Bug 149462 - comms/lrzsz: Not set suid flags on programs
Summary: comms/lrzsz: Not set suid flags on programs
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
Depends on:
Reported: 2010-08-09 08:00 UTC by Dmitry
Modified: 2020-02-04 15:34 UTC (History)
4 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Dmitry 2010-08-09 08:00:15 UTC
I install /comms/minicom with /comms/lrzsz.
When I try to send file on zmodem through minicom, I see this message:

lsz: this program was never intended to be used setuid


set suid bit on /usr/local/bin/lsz and /usr/local/bon/lrz
Comment 1 Edwin Groothuis freebsd_committer 2010-08-09 08:00:26 UTC
Responsible Changed
From-To: freebsd-ports-bugs->dinoex

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Dirk Meyer freebsd_committer 2010-08-13 11:23:26 UTC
State Changed
From-To: open->feedback

The port does not set suid. 

-r-xr-xr-x  3 root  wheel    75540 Jun  3 03:11 /usr/local/bin/lrb* 
-r-xr-xr-x  3 root  wheel    75540 Jun  3 03:11 /usr/local/bin/lrx* 
-r-xr-xr-x  3 root  wheel    75540 Jun  3 03:11 /usr/local/bin/lrz* 
-r-xr-xr-x  3 root  wheel    79732 Jun  3 03:11 /usr/local/bin/lsb* 
-r-xr-xr-x  3 root  wheel    79732 Jun  3 03:11 /usr/local/bin/lsx* 
-r-xr-xr-x  3 root  wheel    79732 Jun  3 03:11 /usr/local/bin/lsz* 

Please check your installation.
Comment 3 Dirk Meyer freebsd_committer 2010-08-14 06:05:24 UTC
State Changed
From-To: feedback->analyzed

This must be your minicom setup. 

The code in lsr/lsrz is: 

if (getuid()!=geteuid()) { 
_("this program was never intended to be used setuidn")); 

Setting suid in lrz is really a bad idea. 
Any user would be able to overwrite /etc/master_passwd and otehr system files. 
I will not set lrz/lsz SUID.
Comment 4 Dirk Meyer freebsd_committer 2010-11-15 08:32:45 UTC
State Changed
From-To: analyzed->closed

Feedback timeout. 

Use groups to give access to the serial devies. 

for example: 
pw usermod minicomuser -g dialer
Comment 5 Andriy Gapon freebsd_committer 2018-06-29 20:55:47 UTC
The problem still exists and the solution proposed in comment #4 won't work [without additional changes].
However the solution proposed in the original report is not correct too.
The problem is not with an individual minicom configuration, but with the port itself. It installs the executable like this:
-r-s--x--x  1 uucp  dialer  190304 14 May 10:51 /usr/local/bin/minicom
That means that euid is that of uucp and hence the complaint.

I think that the real solution would be to install _minicom_ with the setuid bit. Then doing what Dirk suggested will help.
And I think that that's the way to do it.
Comment 6 Dirk Meyer freebsd_committer 2018-07-02 04:39:55 UTC
The default permissions group "dialer" works well to allow
any normal user to access a modem.

$ ls -l /dev/cuaU0*
crw-rw----  1 uucp    dialer  0x72  2 Juli 06:30 /dev/cuaU0
crw-rw----  1 uucp    dialer  0x73 22 Juni 23:01 /dev/cuaU0.init
crw-rw----  1 uucp    dialer  0x74 22 Juni 23:01 /dev/cuaU0.lock

$ ls -ld /var/spool/lock/
drwxrwxr-x  2 uucp  dialer  4  2 Juli 06:24 /var/spool/lock//

My proposed solution: 
install _minicom_ without the setuid bit.
Add the executing user to the group "dialer" 

for example: 
chmod 555 /usr/local/bin/minicom
pw usermod "useraccount" -g dialer
Comment 7 Andriy Gapon freebsd_committer 2018-07-02 06:51:05 UTC
(In reply to Dirk Meyer from comment #6)
Yes, I completely agree.
Comment 8 Rene Ladan freebsd_committer 2019-11-04 21:26:54 UTC
Maintainer reset.
Comment 9 commit-hook freebsd_committer 2020-02-04 11:11:17 UTC
A commit references this bug:

Author: dinoex
Date: Tue Feb  4 11:10:22 UTC 2020
New revision: 525148
URL: https://svnweb.freebsd.org/changeset/ports/525148

  - remove SUID bit, users must be added to group dialer
  PR:		149462

  - update MASTER_SITES
  - make portlint happier

Comment 10 Dirk Meyer freebsd_committer 2020-02-04 11:12:59 UTC
minicom port was updated
Comment 11 Samy Mahmoudi 2020-02-04 15:25:02 UTC
(In reply to commit-hook from comment #9)
Hi Dirk,

A similar patch was pending since 2018, so happy to see you handled this. Could you also close-FIXED Bug 230753?

It seems you forgot to bump PORTREVISION. Moreover, minicom's binary has now owner set to root:wheel, so there may be an omission based on your instruction "users must be added to group dialer".
Comment 12 Samy Mahmoudi 2020-02-04 15:34:49 UTC
(In reply to Samy Mahmoudi from comment #11)
Please ignore the part related to ownership: the device files have proper owner so it does not seem necessary to change minicom's binary ownership.