* mwgamera <mwgam...@gmail.com> [241023 01:32]:
> On Tue, 22 Oct 2024 at 23:36, Chris Hofstaedtler <z...@debian.org> wrote:
> > https://lists.debian.org/debian-security-announce/2024/msg00058.html
> > is the context for the change.
>
> I understand that was what the fix adding missing input sanitization
> was about. But there was a second change in addition to that: the old
> behaviour of not using group permissions to moderate access to
> terminal was restored rendering the fix completely irrelevant.

The "fix" was incomplete and IIRC later confirmed to be impossible to
ever be correct for 100% of cases.

> In that configuration, mesg y just gives everyone write access to
> the terminal so a potential attacker doesn't need that bug in wall
> anymore to write arbitrary sequences to it.

This part is not new.

> The bug I'm reporting here isn't related to security.
> Iff write is neither suid nor sgid, the egid check has no
> implications for security. It just renders write unusable for
> absolutely no reason. Any user could just compile their own
> version of write without that check; or rewrite it as a shell script.

True, the egid check is useless and probably wrong now.

So yeah. When people have 'mesg y', they accept that their terminal
can be broken/run arbitrary commands. For 'mesg n' (default), it is
now reasonably secure. root can continue running write/wall to pass
messages to 'mesg n' users, and everything else is effectively
deprecated.

Chris