.plan
Bob McGowen Wyse Technology Training
bob at wyse.wyse.com
Thu Sep 7 08:04:31 AEST 1989
In article <1077 at virtech.UUCP> cpcahil at virtech.UUCP (Conor P. Cahill) writes:
>In article <1815 at cunixc.cc.columbia.edu>, fuat at cunixc.cc.columbia.edu (Fuat C. Baran) writes:
>> In article <28110 at news.Think.COM> barmar at think.com (Barry Margolin) writes:
>>
>> I still think that the ability to send back arbitrary strings is too
>> dangerous to be enabled by default in terminals. User's should be
---deleted---
>ANY USER THAT RUNS A PROGRAM IN ANY DIRECTORY WHEN THE USER DOES NOT KNOW WHAT
>THE PROGRAM IS (OR IS SUPPOSED TO DO) OPENS A VERRRRRRRRRRY LARGE SECURITY HOLE.
>
>> Just out of curiosity, what unix applications make use of a terminal's
>> capability to rebind function keys and/or have it type back arbitrary
---deleted---
>We routinely rebind the function keys at login time so that each user can
>have thier own set of meanings for the keys.
>
---deleted---
Binding a function key may not require the user(owner)'s ID or permissions.
When a user logs in the device they are on is set to rw--w--w-, which
allows others to write (using the command of the same name) to other
users. If the proper sequences can be sent to this device and the terminal
will accept them, then when the user on the terminal tries the function
key the result will be sent to the system and run with that users ID.
The ways to stop this include:
1) having the driver convert control characters to printing
ascii unless in raw mode (which hopefully can only be
done by the owner of the tty);
2) setting the permissions on the tty to rw-------, using
mesg n.
3) use a terminal that has no function keys or that cannot
be programmed from the computer side.
Otherwise, caveat emptor!
Bob McGowan (standard disclaimer, these are my own ...)
Customer Education, Wyse Technology, San Jose, CA
..!uunet!wyse!bob
bob at wyse.com
More information about the Comp.unix.questions
mailing list