BSD tty security, part 3: How to Fix It

John F Haugh II jfh at rpp386.cactus.org
Fri May 10 22:16:21 AEST 1991


In article <29117:May621:05:1391 at kramden.acf.nyu.edu> brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:
>Yeah, I think you can make vhangup() chop /dev/tty without races if you
>change u_ttyd to p_ttyd throughout, fix all your process-status programs
>so that they don't crash with this change, and add some lines inside the
>vhangup() syscall. That doesn't do anything about current operations.

Like I said, the current operations can be fixed by finding all the
places that sleep waiting for an I/O operation to complete.  Add a
generation number or some such to the tty structure.  Save your
generation number before sleeping, and if they match when you wake
up, you win the prize.  There are zillions of ways to solve this
problem.

>> How about fixing that problem instead of creating another
>> hack?
>
>``Creating another hack''? Sheesh. The entire idea of having a separate
>tty security mechanism is a hack. /dev/tty represents an alternate
>method of file access, and as such makes security a whole lot more
>complicated than when there was only open(). That's the problem that
>/dev/stdtty fixes.

That's utter nonsense.  AIX supports /dev/tty and tty device
revocation, and the code to support both is no big deal.  It even
manages to get access via /dev/tty correct ...
-- 
John F. Haugh II        | Distribution to  | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 255-8251 | GEnie PROHIBITED :-) |  Domain: jfh at rpp386.cactus.org
"If liberals interpreted the 2nd Amendment the same way they interpret the
 rest of the Constitution, gun ownership would be mandatory."
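
The generation-number check described in the message above, as an added example that is not part of the original post and is not code from any real kernel. It is a single-threaded user-space model: the "sleep" is a callback that runs whatever happens while the reader is blocked, and every name in it (tty_model, tty_revoke, tty_input, tty_read_model, ev_input, ev_hangup), the sample input strings, and the choice of -EIO as the failure code are assumptions made for illustration.

```c
/* Added illustration: user-space model of a generation check across a sleep. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct tty_model {
    unsigned long gen;     /* bumped each time the tty is revoked */
    char buf[64];          /* pending input */
    size_t len;
};

/* What a vhangup()-style revocation would add: invalidate sleepers, drop input. */
void tty_revoke(struct tty_model *tp) { tp->gen++; tp->len = 0; }
void tty_input(struct tty_model *tp, const char *s)
{
    tp->len = strlen(s);               /* constructed input, always < sizeof buf */
    memcpy(tp->buf, s, tp->len);
}

/* Stand-ins for what can happen while a reader sleeps (hypothetical events);
 * ev_hangup: the session is revoked, then the next user starts typing. */
typedef void (*sleep_event)(struct tty_model *);
void ev_input(struct tty_model *tp) { tty_input(tp, "ls\n"); }
void ev_hangup(struct tty_model *tp) { tty_revoke(tp); tty_input(tp, "passwd\n"); }

/* Returns bytes copied, or -EIO (assumed) if the tty was revoked while asleep. */
long tty_read_model(struct tty_model *tp, char *dst, size_t n, sleep_event ev)
{
    unsigned long saved = tp->gen;     /* save the generation before sleeping */
    while (tp->len == 0) {
        if (ev == NULL) return -EAGAIN; /* model only: nothing left to wake us */
        ev(tp);                        /* "sleep": other activity runs here */
        ev = NULL;
        if (tp->gen != saved) return -EIO; /* recheck on every wakeup */
    }
    if (n > tp->len) n = tp->len;
    memcpy(dst, tp->buf, n);
    tp->len -= n;
    memmove(tp->buf, tp->buf + n, tp->len);
    return (long)n;
}

int main(void)
{
    struct tty_model t = {0};
    char out[64];
    printf("normal: %ld\n", tty_read_model(&t, out, sizeof out, ev_input));
    printf("revoked: %ld\n", tty_read_model(&t, out, sizeof out, ev_hangup));
    return 0;
}
```

In the second call the reader wakes to find data waiting, but the generation has moved on, so the input typed by the next session stays queued for a reader that starts after the revocation.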


