Interactive shells in emacs: a security problem?
Jim Mattson
mattson at beowulf.ucsd.edu
Wed Aug 23 10:40:19 AEST 1989
When I run an interactive shell in GNU emacs or Jove, the editor provides me
with a pty that looks like this:
    crw-rw-rw- 1 root 10, 4 Aug 22 17:31 /dev/ttyp4
Of course, the editor cannot run setuid root, so it cannot change the owner
or mode of the pty. Unfortunately, it is possible for someone else to
run a program that:
a) detaches from its controlling terminal
b) opens _my_ pty RDWR (establishing it as the controlling terminal)
c) uses TIOCSTI to stuff characters into my pseudo-terminal input
As a result, my interactive shell is at everyone's mercy. I might as well
post the password to my account.
It seems that this is an inherent problem in the way 4BSD programs use ptys.
If the program does not run setuid root, it cannot guarantee the security
of the pty connection. Maybe there should be an ioctl that allows a
regular user to make himself/herself the owner of an open pty connection.
That seems really awful, though. Are there other solutions?
--jim
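
A defender-side check for the condition described in the message above, as an added example that is not part of the original post: it reports whether a terminal device is open to other users or owned by someone other than the session user. The function names and flag constants are hypothetical, chosen for this illustration.

```c
/* Added example: flag tty/pty devices that other users can open. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define PTY_WORLD_READ  0x1  /* "other" can read the device */
#define PTY_WORLD_WRITE 0x2  /* "other" can open it for writing */
#define PTY_NOT_OWNED   0x4  /* owner is not the session user */
#define PTY_NOT_CHARDEV 0x8  /* path is not a character device */

/* Pure check on a mode/owner pair, testable without a real pty. */
int pty_findings(mode_t mode, uid_t owner, uid_t session_uid)
{
    int f = 0;
    if (!S_ISCHR(mode))
        return PTY_NOT_CHARDEV;
    if (mode & S_IROTH) f |= PTY_WORLD_READ;
    if (mode & S_IWOTH) f |= PTY_WORLD_WRITE;
    if (owner != session_uid) f |= PTY_NOT_OWNED;
    return f;
}

/* stat() a device path; returns the findings, or -1 if stat fails. */
int audit_tty(const char *path, uid_t session_uid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return pty_findings(st.st_mode, st.st_uid, session_uid);
}

int main(int argc, char **argv)
{
    /* Default to the terminal on stdin; a device path may be given. */
    const char *path = argc > 1 ? argv[1] : ttyname(STDIN_FILENO);
    if (path == NULL) { fprintf(stderr, "stdin is not a tty\n"); return 2; }
    int f = audit_tty(path, getuid());
    if (f < 0) { perror(path); return 2; }
    printf("%s: %s%s%s%s\n", path,
           f & PTY_WORLD_READ ? "world-readable " : "",
           f & PTY_WORLD_WRITE ? "world-writable " : "",
           f & PTY_NOT_OWNED ? "not-owned-by-user " : "",
           f == 0 ? "ok" : "");
    return f != 0;
}
```

The /dev/ttyp4 listing in the message (mode crw-rw-rw-, owner root) yields all three findings when checked for a non-root user. A slave set up through POSIX grantpt() is owned by the calling user with mode crw--w---- and yields none.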