John Summerfield wrote:
>> The problem (in that particular case) is that your user does not seem to
>> be part of the 'tty' group! Other people may experience other problems.
>
> It's not. Is yours? If the tool you use to create user accounts doesn't
> make it so (or at least suggest it should be so), and you don't know to do
> it, it's not done. However, setting ownership at login makes it so you can
> open files to it and read/write. OTOH, if I'm in the tty group, then I can
> write to any tty that is group writable. Do you smell a security problem
> here?
Sorry.. I shouldn't have said 'problem'. I meant 'reason'.. I was just giving what I feel is the correct technical 'reason' why attempting to write to the file node returned by the "tty" command is giving a "permission denied" error. You were indicating that behavior was caused by the file node still having an opened file descriptor opened by root. I believe this is not the reason. Rather, the reason is that the user which you "su" to does not have permission to open in write mode the file node which is returned by the 'tty' command because the node ownership and permission is preventing you from doing so. That was my original point in discussing the differences between "su -" (which doesn't change tty ownership) and "login" (which does). You are of course correct that adding non privileged arbitrary users to the tty group could be a security issue.
> My observation is that screen creates pseudo ttys for all its sessions,
> sets TERM=screen and maps what comes back from the session to the tty
> _it_ writes to, the one active before it was started.
And my observation is that "screen" is attempting at some point to re-open the process controlling terminal file node in order to ensure any redirection does not affect front-end 'screen' operations (as opposed to back-end, which is indeed performed through the creation of ptys which DO have the appropriate ownership and permissions) - and that this fails when you su from root to a non-root user for the reason described above. This may be dependent on the version of the "screen" package.. But this is what I get:

    deb64-1:~# su - ivan
    i...@deb64-1:~$ screen
    Cannot open your terminal '/dev/pts/2' - please check.
    i...@deb64-1:~$ ls -l $(tty)
    crw------- 1 root tty 136, 2 2009-03-05 12:46 /dev/pts/2
    i...@deb64-1:~$ dpkg -l screen
    <snip/>
    ii  screen  4.0.3-11  terminal multiplexor with VT100/ANSI terminal emulation
    i...@deb64-1:~$

Note that the above is not restricted to Linux on z.. and not even restricted to Linux altogether. Other POSIX systems (Un*x, AIX, etc.) display the same difference between "su -" and "login".

--Ivan

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390
or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
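The permission check that screen's open() of the controlling tty runs into, worked through as an added example (not code from either poster or from the screen package): `tty_write_ok` applies the POSIX owner/group/other rule to the fields of an `ls -l` line, using the `/dev/pts/2` listing above as sample input, and `check_tty` runs the same test against a live node. Both function names are hypothetical; the user name `ivan` and the node `root:tty crw-------` come from the thread.

```sh
#!/bin/sh
# Added example: why "su - ivan" leaves ivan unable to open $(tty) for
# writing while "login" would not, using only what ls -l shows.

# tty_write_ok USER USER_GROUPS OWNER GROUP MODE
#   USER        user trying to open the tty (e.g. ivan)
#   USER_GROUPS space-separated group memberships of that user
#   OWNER/GROUP owner and group of the device node (ls -l columns 3 and 4)
#   MODE        10-character ls -l mode string, e.g. crw--w----
# Prints the class whose bits were applied; returns 0 if write is allowed.
tty_write_ok() {
    user=$1 groups=$2 owner=$3 group=$4 mode=$5
    # The kernel picks exactly one class: owner, else group, else other.
    # Root is not special-cased here; the thread is about a non-root user.
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4); class=owner
    elif printf ' %s ' "$groups" | grep -q " $group "; then
        bits=$(printf '%s' "$mode" | cut -c5-7); class=group
    else
        bits=$(printf '%s' "$mode" | cut -c8-10); class=other
    fi
    case $bits in
        ?w?) echo "$class: write allowed"; return 0 ;;
        *)   echo "$class: write denied ($mode owned by $owner:$group)"; return 1 ;;
    esac
}

# check_tty [DEV]: same test on a real node, default the controlling
# terminal; returns 2 when there is no tty (pipe, cron, CI runner).
check_tty() {
    dev=${1:-$(tty)} || return 2
    set -- $(ls -l "$dev" | awk '{print $1, $3, $4}')   # mode owner group
    tty_write_ok "$(id -un)" "$(id -Gn)" "$2" "$3" "$1"
}

# Stand-alone demo: the "su -" node from the thread, the same node after a
# "login" chown, the "add ivan to tty" workaround, then the live check.
tty_write_ok ivan "ivan"     root tty crw------- || :   # su -  : denied
tty_write_ok ivan "ivan"     ivan tty crw--w---- || :   # login : allowed
tty_write_ok ivan "ivan tty" root tty crw--w---- || :   # any group-writable tty
check_tty || :
```

The third demo line is John's point: once ivan is in group tty, every tty that keeps the usual group-write bit is writable to him, not just his own.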