I doubt that having the installation of a package weaken a system's
security is a good idea.

Perhaps serial ports are special because a serial port can be used for a
PPP (or similar) network connection. So if all users have access to all
serial ports by default then a compromised process can potentially
spread via PPP (or similar). A serial port might also have particular
interesting hardware attached to it (e.g. a PLC) that should not by
default be exposed to compromised processes. Can you say Stuxnet? This
does not seem goodness to me.

An alternative to having the PuTTY installer change security would be
for PuTTY itself to detect that the desired serial port device is not
accessible and ask whether the user wants to do something about it i.e.
only when the user actually configures PuTTY to use a serial port. That
means that

* if the PuTTY user never goes near the serial port (most users?) then
no security change is ever made.

* no change is made without explicit user consent.

* if the user who is doing the install is not the user who is using
PuTTY then the security change is made for the correct user (where
relevant).

This does assume though that the user who is using PuTTY has permission
to use sudo (or similar).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1012630

Title:
  Can't access serial port without root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/putty/+bug/1012630/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to