[plug] new linux user

Matt Kemner zombie at networx.net.au
Wed Sep 29 16:11:58 WST 1999


On Wed, 29 Sep 1999, Tony Clark wrote:

> We where talking about minicom here.

You're not following what I'm saying.
You said it's ok to make minicom suid because you can trust everyone on
your system.  I suggested that since there is an alternative way to
achieve your goal without making minicom suid, you should use that because
suid is almost always a bad idea.

>  Unless it is being used to start a
> ppp session because chat can take a little getting use to and it doesn't
> have some fancy script to allow remote access, it should not be a security
> hazard.

You mean apart from the fact people that have access to minicom can rack
up a large international phone bill at your expense, should they so wish?
But that's not what I'm talking about.
I'm talking about the fact that in August last year somebody pointed out
how to break minicom to become root (on slackware) (and they weren't the
first)

Debian released an announcement saying their minicom is not vulnerable
because it is not installed setuid root.  However if you make it so
yourself, you are on your own.

> chmod 000 soon fixes up those security holes.

But you created them in the first place with chmod 4755

 - Matt
P.S. I think this debate is getting a little out of hand :)
My initial message was only intended to warn people that might follow your
advice, that they may be putting themselves at risk by doing so, and that
they had an alternative that was less risky, and that was in fact the way
Debian and RedHat etc. intend you to do it - add yourself to the dialout
group.



More information about the plug mailing list