TIOCNOTTY, TIOCSTI (was: Re: BSD tty security, part 4: What You Can Look Forward To)

Jyrki Kuoppala jkp at cs.HUT.FI
Wed May 1 23:52:12 AEST 1991


In article <1991Apr29.222139.21284 at pcserver2.naitc.com>, kdenning at pcserver2 (Karl Denninger) writes:
>Both of us, I'm sure, would like to have some FACTS on this stuff.  TIOCSTI
>is well known as a problem, but I thought that was supposed to be restricted
>to use by root (unless it's your control terminal....).
>
>I think I just heard you say that was all malarkey, that anyone could
>TIOCSTI my root session while logged in over a pty, and that you could
>exploit those items to gain control of my session.
>
>From the manual pages, I believe it shouldn't work.
>
>If this is not true, I would like details.  Not just "fixes", or
>pontificating, but details.  I can patch around lots of things, and replace
>system code if necessary.  Without some DETAILS it's difficult at best.

Last I checked, TIOCSTI can be used on typical BSD systems whenever
you can open the tty for writing - which on most systems means always,
since when no one is logged in on the tty, the tty is writable to all.
On newer systems the owner and modes are changed when a user logs in
so that the tty is writable only by group tty, but this does not
really help since the program which wants to do TIOCSTI can open the
tty in advance.

It's been a while - a couple of years or so - since I studied it, so I
don't remember all the details, but essentially the idea is that on
typical 4.3 bsd-derived systems any process can do TIOCNOTTY (notty,
notty ;-) and after that the first tty it opens becomes the control
terminal, after which you can open /dev/tty and do TIOCSTI on it.

The POSIX session stuff might have changed this on some newer
releases; I haven't checked.

Then there's also other tty stuff, like being able to do 'stty 0' on
another user's line on USG-style systems to log them off or change
their stty parameters in general.  I'm not sure if this works on BSD
systems.

Also, reading another terminal's input from the tty queues works
pretty nicely at least when that other terminal is on a 1200 bps
modem line.  There was a program posted to the net to do this a while
ago, the program needed some modifications but I got it working on 4.3
bsd ttys and SVR2 ttys (requires read access to kmem on both).

If anyone needs more info, I think I could with some effort find the
program to do the TIOC{NOTTY,STI} stuff, but it's really not that hard
to write.

Then of course there are these wonderful Quality Assured, Value Added
bsd-derived systems nowadays - on this machine I have found myself
several times on someone else's screen session, when for example
using ange-ftp from emacs.

//Jyrki



More information about the Comp.unix.wizards mailing list