A partial user-mode tty security fix for SunOS, Ultrix, et al.

Jussi Eloranta eloranta at jyu.fi
Thu Jun 13 17:23:48 AEST 1991


In article <24939:Jun1217:22:5791 at kramden.acf.nyu.edu> brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:
>Administrators of machines running SunOS 4.0.3, SunOS 4.1, SunOS 4.1.1,
>Ultrix 2.2, Ultrix 4.1, possibly intermediate Ultrix versions, straight
>BSD 4.3-Tahoe, DYNIX 3.0.17, Convex UNIX 9.0, and possibly other systems
>may be interested in the following quick, though only partially tested
>and only partially reliable, fix to the basic BSD tty security problems.
>Thanks to Seth Robertson for his help.
>

Well I did something like this...  (SunOS 4.1.1)
and it *seems* to work (I'm not absolutely sure about it).

BSD 4.3 telnetd with the following modification:

......

/*
 * Get a pty, scan input lines.
 */
doit(f, who)
	int f;
	struct sockaddr_in *who;
{
	char *host, *inet_ntoa();
	int i, p, t, j;
	struct sgttyb b;
	struct hostent *hp;
	int c;

	for (c = 'p'; c <= 'z'; c++) {
		struct stat stb;

		line = "/dev/ptyXX";
		line[strlen("/dev/pty")] = c;
		line[strlen("/dev/ptyp")] = '0';
		if (stat(line, &stb) < 0)
			break;
		for (i = 0; i < 16; i++) {
			line[strlen("/dev/ptyp")] = "0123456789abcdef"[i];
			p = open(line, 2);
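			if (p > 0) {	/* Here is a little surprise for snoopers */
				int pgid = 0;	/* stays 0 if the ioctl fails */

				/* process group still attached to this pty, if any */
				if (ioctl(p, TIOCGPGRP, &pgid) == 0 &&
				    pgid > 0 && pgid != getpgrp(0))
					killpg(pgid, 9);	/* 9 = SIGKILL */
				goto gotpty;
			}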
		}
	}
	fatal(f, "All network ports in use");
	/*NOTREACHED*/
gotpty:

......


What actually seems to happen (at least under SunOS) is that
ioctl(..,TIOCGPGRP,..) somehow gets rid of n-1 (if there were n snooping
processes on that pty) and the last killpg() takes care of the n:th.

Another way would be open() ing & close() ing the pty as many times
as there are snooping processes. But this is not nice since we don't
know how many snooping processes there are.

BTW the snooping stuff doesn't seem to work too well with rlogin ...
I assume rlogind is doing some open() & close() ing on the pty ?

Jussi
-- 
============================================================================
Jussi Eloranta               Internet(/Bitnet):    ! The ultimate trip is
University of Jyvaskyla,     eloranta at tukki.jyu.fi !    death.
Finland                      [128.214.7.5]         !  -- Jim Morrison



More information about the Comp.unix.wizards mailing list