Bug 23406

Summary: MAKEDEV all should not be used on live systems
Product: Base System
Reporter: Robert Watson <rwatson>
Component: bin
Assignee: Doug Barton <dougb>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 4.2-STABLE   
Hardware: Any   
OS: Any   

Description Robert Watson freebsd_committer freebsd_triage 2000-12-09 19:30:00 UTC
mergemaster, on noticing it merged a change to /dev/MAKEDEV, will suggest
to the user that they run MAKEDEV all to recreate devices.  However, this
is dangerous on multi-user machines, as it resets ownership and permissions
on user tty devices so that they are world-readable and writable.  This
can allow nastiness such as tty spoofing and sniffing, not to mention
confusion when the user runs mesg n and discovers they don't own the
tty.  As such, I'd recommend adding a warning to the mergemaster output
recommending that MAKEDEV all not be run on live multi-user systems,
and instead only be used in single-user mode or when no risk is involved
in resetting these permissions.

How-To-Repeat: 
mergemaster
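
The condition described in the report above (user tty nodes left world-readable and writable, or no longer owned by the logged-in user) can be checked for with a small audit script. This is an added example, not part of the original report or of mergemaster; the function names, the `tty*` naming pattern, and the `who`-style input format are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.
# Assumes user terminals are nodes named tty* under the device directory.

# list_exposed_ttys [DIR]: print tty* nodes that "other" can read or write.
# The plain "tty" node is skipped: it is normally world read/write by design.
list_exposed_ttys() {
    dir=${1:-/dev}
    find "$dir" -name 'tty*' ! -name tty ! -type d ! -type l \
        \( -perm -004 -o -perm -002 \) -print 2>/dev/null | sort
}

# check_session_ttys [DIR]: read "who"-style lines (user, line, ...) on stdin.
# Prints "OWNER user line" when the session's tty is not owned by that user,
# and "MODE user line" when "other" has read or write access to it.
check_session_ttys() {
    dir=${1:-/dev}
    while read -r user line _rest; do
        node="$dir/$line"
        [ -e "$node" ] || continue
        # ls -ld fields: 1 = mode string, 3 = owner name
        info=$(ls -ld "$node" | awk '{print $1, $3}')
        mode=${info% *}
        owner=${info#* }
        [ "$owner" = "$user" ] || printf 'OWNER %s %s\n' "$user" "$line"
        # Characters 8 and 9 of the mode string are other-read and other-write.
        case $mode in
            ???????r*|????????w*) printf 'MODE %s %s\n' "$user" "$line" ;;
        esac
    done
}

# Live use: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    list_exposed_ttys /dev
    who | check_session_ttys /dev
fi
```

Running it before and after a device-node rebuild shows which active sessions were affected.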
Comment 1 Doug Barton freebsd_committer freebsd_triage 2000-12-11 17:03:44 UTC
State Changed
From-To: open->closed


The project has always made the assumption that upgrades 
will happen in single user mode. While I personally like 
to do everything I can to support multi-user upgrades, 
the recommended time to run mergemaster is immediately 
before reboot, therefore the negative impact noted here 
is likely to be both small and short lived, even in 
multi-user mode with users on the box. 


Comment 2 Doug Barton freebsd_committer freebsd_triage 2000-12-11 17:03:44 UTC
Responsible Changed
From-To: freebsd-bugs->dougb


Mergemaster is my responsibility