BSD tty security, part 3: How to Fix It

Dan Bernstein brnstnd at kramden.acf.nyu.edu
Mon May 6 08:46:20 AEST 1991


In article <kre.673430200 at mundamutti.cs.mu.OZ.AU> kre at cs.mu.oz.au (Robert Elz) writes:
> brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:
> >> 	for (fd = 3; fd < ENOUGH; fd++)
> >> 		close(fd);
> >I pointed this out in the proposal. I also pointed out that it only
> >affects programs which change fd 3 and then want to open /dev/tty
> No, this is not true - it affects programs that close fd 3, then
> exec any program that wants to open /dev/tty

(That's the same thing; program != process.) Right, which is why Marc
pointed out ksh. If you find other examples of such programs, please say
so here. If you can post patches too, great!

  [ using descriptors other than 3 ]
> It's much more work for the vendors in their kernels, but at least it's
> work that is mostly compatible with their current offerings.

It won't be any extra work if they pick the current maximum fd and
kludge getdtablesize() to subtract 1 from its answer. In any case, all
that's important for security is that *some* file descriptor be used
rather than the old /dev/tty driver.

---Dan
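
An added example, not part of the original post or of anyone's kernel: it runs the cleanup loop quoted above in a child process and reports whether a reserved descriptor survives, first at fd 3, then at the top slot, with and without `getdtablesize()` answering one less. Assumptions: `reserved_fd_survives` is a hypothetical helper, `/dev/null` stands in for the terminal descriptor, and the descriptor table is shrunk to 64 entries as constructed setup.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for getdtablesize() on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

static int fd_is_open(int fd) { return fcntl(fd, F_GETFD) != -1; }

/* Hypothetical helper. In a child: park a descriptor on `reserved` (the top
 * slot if reserved < 0), run the cleanup loop quoted in the thread, and report
 * whether it is still open. kludge != 0 models getdtablesize() answering one
 * less than the real table size. Returns 1 survived, 0 closed, -1 error. */
int reserved_fd_survives(int reserved, int kludge)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct rlimit rl;
        /* Constructed setup: shrink the table so the loop is short. */
        if (getrlimit(RLIMIT_NOFILE, &rl) != 0) _exit(2);
        if (rl.rlim_cur > 64) rl.rlim_cur = 64;
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0) _exit(2);
        int real_size = getdtablesize();
        if (reserved < 0) reserved = real_size - 1;
        int src = open("/dev/null", O_RDWR);  /* stand-in for the tty */
        if (src < 0 || dup2(src, reserved) < 0) _exit(2);
        if (src != reserved) close(src);
        int enough = kludge ? real_size - 1 : real_size;
        for (int fd = 3; fd < enough; fd++)   /* the loop from the thread */
            close(fd);
        _exit(fd_is_open(reserved) ? 1 : 0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    printf("fd 3, plain loop:        %d\n", reserved_fd_survives(3, 0));
    printf("top fd, plain loop:      %d\n", reserved_fd_survives(-1, 0));
    printf("top fd, kludged answer:  %d\n", reserved_fd_survives(-1, 1));
    return 0;
}
```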


