Bug 149462 - comms/lrzsz: Not set suid flags on programs
Summary: comms/lrzsz: Not set suid flags on programs
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-ports-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-08-09 08:00 UTC by Dmitry
Modified: 2019-11-04 21:26 UTC (History)
4 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Dmitry 2010-08-09 08:00:15 UTC
I install /comms/minicom with /comms/lrzsz.
When I try to send file on zmodem through minicom, I see this message:

lsz: this program was never intended to be used setuid

Fix: 

set suid bit on /usr/local/bin/lsz and /usr/local/bon/lrz
Comment 1 Edwin Groothuis freebsd_committer 2010-08-09 08:00:26 UTC
Responsible Changed
From-To: freebsd-ports-bugs->dinoex

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Dirk Meyer freebsd_committer 2010-08-13 11:23:26 UTC
State Changed
From-To: open->feedback



The port does not set suid. 

-r-xr-xr-x  3 root  wheel    75540 Jun  3 03:11 /usr/local/bin/lrb* 
-r-xr-xr-x  3 root  wheel    75540 Jun  3 03:11 /usr/local/bin/lrx* 
-r-xr-xr-x  3 root  wheel    75540 Jun  3 03:11 /usr/local/bin/lrz* 
-r-xr-xr-x  3 root  wheel    79732 Jun  3 03:11 /usr/local/bin/lsb* 
-r-xr-xr-x  3 root  wheel    79732 Jun  3 03:11 /usr/local/bin/lsx* 
-r-xr-xr-x  3 root  wheel    79732 Jun  3 03:11 /usr/local/bin/lsz* 

Please check your installation.
Comment 3 Dirk Meyer freebsd_committer 2010-08-14 06:05:24 UTC
State Changed
From-To: feedback->analyzed


This must be your minicom setup. 

The code in lsr/lsrz is: 

if (getuid()!=geteuid()) { 
error(1,0, 
_("this program was never intended to be used setuidn")); 
} 

Setting suid in lrz is really a bad idea. 
Any user would be able to overwrite /etc/master_passwd and otehr system files. 
I will not set lrz/lsz SUID.
Comment 4 Dirk Meyer freebsd_committer 2010-11-15 08:32:45 UTC
State Changed
From-To: analyzed->closed


Feedback timeout. 

Solution: 
Use groups to give access to the serial devies. 

for example: 
pw usermod minicomuser -g dialer
Comment 5 Andriy Gapon freebsd_committer 2018-06-29 20:55:47 UTC
The problem still exists and the solution proposed in comment #4 won't work [without additional changes].
However the solution proposed in the original report is not correct too.
The problem is not with an individual minicom configuration, but with the port itself. It installs the executable like this:
-r-s--x--x  1 uucp  dialer  190304 14 May 10:51 /usr/local/bin/minicom
That means that euid is that of uucp and hence the complaint.

I think that the real solution would be to install _minicom_ with the setuid bit. Then doing what Dirk suggested will help.
And I think that that's the way to do it.
Comment 6 Dirk Meyer freebsd_committer 2018-07-02 04:39:55 UTC
The default permissions group "dialer" works well to allow
any normal user to access a modem.

$ ls -l /dev/cuaU0*
crw-rw----  1 uucp    dialer  0x72  2 Juli 06:30 /dev/cuaU0
crw-rw----  1 uucp    dialer  0x73 22 Juni 23:01 /dev/cuaU0.init
crw-rw----  1 uucp    dialer  0x74 22 Juni 23:01 /dev/cuaU0.lock

$ ls -ld /var/spool/lock/
drwxrwxr-x  2 uucp  dialer  4  2 Juli 06:24 /var/spool/lock//


My proposed solution: 
install _minicom_ without the setuid bit.
Add the executing user to the group "dialer" 

for example: 
chmod 555 /usr/local/bin/minicom
pw usermod "useraccount" -g dialer
Comment 7 Andriy Gapon freebsd_committer 2018-07-02 06:51:05 UTC
(In reply to Dirk Meyer from comment #6)
Yes, I completely agree.
Comment 8 Rene Ladan freebsd_committer 2019-11-04 21:26:54 UTC
Maintainer reset.