Gentoo Archives: gentoo-hardened

From: Vieri <rentorbuy@×××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] novice question regarding SU and TTY
Date: Tue, 08 May 2007 15:33:26
Message-Id: 45436.19377.qm@web32615.mail.mud.yahoo.com
In Reply to: Re: [gentoo-hardened] novice question regarding SU and TTY by gentoo-hardened-ml-01@bumpin.org
Regarding SU:
My mistake, sorry. It actually does work but I was
doing it stupidly on a user account whose shell was
/bin/false.

Regarding /dev/ttySx:
1) Is putting nut in the uucp group safe?
2) Is changing the GROUP for ttyS in udev safe?

non-hardened udev rules:

# tty devices
KERNEL=="ttyS[0-9]*", NAME="tts/%n", SYMLINK+="%k", GROUP="tty"
KERNEL=="ttyUSB[0-9]*", NAME="tts/USB%n", GROUP="tty", MODE="0660"

hardened udev rules:

# tty devices
KERNEL=="ttyS[0-9]*", NAME="%k", SYMLINK="tts/%n", GROUP="uucp", MODE="0660"
KERNEL=="ttyUSB[0-9]*", NAME="%k", SYMLINK="tts/USB%n", GROUP="uucp", MODE="0660"

Of the two methods I suppose modifying the udev rules
is the safer because I could just redefine ttyS0
only.

Thank you.

--- gentoo-hardened-ml-01@××××××.org wrote:

> Changing the perms on /dev/ttyS0 manually will not persist between reboots.
> You should change the udev rules in /etc/udev/rules.d/ or add "nut" to the
> uucp group in /etc/group.
>
> As for why your su doesn't work, I am not sure. Works for me, my root user is
> in the wheel group and the user I su to exists.
>
> On Tuesday, May 8, 2007 07:55, Vieri wrote:
> > --- Vieri <rentorbuy@×××××.com> wrote:
> > > Hi,
> > >
> > > I've recently installed a gentoo box with the hardened
> > > profile + hardened-sources so I'm new to all this.
> > >
> > > I have two basic questions that I can't seem to answer.
> > >
> > > 1) SU:
> > > on the non-hardened gentoo box I'm used to, I can
> > > enter as root and then do a "su username" and a whoami
> > > shows that username. However, in the hardened box,
> > > issuing "su username" doesn't do anything and whoami
> > > is still root. I can't see any log messages related to
> > > this. Is this behavior normal?
> > >
> > > 2) TTY:
> > > on my non-hardened gentoo I emerged sys-power/nut
> > > which is a UPS monitoring tool and needs to access
> > > /dev/ttySx. The nut driver is supposed to run under
> > > the nut user/group which is also part of the tty
> > > group. In other words, the application has correct
> > > access to the device. However, in my hardened box
> > > after emerging without errors and verifying that the
> > > nut user was added to the tty group, the nut app fails
> > > when trying to access /dev/ttyS0 and reports
> > > "permission denied".
> > >
> > > I'm sure all this is due to my lack of experience but
> > > could someone please give me the big picture.
> >
> > May I add:
> >
> > non-hardened # ls -la /dev/ttyS0
> > lrwxrwxrwx 1 root root 5 Apr 27 12:39 /dev/ttyS0 -> tts/0
> >
> > hardened # ls -la /dev/ttyS0
> > crw-rw---- 1 root uucp 4, 64 May 8 00:19 /dev/ttyS0
> >
> > Do I just need to manually change permissions for this
> > device?
> >
> > > Thank you.
> > >
> > > Vieri
--
gentoo-hardened@g.o mailing list
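
Added example, not part of the original message or of Gentoo's udev rules: a small Python model of the two options discussed above (adding nut to uucp versus a udev rule for ttyS0 only), showing which serial devices the nut account can reach in each case. The ttyS0-only override rule, the group tables, the device list and the root/0600 default are assumptions constructed for illustration, and the matcher handles only KERNEL== globs and plain GROUP=/MODE= assignments.

```python
import fnmatch
import re

# Hardened rules as quoted in the message (joined onto single lines).
HARDENED = '''
KERNEL=="ttyS[0-9]*", NAME="%k", SYMLINK="tts/%n", GROUP="uucp", MODE="0660"
KERNEL=="ttyUSB[0-9]*", NAME="%k", SYMLINK="tts/USB%n", GROUP="uucp", MODE="0660"
'''
# Hypothetical local override (assumption): hand only ttyS0 to the nut group.
OVERRIDE = 'KERNEL=="ttyS0", GROUP="nut", MODE="0660"\n'

# Constructed group tables for the two options.
ADD_TO_UUCP = {"uucp": {"nut"}, "nut": {"nut"}}   # option 1: nut joins uucp
UDEV_ONLY = {"uucp": set(), "nut": {"nut"}}       # option 2: override rule only

DEVICES = ["ttyS0", "ttyS1", "ttyUSB0"]           # constructed device list
PAIR = re.compile(r'(\w+)\s*(==|\+=|=)\s*"([^"]*)"')


def effective(rules, device):
    """Apply matching rules in order; a later GROUP=/MODE= assignment wins."""
    group, mode = "root", "0600"  # assumed defaults for an unmatched node
    for line in rules.splitlines():
        pairs = PAIR.findall(line.split("#", 1)[0])
        globs = [v for k, op, v in pairs if k == "KERNEL" and op == "=="]
        # Simplified model: only lines with a KERNEL== match are considered.
        if not globs or not all(fnmatch.fnmatchcase(device, g) for g in globs):
            continue
        for key, op, value in pairs:
            if op == "=" and key == "GROUP":
                group = value
            elif op == "=" and key == "MODE":
                mode = value
    return group, mode


def reachable(user, rules, groups):
    """Devices the user can open read/write through group membership."""
    found = []
    for dev in DEVICES:
        group, mode = effective(rules, dev)
        if (int(mode, 8) & 0o060) == 0o060 and user in groups.get(group, set()):
            found.append(dev)
    return found


if __name__ == "__main__":
    print("nut in uucp :", reachable("nut", HARDENED, ADD_TO_UUCP))
    print("ttyS0 rule  :", reachable("nut", HARDENED + OVERRIDE, UDEV_ONLY))
```

In this model the override also takes ttyS0 out of the uucp group, so any other uucp member that relied on that port would lose access to it.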