BSD tty security, part 3: How to Fix It

[Boyd Roberts]

In article <235 at harem.clydeunix.com>, wes at harem.clydeunix.com (Wes Peters) writes:
> 
> I think write should reject any input not from a terminal:
> 
>     if (!isatty(fileno(stdin))) {
>         fprintf(stderr, "write: input must be a terminal!\n");
>         exit(-1);
>     }
> 
> I know this will take care of 'cat longfile | write sucker', but does it
> also take care of a 'here is' document (i.e. shell << document)?
> 

But it still doesn't solve the problem.  I can still go <button1>-sweep-<button2>
on my X terminal and you'll still get a pile of junk.  Or, I can run the ubiquitous ``pty'' and probably achieve the same.

The problem is that the user should be able to specify a program to run that
displays the ``write'' information in the way the user likes.  I guess such
a thing would register with a server (security problem #1) and say here I
am to take care of any writes for user X.  It then talks a protocol with
any incoming write and displays the information the way the user wants.

UNIX write(1) is small and simple.  It does the job in a friendly environment.
It was not written to deal with boofheads who'd cat /dev/universe | write ...


Boyd Roberts			boyd at prl.dec.com

``When the going gets wierd, the weird turn pro...''