On Sun, 31 Aug 2025 21:49:12 +0200 Chris Hofstaedtler <[email protected]> wrote:
> On Fri, Aug 29, 2025 at 04:27:04PM -0500, Aaron Rainbolt wrote:
> > Control: severity -1 serious
>
> The severity of a bug is under discretion of the package maintainer,
> unless being overridden by a delegate. AFAICT you are neither, so
> please stop changing the bug severity.

Sorry about that, I will stop. I was trying to make sure what I thought
was a policy violation would be solved or at least discussed, without
causing drama. I wasn't trying to be annoying, thank you for letting me
know this wasn't appropriate.

> > On Fri, 29 Aug 2025 23:03:37 +0200
> > Chris Hofstaedtler <[email protected]> wrote:
> >
> > > Control: severity -1 wishlist
> > >
> > > On Fri, Aug 29, 2025 at 03:33:09PM -0500, Aaron Rainbolt wrote:
> > > > `write` and `msg` are both parts of POSIX as explained earlier
> > > >
> > >
> > > write and mesg were removed due to security reasons. This part of
> > > POSIX is inherently insecure and unfixable.
> > >
> > > We're not gonna turn them back on.
> > >
> >
> > The inherently insecure, unfixable security issues were remediated
> > by disabling the SGID bit on the executables.
>
> They are not. Running 'mesg y' reopens the security hole ('write'
> being only one of the tools that could be used). For trixie I tried
> to have the defaults always be the equivalent of 'mesg n', or
> better.
>
> I consider write, mesg to be legacy interfaces. On a typical
> install, they are purely dead weight.
>
> I forgot if write even -works- on a default install, ISTR the answer
> is 'no' (even after 'mesg y'). IIRC wall is also challenged on the
> default install, but I opted to keep it for the sake of non-default
> installs (sysvinit, etc).

Originally I wrote quite a long reply to this, but then decided to try
and test functionality first. Unless the user runs `mesg y` *and*
/dev/ttyX is owned by group 'tty' *and* /usr/bin/write is SGID 'tty', it
doesn't work. That's... not what I expected to be the case, it's not
what the manpage insinuated, and looking at the existing behavior, all I
can say is "that is ridiculous". Like seriously, why won't `write` just
write if it has write access, why does it *have* to have a group match?
Why does `mesg` make /dev/ttyX both group-writable and world-writable?

Furthermore, even running `sudo write`, `write` doesn't write to all
logged-in TTYs, it just chooses one and uses that specific one. That
makes it entirely unusable for what I wanted to use it for.

Sigh. I guess this is a good lesson for me to always test utilities
thoroughly rather than just blindly believing the manpage tells me all I
need to know. With how I understood `mesg` and `write` worked, I
couldn't see how the removal made sense, but now I can't see how these
tools ever were deemed fit for production use in the first place. Sorry
for the trouble, and thank you for your patience with me.

> I truly believe we are better off without these tools. I doubt
> policy confines us to be a POSIX-compliant distro, and I would also
> expect us to not be at any time. Bringing these tools back brings us
> - from my PoV - nothing.
>
> I also think your comment comparing these tools with other tools
> to be an incorrect comparison. write/mesg/wall had a very small
> usecase; ls is used by a lot more people. If ls would be mostly
> useless on a default/typical install, it could also go away.
>
> Chris
>
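Added example, not part of the original message and not util-linux code: a read-only audit of the conditions discussed in the thread (terminal group-writable or world-writable, terminal group 'tty', `write` setgid). The function names are hypothetical and the script assumes GNU `stat` from coreutils.

```shell
#!/bin/sh
# Added example: report how open each terminal is to messages and whether
# write(1) carries the setgid bit. Read-only; changes nothing on the system.

# has_bit MODE MASK: succeeds if octal permission MODE has octal MASK set.
has_bit() {
    [ $(( 0$1 & 0$2 )) -ne 0 ]
}

# is_sgid MODE: succeeds if the setgid bit (02000) is set.
is_sgid() { has_bit "$1" 2000; }

# tty_state MODE GROUP: classify a terminal's exposure to other users.
tty_state() {
    if has_bit "$1" 002; then
        echo "world-writable"          # any local user can write to it
    elif has_bit "$1" 020; then
        if [ "$2" = tty ]; then
            echo "group-tty-writable"  # reachable by setgid-tty tools
        else
            echo "group-writable-other"
        fi
    else
        echo "closed"                  # equivalent of 'mesg n'
    fi
}

# audit_tty PATH: print "PATH MODE GROUP STATE" for one device or file.
audit_tty() {
    a_info=$(stat -c '%a %G' -- "$1") || return 1
    a_mode=${a_info%% *}
    a_group=${a_info#* }
    echo "$1 $a_mode $a_group $(tty_state "$a_mode" "$a_group")"
}

# audit_all: check the write binary, then every pty and virtual console.
audit_all() {
    if a_bin=$(command -v write) && a_bmode=$(stat -c %a -- "$a_bin"); then
        if is_sgid "$a_bmode"; then echo "$a_bin: setgid ($a_bmode)"
        else echo "$a_bin: not setgid ($a_bmode)"; fi
    else
        echo "write: not installed"
    fi
    for a_tty in /dev/pts/[0-9]* /dev/tty[0-9]*; do
        if [ -c "$a_tty" ]; then audit_tty "$a_tty"; fi
    done
}

if [ "${1:-}" = "--run" ]; then audit_all; fi
```

Run it with `--run` to print one line per terminal; any state other than `closed` means other local users or setgid tools can write to that terminal.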

