complexity != security (was Re: lpr output filters)

Randal L. Schwartz @ Stonehenge merlyn at intelob.intel.com
Fri Apr 14 09:31:08 AEST 1989


In article <9712 at cslb.CSL.SRI.COM>, aida at porthos (Hitoshi Aida) writes:
| So, there is no perfect solution, but usually it is sufficient if making
| hard-copy is difficult enough.  How about this: as discussed earlier, make
| a special uid that can access the files.  Make a set-uid program which
| looks at the termcap and displays the content of the file in a special manner.
| For example, use cursor motion to write characters in random order,
| produce different style of output (e.g. different number of columns in
| multi-column output) on each page to make the collection of "screen dump"
| difficult, and so on.  Of course it should refuse to show the file if the
| terminal looks like a printer (i.e. lacks some basic terminal capabilities).

Easy.  I then invoke GNU Emacs (available at a theatre near you, check
your local listings), and invoke 'terminal-emulator'.  Up comes a
window with an escape-sequence interpreter, presented to the
subprocesses in a nicely packaged TERMCAP.  I invoke your magic
program, wait for the first page to be "displayed", and dump the
buffer.

Big deal.

Complexity is not security.  And (or maybe, "because..."), what seems
complex to some people is often trivial to others.

About as close as you'll get is writing a program that outputs the
document to one of a hardwired set of /dev/ttyXX entries based on user
selection, and then ensure that every one of those wires cannot be
undone (not likely) and that none of the terminals have "send screen
to host" or "hardcopy this" (not likely again).  "For your terminal
only" is pretty hard.
-- 
/=====Randal L. Schwartz, Stonehenge Consulting Services (503)777-0095========\
{        on contract to BiiN (for now :-) Hillsboro, Oregon, USA.             }
{<@intel-iwarp.arpa:merlyn at intelob.intel.com> ...!uunet!tektronix!biin!merlyn }
\=====Cute quote: "Welcome to Oregon... home of the California Raisins!"======/
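
The point of the reply above, as an added example that is not part of the original post: characters written in random order with cursor motion are put back in reading order by any escape-sequence interpreter, so dumping its buffer yields the plain document. The function names, the fixed 4x32 screen, the use of ANSI cursor-position sequences in place of a termcap lookup, and the sample text are all assumptions constructed for illustration.

```python
import random
import re

ROWS, COLS = 4, 32  # assumed screen size for the illustration

# Constructed sample document (not from the original post).
SECRET = "FOR YOUR TERMINAL ONLY\nline two of the document"

# ANSI cursor position: ESC [ row ; col H (1-based); stands in for termcap "cm".
CUP = re.compile(r"\x1b\[(\d*);?(\d*)H")


def scrambled_display(text, seed=0):
    """Emit text the way the quoted proposal suggests: one cursor-addressed
    character at a time, in random order."""
    cells = [(r, c, ch)
             for r, line in enumerate(text.splitlines()[:ROWS])
             for c, ch in enumerate(line[:COLS])]
    random.Random(seed).shuffle(cells)
    return "".join(f"\x1b[{r + 1};{c + 1}H{ch}" for r, c, ch in cells)


def interpret(stream):
    """Minimal escape-sequence interpreter: honour cursor moves, keep a
    screen buffer, and return the buffer as text (the 'dump')."""
    screen = [[" "] * COLS for _ in range(ROWS)]
    row = col = pos = 0
    while pos < len(stream):
        m = CUP.match(stream, pos)
        if m:
            row = max(int(m.group(1) or 1), 1) - 1
            col = max(int(m.group(2) or 1), 1) - 1
            pos = m.end()
            continue
        if row < ROWS and col < COLS:  # ignore writes that fall off-screen
            screen[row][col] = stream[pos]
        col += 1
        pos += 1
    return "\n".join("".join(line).rstrip() for line in screen).rstrip()


if __name__ == "__main__":
    stream = scrambled_display(SECRET)
    print("bytes on the wire, escapes stripped:", CUP.sub("", stream))
    print("dumped buffer:")
    print(interpret(stream))
```

The order of writes on the wire carries no protection because the screen state, not the byte stream, is what the reader (or the emulator) ends up holding.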


