modem).
>
> Do we (Debian) have a policy on how to manage access rights on the
> serial ports, and not just for modem access?
Yes, refer to the base-passwd documentation.
dialout
Full and direct access to serial ports. Members of this group can
reconfigure the modem, dial anywhere, etc.
--
- mdz
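The dialout-versus-world-accessible question in the two messages above, as an added audit script that is not code from the bug thread or from pilot-link: it reads stat-style permission lines for serial device nodes, flags any node whose "other" bits grant read or write (what the devfs snippet did to /dev/ttyS0), and notes group ownership other than dialout. The sample lines and the "pda" group value are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the bug thread: audit serial device nodes for
# the permission drift discussed above. Input lines are "octal-mode owner
# group path", the shape produced by `stat -c '%a %U %G %n' /dev/ttyS*`,
# so the script runs offline on the constructed sample below and can also
# be fed live stat output on a Debian host.

# Constructed sample (not real stat output): ttyS0 as the devfs snippet
# would leave it (world read/write), ttyS1 as base-passwd intends
# (root:dialout 0660), ttyS2 handed to a dedicated "pda" group as
# proposed in the thread.
SAMPLE='666 root root /dev/ttyS0
660 root dialout /dev/ttyS1
660 root pda /dev/ttyS2'

# audit_serial_perms: reads stat-style lines on stdin and prints one line
# per device: "<path> <verdict> <detail>". Verdicts:
#   WORLD  - "other" has read or write: every local account, dialout
#            member or not, can open the port
#   GROUP  - no "other" access, but the group is not dialout (a
#            deliberate "pda"-style group, or drift worth a look)
#   OK     - restricted to root:dialout with no "other" access
audit_serial_perms() {
    awk '
    NF == 4 {
        mode = $1; group = $3; path = $4
        # last octal digit holds the "other" bits (r=4, w=2, x=1)
        other = substr(mode, length(mode), 1) + 0
        # digits 2..7 all contain r or w; 0 and 1 do not
        if (other >= 2) {
            printf "%s WORLD mode=%s fix: chmod 0660 %s; chgrp dialout %s\n",
                   path, mode, path, path
        } else if (group != "dialout") {
            printf "%s GROUP mode=%s group=%s\n", path, mode, group
        } else {
            printf "%s OK mode=%s group=%s\n", path, mode, group
        }
    }'
}

# count_world_accessible: number of WORLD findings on stdin, for a quick
# pass/fail check in a cron job or post-install hook.
count_world_accessible() {
    audit_serial_perms | grep -c ' WORLD ' || true
}

printf '%s\n' "$SAMPLE" | audit_serial_perms
```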
In Debian Bug tracker #258847, Ludovic Rousseau (ludovic-rousseau-gmail) wrote : Fixed in upload of pilot-link 0.11.8-0.12.0-pre4-1 to experimental | #18 |
tag 151839 + fixed-in-
tag 225270 + fixed-in-
tag 225271 + fixed-in-
tag 225920 + fixed-in-
tag 228813 + fixed-in-
tag 252210 + fixed-in-
tag 257299 + fixed-in-
tag 258847 + fixed-in-
tag 264617 + fixed-in-
tag 269133 + fixed-in-
tag 270975 + fixed-in-
tag 283593 + fixed-in-
tag 289231 + fixed-in-
tag 289234 + fixed-in-
tag 289353 + fixed-in-
tag 290109 + fixed-in-
tag 293474 + fixed-in-
tag 296666 + fixed-in-
tag 305697 + fixed-in-
tag 306505 + fixed-in-
tag 307847 + fixed-in-
tag 313348 + fixed-in-
quit
This message was generated automatically in response to an
upload to the experimental distribution. The .changes file follows.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 22 Jun 2005 21:23:51 +0200
Source: pilot-link
Binary: libpisock9 libpda-pilot-perl pilot-link libpisync0 python-pisock libpisock-dev
Architecture: source i386
Version: 0.11.8-
Distribution: experimental
Urgency: low
Maintainer: Ludovic Rousseau <email address hidden>
Changed-By: Ludovic Rousseau <email address hidden>
Description:
libpda-pilot-perl - Perl module to communicate with a PalmOS PDA
libpisock-dev - development files for communicating with a PalmOS PDA
libpisock9 - library for communicating with a PalmOS PDA
libpisync0 - synchronization library for PalmOS devices
pilot-link - tools to communicate with a PalmOS PDA
python-pisock - Python module to communicate with PalmOS PDA
Closes: 151839 225270 225271 225920 228813 252210 257299 258847 264617 269133 270975 283593 289231 289234 289353 290109 293474 296666 305697 306505 307847 313348
Changes:
pilot-link (0.11.8-
.
* New upstream release
- now support databases > 64KB. closes: #225920 "Crashes backing up Clie
NX-70V"
- "pilot-addresses: mixed up fields" closes: #151839
- "pilot-addresses -r option broken" closes: #252210
- pilot-prc removed, closes: #257299 "pilot-prc is totally broken"
- pilot-datebook removed, closes: #269133 "export to remind is broken with
records spanning multiple lines"
- "libpisock-dev: unnecessary -lreadline link dependency" closes: #270975
- "install-datebook gives, fopen: Bad address" closes: #290109
- "pilot-xfer crashes when using -s option" closes: #305697
- "0.11.8 series has been deprecated" closes: #307847
- "memos -s . -f MemoDB.pdb fails to create directories as needed"
closes: #313348
- "minor cut-and-paste typo in pilot-xfer manpage" closes: #283593
- pilot-link.7 removed, closes: #289234 "pilot-link.7.gz: nroff accident"
- "pilot-schlep.1.gz: -f file > file" closes: #289353
- "pilot-xfer.1.gz: documentation locked inside program" closes: #293474
* do not provide a devfs config file anymore. closes: #228813
"/
closes: #258847 "System serial device permissions overridden"
...
In Debian Bug tracker #258847, Ludovic Rousseau (ludovic-rousseau-gmail) wrote : bug closed in experimental and now also closed in unstable | #20 |
Hello,
The bug you reported has been closed by a version of pilot-link uploaded
in experimental. Version 0.12.1 is now stable upstream and has been
uploaded in Debian unstable so the bug is really closed now.
Thanks,
--
Dr. Ludovic Rousseau <email address hidden>
-- Standardising Unix is like pasteurising camembert, L.R. --
Changed in pilot-link: status: Fix Committed → Fix Released